Matching-Logic-Based Understanding of Polynomial Functors and their Initial/Final Models

In this paper, we investigate how the initial models and the final models for the polynomial functors can be uniformly specified in matching logic.Comment: In Proceedings FROM 2023, arXiv:2309.1295

Model-based Testing and Analysis of Coordinated Components

Software components are common in the open source community. These components can be specified in model languages like AsmL or JML by using contracts (preconditions, postconditions). Starting from an integrated specification (components, coordinating process, wrapper), a model program is defined and used to define the formal semantics of the whole system. The relationship between coordinator and components are expressed as abisimulation. The model program can be used for conformance testing and generating test case suites when working with closed systems, and for scenario-based testing when working with reactive systems

Full Transparency in DBI frameworks

Following the increasing trends of malicious applications or cyber threats in general, program analysis has become a ubiquitous technique in extracting relevant features. The current state-of-the-art solutions seem to fall behind new techniques. For instance, dynamic binary instrumentation (DBI) provides some promising results, but falls short when it comes to ease of use and overcoming analysis evasion. In this regard, we propose a two-fold contribution. First, we introduce COBAI (Complex Orchestrator for Binary Analysis and Instrumentation), a DBI framework designed for malware analysis, prioritizing ease-of-use and analysis transparency, without imposing a significant overhead. Second, we introduce an aggregated test suite intended to stand as a benchmark in determining the quality of an analysis solution regarding the protection against evasion mechanisms. The efficiency of our solution is validated by a careful evaluation taking into consideration other DBI frameworks, analysis environments, and the proposed benchmark.Comment: 13 pages, 4 figure

Program Equivalence by Circular Reasoning

We propose a logic and a deductive system for stating and automatically proving the equivalence of programs written in deterministic languages having a rewriting-based operational semantics. The chosen equivalence is parametric in a so-called observation relation, and it says that two programs satisfying the observation relation will inevitably be, in the future, in the observation relation again. This notion of equivalence generalises several well-known equivalences, and is shown to be appropriate for deterministic programs. The deductive system is circular in nature and is proved sound and weakly complete; together, these results say that, when it terminates, our system correctly solves the given program-equivalence problem. We show that our approach is suitable for proving equivalence for terminating and non-terminating programs as well as for concrete and symbolic programs. The latter are programs in which some statements or expressions are symbolic variables. By proving the equivalence between symbolic programs, one proves the equivalence of (infinitely) many concrete programs obtained by replacing the variables by concrete statements or expressions. The approach is illustrated by proving program equivalence in two languages from different programming paradigms. The examples in the paper, as well as other examples, can be checked using an online tool.Nous proposons une logique et un système déductif pour exprimer et prouver automatiquement l'équivalence de programmes dans des langages déterministes munis de sé- mantiques opérationnelles définies par réécriture. Le système déductif proposé est de nature circulaire; nous démontrons qu'il est correct et faiblement complet. Ces deux résultats sig- nifient que, lorsqu'il termine, notre système résout correctement le problème d'équivalence de programmes tels que nous l'avons posé. Nous montrons que ce système fonctionne autant pour des programmes qui terminent que pour des programmes qui ne terminent pas. Les programmes dits symboliques, dans lesquels certaines expressions ou instructions restent non-interprétés, peu- vent également être traités par notre approche. La démonstration d'une équivalence entre deux programmes symboliques revient à démontrer l'équivalence entre une infinité potentielle de pro- grammes concrets, qui sont des instances des programmes symboliques obtenues en remplaçant les variables symboliques par des instructions ou des expressions concrètes. L'approche est illustrée par la preuve d'équivalence de programmes dans deux langages appartenant à des paradigmes de programmation différents. Les exemples contenus dans l'article, ainsi que d'autres exemples, peuvent être essayés dans un outil en ligne

Behavioral Rewrite Systems and Behavioral Productivity

Abstract. This paper introduces behavioral rewrite systems, where rewriting is used to evaluate experiments, and behavioral productivity, which says that each experiment can be fully evaluated, and investigates some of their properties. First, it is shown that, in the case of (infinite) streams, behavioral productivity generalizes and may bring to a more basic rewriting setting the existing notion of stream productivity defined in the context of infinite rewriting and lazy strategies; some arguments are given that in some cases one may prefer the behavioral approach. Second, a behavioral productivity criterion is given, which reduces the problem to conventional term rewrite system termination, so that one can use off-the-shelf termination tools and techniques for checking behavioral productivity in general, not only for streams. Finally, behavioral productivity is shown to be equivalent to a proof-theoretic (rather than model-theoretic) notion of behavioral well-specifiedness, and its difficulty in the arithmetic hierarchy is shown to be Π 0 2 -complete. All new concepts are exemplified over streams, infinite binary trees, and processes

