
    Partial Orders for Efficient BMC of Concurrent Software

    This version previously deposited at arXiv:1301.1629v1 [cs.LO]. The vast number of interleavings that a concurrent program can have is typically identified as the root cause of the difficulty of automatic analysis of concurrent software. Weak memory is generally believed to make this problem even harder. We address both issues by modelling programs' executions with partial orders rather than the interleaving semantics (SC). We implemented a software analysis tool based on these ideas. It scales to programs of sufficient size to achieve first-time formal verification of non-trivial concurrent systems code over a wide range of models, including SC, Intel x86 and IBM Power.

    A model for time-dependent grain boundary diffusion of ions and electrons through a film or scale, with an application to alumina

    A model for ionic and electronic grain boundary transport through thin films, scales or membranes with columnar grain structure is introduced. The grain structure is idealized as a lattice of identical hexagonal cells - a honeycomb pattern. Reactions with the environment constitute the boundary conditions and drive the transport between the surfaces. Time-dependent simulations solving the Poisson equation self-consistently with the Nernst-Planck flux equations for the mobile species are performed. In the resulting Poisson-Nernst-Planck system of equations, the electrostatic potential is obtained from the Poisson equation in its integral form by summation. The model is used to interpret alumina membrane oxygen permeation experiments, in which different oxygen gas pressures are applied at opposite membrane surfaces and the resulting flux of oxygen molecules through the membrane is measured. Simulation results involving four mobile species, charged aluminum and oxygen vacancies, electrons, and holes, provide a complete description of the measurements and insight into the microscopic processes underpinning the oxygen permeation of the membrane. Most notably, the hypothesized transition between p-type and n-type ionic conductivity of the alumina grain boundaries as a function of the applied oxygen gas pressure is observed in the simulations. The range of validity of a simple analytic model for the oxygen permeation rate, similar to the Wagner theory of metal oxidation, is quantified by comparison to the numeric simulations. The three-dimensional model we develop here is readily adaptable to problems such as transport in a solid state electrode, or corrosion scale growth.

    Verification Witnesses

    Over the last years, witness-based validation of verification results has become an established practice in software verification: an independent validator re-establishes the verification results of a software verifier using verification witnesses, which are stored in a standardized exchange format. In addition to validation, such exchangeable information about proofs and alarms found by a verifier can be shared across verification tools, and users can apply independent third-party tools to visualize and explore witnesses to help them comprehend the causes of bugs or the reasons why a given program is correct. To achieve the goal of making verification results more accessible to engineers, it is necessary to consider witnesses as first-class exchangeable objects, stored independently from the source code and checked independently from the verifier that produced them, respecting the important principle of separation of concerns. We present the conceptual principles of verification witnesses, give a description of how to use them, provide a technical specification of the exchange format for witnesses, and perform an extensive experimental study on the application of witness-based result validation, using the validators CPAchecker, UAutomizer, CPA-witness2test, and FShell-witness2test.

    Model checking boot code from AWS data centers

    © 2020, The Author(s). This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis.

    Concurrent Program Verification with Invariant-Guided Underapproximation

    Automatic verification of concurrent programs written in low-level languages like ANSI C is an important task as multi-core architectures gain widespread adoption. Formal verification, although very valuable for this domain, rapidly runs into the state-explosion problem due to multiple thread interleavings. Recently, Bounded Model Checking (BMC) has been used for this purpose, but it does not scale in practice. In this work, we develop a method to further constrain the search space for BMC techniques using underapproximations of the data flow of shared memory and lazy, demand-driven refinement of the approximation. A novel contribution of our method is that the underapproximation is guided by likely data-flow invariants mined from dynamic analysis, and the refinement is based on proof-based learning. We have implemented our method in a prototype tool. Initial experiments on benchmark examples show potential performance benefits.

    Automating Test-Suite Augmentation


    Code-level model checking in the software development workflow at Amazon Web Services

    This article describes a style of applying symbolic model checking developed over the course of four years at Amazon Web Services (AWS). Lessons learned are drawn from proving properties of numerous C-based systems, for example, custom hypervisors, encryption code, boot loaders, and an IoT operating system. Using our methodology, we find that we can prove the correctness of industrial low-level C-based systems with reasonable effort and predictability. Furthermore, AWS developers are increasingly writing their own formal specifications. As part of this effort, we have developed a CI system that allows integration of the proofs into standard development workflows and extended the proof tools to provide better feedback to users. All proofs discussed in this article are publicly available on GitHub.

    VerifyThis 2015: A program verification competition

    VerifyThis 2015 was a one-day program verification competition which took place on April 12th, 2015 in London, UK, as part of the European Joint Conferences on Theory and Practice of Software (ETAPS 2015). It was the fourth instalment in the VerifyThis competition series. This article provides an overview of the VerifyThis 2015 event, the challenges that were posed during the competition, and a high-level overview of the solutions to these challenges. It concludes with the results of the competition and some ideas and thoughts for future instalments of VerifyThis.