Symbolic Execution as DPLL Modulo Theories

© Quoc-Sang Phan; licensed under Creative Commons License CC-BY. Imperial College Computing Student Workshop (ICCSW’14). Editors: Rumyana Neykova and Nicholas Ng; pp. 58–65. OpenAccess Series in Informatics. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germanyurn: urn:nbn:de:0030-drops-47746urn: urn:nbn:de:0030-drops-4774

Abstract Model Counting: A Novel Approach for Quantification of Information Leaks

acmid: 2590328 keywords: model checking, quantitative information flow, satisfiability modulo theories, symbolic execution location: Kyoto, Japan numpages: 10acmid: 2590328 keywords: model checking, quantitative information flow, satisfiability modulo theories, symbolic execution location: Kyoto, Japan numpages: 10acmid: 2590328 keywords: model checking, quantitative information flow, satisfiability modulo theories, symbolic execution location: Kyoto, Japan numpages: 10We present a novel method for Quantitative Information Flow analysis. We show how the problem of computing information leakage can be viewed as an extension of the Satisfiability Modulo Theories (SMT) problem. This view enables us to develop a framework for QIF analysis based on the framework DPLL(T) used in SMT solvers. We then show that the methodology of Symbolic Execution (SE) also fits our framework. Based on these ideas, we build two QIF analysis tools: the first one employs CBMC, a bounded model checker for ANSI C, and the second one is built on top of Symbolic PathFinder, a Symbolic Executor for Java. We use these tools to quantify leaks in industrial code such as C programs from the Linux kernel, a Java tax program from the European project HATS, and anonymity protocol

A Survey of Satisfiability Modulo Theory

Satisfiability modulo theory (SMT) consists in testing the satisfiability of first-order formulas over linear integer or real arithmetic, or other theories. In this survey, we explain the combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative "natural domain" approaches. We also cover quantifiers, Craig interpolants, polynomial arithmetic, and how SMT solvers are used in automated software analysis.Comment: Computer Algebra in Scientific Computing, Sep 2016, Bucharest, Romania. 201

A Simple and Flexible Way of Computing Small Unsatisfiable Cores in SAT Modulo Theories

Finding small unsatisfiable cores for SAT problems has recently received a lot of interest, mostly for its applications in formal verification. However, propositional logic is often not expressive enough for representing many interesting verification problems, which can be more naturally addressed in the framework of Satisfiability Modulo Theories, SMT. Surprisingly, the problem of finding unsatisfiable cores in SMT has received very little attention in the literature; in particular, we are not aware of any work aiming at producing small unsatisfiable cores in SMT. In this paper we present a novel approach to this problem. The main idea is to combine an SMT solver with an external propositional core extractor: the SMT solver produces the theory lemmas found during the search; the core extractor is then called on the boolean abstraction of the original SMT problem and of the theory lemmas. This results in an unsatisfiable core for the original SMT problem, once the remaining theory lemmas have been removed. The approach is conceptually interesting, since the SMT solver is used to dynamically lift the suitable amount of theory information to the boolean level, and it also has several advantages in practice. In fact, it is extremely simple to implement and to update, and it can be interfaced with every propositional core extractor in a plug-and-play manner, so that to benefit for free of all unsat-core reduction techniques which have been or will be made available. We have evaluated our approach by an extensive empirical test on SMT-LIB benchmarks, which confirms the validity and potential of this approach

All-Solution Satisfiability Modulo Theories: applications, algorithms and benchmarks

keywords: Automated Test Generation;Bounded Model Checking;Quantitative Information Flow;Reliability Analysis;Satisfiability Modulo Theories;Symbolic ExecutionPasquale Malacaria's research was supported by grant EP/K032011/1

A Survey of Satisfiability Modulo Theory

International audienceSatisfiability modulo theory (SMT) consists in testing the satisfiability of first-order formulas over linear integer or real arithmetic, or other theories. In this survey, we explain the combination of propositional satisfiability and decision procedures for conjunctions known as DPLL(T), and the alternative "natural domain" approaches. We also cover quantifiers, Craig interpolants, polynomial arithmetic, and how SMT solvers are used in automated software analysis