Interacting via the Heap in the Presence of Recursion

Almost all modern imperative programming languages include operations for dynamically manipulating the heap, for example by allocating and deallocating objects, and by updating reference fields. In the presence of recursive procedures and local variables the interactions of a program with the heap can become rather complex, as an unbounded number of objects can be allocated either on the call stack using local variables, or, anonymously, on the heap using reference fields. As such a static analysis is, in general, undecidable. In this paper we study the verification of recursive programs with unbounded allocation of objects, in a simple imperative language for heap manipulation. We present an improved semantics for this language, using an abstraction that is precise. For any program with a bounded visible heap, meaning that the number of objects reachable from variables at any point of execution is bounded, this abstraction is a finitary representation of its behaviour, even though an unbounded number of objects can appear in the state. As a consequence, for such programs model checking is decidable. Finally we introduce a specification language for temporal properties of the heap, and discuss model checking these properties against heap-manipulating programs.Comment: In Proceedings ICE 2012, arXiv:1212.345

Language-Independent Program Verification Using Symbolic Execution

We present an automatic, language-independent program verification approach and prototype tool based on symbolic execution. The program-specification formalism we consider is Reachability Logic, a language-independent alternative to Hoare logics. Reachability Logic has a sound and relatively complete deduction system that offers a lot of freedom to the user regarding the manner and order of rule application, but it lacks a strategy for automatic proof construction. Hence, we propose a procedure for proof construction, in which symbolic execution plays a major role. We prove that, under reasonable conditions on its inputs (the operational semantics of a programming language, and a specification of a program, both given as sets of Reachability Logic formulas) our procedure is partially correct: if it terminates it correctly answers (positively or negatively) to the question of whether the given program specification holds when executing the program according to the given semantics. Termination, of course, cannot be guaranteed, since program-verification is an undecidable problem; but it does happen if the provided set of goals includes enough information in order to be circularly provable (using each other as hypotheses). We introduce a prototype program-verification tool implementing our procedure in the K language-definition framework, and illustrate it by verifying nontrivial programs written in languages defined in KNous présentons une méthode automatique pour vérifier des programmes, qui ne dépend pas du langage de programmation dans lequel les programmes à vérifier sont écrits. Pour cela nous nous appuyons sur la Reachability Logic, un formalisme de spécification introduit récemment, qui peut être vu comme une alternative à la logique de Hoare, mais qui, contrairement à cette dernière, ne dépend pas du langage de programmation utilisé. La Reachability Logic est munie d'un système déductif correct et relativement complet, qui laisse beaucoup de liberté à l'utilisateur sur la manière d'appliquer les règles de déduction, mais qui n'offre pas de stratégie pour construire automatiquement des preuves. Par conséquent nous proposons ici une procédure de construction des preuves, dans laquelle l'exécution symbolique joue un rôle essentiel. Nous montrons que, moyennant des conditions raisonnables sur la sémantique des langages de programmation et sur les propriétés des programmes, notre procédure est partiellement correcte. Ceci dit en substance que, lorsqu'elle termine, la procédure résout correctement le problème de vérification de programmes à base de Reachability Logic. La terminaison ne peut être garantie car la vérification de programmes est indécidable, mais la procédure termine lorsque les propriétés contiennent suffisamment d'information pour être prouvées de manière circulaire, en s'utilisant mutuellement comme hypothèses. Nous présentons une implémentation prototype d'un outil de vérification basé sur ces idées, que nous avons implémenté dans la K framework et que nous illustrons sur des exemples de programmes non triviaux, écrits dans des langages formellement définis en K

Towards a K Semantics for OCL

International audienceWe give a formal definition to a significant subset of the Object Constraint Language (OCL) in the K framework. The chosen subset includes the usual arithmetical, Boolean (including quantifiers), and string expressions; collection expressions (including iterators and navigation); and pre/post conditions for methods. Being executable, our definition provides us, for free, with an interpreter for the chosen subset of OCL. It can be used for free in K definitions of languages having OCL as a component We illustrate some of the advantages of K by comparing our semantical definition of OCL with the official semantics from the language's standard. We also report on a tool implementing our definition that users can try online.Nous donnons une sémantique à un sous-ensemble significatif du langage OCL (Object Constraint Langage) dans le cadre formel K. Le sous-ensemble choisi inclut les expressions habituelles arithmétiques, logiques (y compris avec quantifications), et de type chaîne de caractères; les expressions de type collection (y compris les itérateurs et la navigation); et les pre/post conditions pour les méthodes des classes. Notre définition est exécutable et produit par construction un interpréteur pour le sous-ensemble d'OCL choisi. L'interpréteur peut être inclus comme composante dans d'autre langages définis en K qui incluent OCL en tant que sous-langage. Nous illustrons les avantages de notre sémantique en la comparant avec la sémantique issue de la norme (standard) OCL. Enfin, nous présentons un outil, disponible en ligne, qui implémente notre approche