
    A Survey of Symbolic Execution Techniques

    Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc

    Comment: This is the authors' pre-print copy.

    Abstract Contract Synthesis and Verification in the Symbolic K Framework

    In this article, we propose a symbolic technique that can be used for automatically inferring software contracts from programs that are written in a non-trivial fragment of C, called KERNELC, that supports pointer-based structures and heap manipulation. Starting from the semantic definition of KERNELC in the K semantic framework, we enrich the symbolic execution facilities recently provided by K with novel capabilities for contract synthesis that are based on abstract subsumption. Roughly speaking, we define an abstract symbolic technique that axiomatically explains the execution of any (modifier) C function by using other (observer) routines in the same program. We implemented our technique in the automated tool KINDSPEC 2.1, which generates logical axioms that express pre- and post-condition assertions which define the precise input/output behavior of the C routines. Thanks to the integrated support for symbolic execution and deductive verification provided by K, some synthesized axioms that cannot be guaranteed to be correct by construction due to abstraction can finally be verified in our setting with little effort.

    This work has been partially supported by the EC H2020-EU grant agreement No. 952215 (TAILOR), the EU (FEDER) and the Spanish MCIU under grant RTI2018-094403-B-C32, and by Generalitat Valenciana under grant PROMETEO/2019/098.

    Alpuente Frasnedo, M.; Pardo, D.; Villanueva, A. (2020). Abstract Contract Synthesis and Verification in the Symbolic K Framework. Fundamenta Informaticae. 177(3-4):235-273. https://doi.org/10.3233/FI-2020-1989S2352731773-

    Model Checker Execution Reports

    Software model checking constitutes an undecidable problem and, as such, even an ideal tool will in some cases fail to give a conclusive answer. In practice, software model checkers fail often and usually do not provide any information on what was effectively checked. The purpose of this work is to provide a conceptual framing to extend software model checkers in a way that allows users to access information about incomplete checks. We characterize the information that model checkers themselves can provide, in terms of analyzed traces, i.e. sequences of statements, and safe cones, and present the notion of execution reports, which we also formalize. We instantiate these concepts for a family of techniques based on Abstract Reachability Trees and implement the approach using the software model checker CPAchecker. We evaluate our approach empirically and provide examples to illustrate the execution reports produced and the information that can be extracted.

    Abstract Contract Synthesis and Verification in the Symbolic K Framework

    In this article, we propose a symbolic technique that can be used for automatically inferring software contracts from programs that are written in a non-trivial fragment of C, called KernelC, that supports pointer-based structures and heap manipulation. Starting from the semantic definition of KernelC in the K semantic framework, we enrich the symbolic execution facilities recently provided by K with novel capabilities for contract synthesis that are based on abstract subsumption. Roughly speaking, we define an abstract symbolic technique that axiomatically explains the execution of any (modifier) C function by using other (observer) routines in the same program. We implemented our technique in the automated tool KindSpec 2.1, which generates logical axioms that express pre- and postcondition assertions which define the precise input/output behavior of the C routines. Thanks to the integrated support for symbolic execution and deductive verification provided by K, some synthesized axioms that cannot be guaranteed to be correct by construction due to abstraction can finally be verified in our framework with little effort.

    This work has been partially supported by the EU (FEDER) and Spanish MINECO under grants TIN2015-69175-C4-1-R and TIN2013-45732-C4-1-P, and by Generalitat Valenciana PROMETEOII/2015/013. Daniel Pardo was supported by FPU-ME grant FPU14/01830.

    Alpuente Frasnedo, M.; Pardo Pont, D.; Villanueva García, A. (2018). Abstract Contract Synthesis and Verification in the Symbolic K Framework. Universitat Politècnica de València. http://hdl.handle.net/10251/10030

    A Framework to Synergize Partial Order Reduction with State Interpolation

    We address the problem of reasoning about interleavings in safety verification of concurrent programs. In the literature, there are two prominent techniques for pruning the search space. First, there are well-investigated trace-based methods, collectively known as "Partial Order Reduction (POR)", which operate by weakening the concept of a trace by abstracting the total order of its transitions into a partial order. Second, there is state-based interpolation where a collection of formulas can be generalized by taking into account the property to be verified. Our main contribution is a framework that synergistically combines POR with state interpolation so that the sum is more than its parts.

    Using Graph Transformations and Graph Abstractions for Software Verification

    In this paper we describe our intended approach for the verification of software written in imperative programming languages. We base our approach on model checking of graph transition systems, where each state is a graph and the transitions are specified by graph transformation rules. We believe that graph transformation is a very suitable technique to model the execution semantics of languages with dynamic memory allocation. Furthermore, such representation allows us to investigate the use of graph abstractions, which can mitigate the combinatorial explosion inherent to model checking. In addition to presenting our planned approach, we reason about its feasibility, and, by providing a brief comparison to other existing methods, we highlight the benefits and drawbacks that are expected.

    Model-driven engineering approach to design and implementation of robot control system

    In this paper we apply a model-driven engineering approach to designing domain-specific solutions for robot control system development. We present a case study of the complete process, including identification of the domain meta-model, graphical notation definition and source code generation for subsumption architecture -- a well-known example of robot control architecture. Our goal is to show that both the definition of the robot-control architecture and its supporting tools fit well into the typical workflow of model-driven engineering development.

    Comment: Presented at DSLRob 2011 (arXiv:cs/1212.3308)