1,805 research outputs found
Range Analysis of Binaries with Minimal Effort
COTS components are ubiquitous in military, industrial and governmental systems. However, the bene?fits of reduced development and maintainance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Push-button formal method techniques, such as model checking and abstract interpretation, can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and bu?er over ows. Yet the lack of structure in binaries limits the e?ffectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention
Range and Set Abstraction using SAT
Symbolic decision trees are not the only way to correlate the relationship between flags and numeric variables. Boolean formulae can also represent such relationships where the integer variables are modelled with bit-vectors of propositional variables. Boolean formulae can be composed to express the semantics of a block and program state, but they are hardly tractable, hence the need to compute their abstractions. This paper shows how incremental SAT can be applied to derive range and set abstractions for bit-vectors that are constrained by Boolean formulae
Enhancing Predicate Pairing with Abstraction for Relational Verification
Relational verification is a technique that aims at proving properties that
relate two different program fragments, or two different program runs. It has
been shown that constrained Horn clauses (CHCs) can effectively be used for
relational verification by applying a CHC transformation, called predicate
pairing, which allows the CHC solver to infer relations among arguments of
different predicates. In this paper we study how the effects of the predicate
pairing transformation can be enhanced by using various abstract domains based
on linear arithmetic (i.e., the domain of convex polyhedra and some of its
subdomains) during the transformation. After presenting an algorithm for
predicate pairing with abstraction, we report on the experiments we have
performed on over a hundred relational verification problems by using various
abstract domains. The experiments have been performed by using the VeriMAP
transformation and verification system, together with the Parma Polyhedra
Library (PPL) and the Z3 solver for CHCs.Comment: Pre-proceedings paper presented at the 27th International Symposium
on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur,
Belgium, 10-12 October 2017 (arXiv:1708.07854
Estimating the maximum rise in temperature according to climate models using abstract interpretation
Current climate models are complex computer programs that are typically iterated time-step by time-step to predict the next set of values of the climate-related variables. Since these iterative methods are necessarily computed only for a fixed number of iterations, they are unable to answer the natural question whether there is a limit to the rise of global temperature. In order to answer that question we propose to combine climate models with software verification techniques that can find invariant conditions for the set of program variables. In particular, we apply the constraint database approach to software verification to find that the rise in global temperature is bounded according to the common Java Climate Model that implements the Wigely/Raper Upwelling-Diffusion Energy Balance Model climate model
Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs
We consider the problem of computing numerical invariants of programs, for
instance bounds on the values of numerical program variables. More
specifically, we study the problem of performing static analysis by abstract
interpretation using template linear constraint domains. Such invariants can be
obtained by Kleene iterations that are, in order to guarantee termination,
accelerated by widening operators. In many cases, however, applying this form
of extrapolation leads to invariants that are weaker than the strongest
inductive invariant that can be expressed within the abstract domain in use.
Another well-known source of imprecision of traditional abstract interpretation
techniques stems from their use of join operators at merge nodes in the control
flow graph. The mentioned weaknesses may prevent these methods from proving
safety properties. The technique we develop in this article addresses both of
these issues: contrary to Kleene iterations accelerated by widening operators,
it is guaranteed to yield the strongest inductive invariant that can be
expressed within the template linear constraint domain in use. It also eschews
join operators by distinguishing all paths of loop-free code segments. Formally
speaking, our technique computes the least fixpoint within a given template
linear constraint domain of a transition relation that is succinctly expressed
as an existentially quantified linear real arithmetic formula. In contrast to
previously published techniques that rely on quantifier elimination, our
algorithm is proved to have optimal complexity: we prove that the decision
problem associated with our fixpoint problem is in the second level of the
polynomial-time hierarchy.Comment: 35 pages, conference version published at ESOP 2011, this version is
a CoRR version of our submission to Logical Methods in Computer Scienc
Experiments with a Convex Polyhedral Analysis Tool for Logic Programs
Convex polyhedral abstractions of logic programs have been found very useful
in deriving numeric relationships between program arguments in order to prove
program properties and in other areas such as termination and complexity
analysis. We present a tool for constructing polyhedral analyses of
(constraint) logic programs. The aim of the tool is to make available, with a
convenient interface, state-of-the-art techniques for polyhedral analysis such
as delayed widening, narrowing, "widening up-to", and enhanced automatic
selection of widening points. The tool is accessible on the web, permits user
programs to be uploaded and analysed, and is integrated with related program
transformations such as size abstractions and query-answer transformation. We
then report some experiments using the tool, showing how it can be conveniently
used to analyse transition systems arising from models of embedded systems, and
an emulator for a PIC microcontroller which is used for example in wearable
computing systems. We discuss issues including scalability, tradeoffs of
precision and computation time, and other program transformations that can
enhance the results of analysis.Comment: Paper presented at the 17th Workshop on Logic-based Methods in
Programming Environments (WLPE2007
A General Framework for Automatic Termination Analysis of Logic Programs
This paper describes a general framework for automatic termination analysis
of logic programs, where we understand by ``termination'' the finitenes s of
the LD-tree constructed for the program and a given query. A general property
of mappings from a certain subset of the branches of an infinite LD-tree into a
finite set is proved. From this result several termination theorems are
derived, by using different finite sets. The first two are formulated for the
predicate dependency and atom dependency graphs. Then a general result for the
case of the query-mapping pairs relevant to a program is proved (cf.
\cite{Sagiv,Lindenstrauss:Sagiv}). The correctness of the {\em TermiLog} system
described in \cite{Lindenstrauss:Sagiv:Serebrenik} follows from it. In this
system it is not possible to prove termination for programs involving
arithmetic predicates, since the usual order for the integers is not
well-founded. A new method, which can be easily incorporated in {\em TermiLog}
or similar systems, is presented, which makes it possible to prove termination
for programs involving arithmetic predicates. It is based on combining a finite
abstraction of the integers with the technique of the query-mapping pairs, and
is essentially capable of dividing a termination proof into several cases, such
that a simple termination function suffices for each case. Finally several
possible extensions are outlined
- …