24 research outputs found

    Model Counting Modulo Theories

    This thesis is concerned with the quantitative assessment of security in software. More specifically, it tackles the problem of efficient computation of channel capacity, the maximum amount of confidential information leaked by software, measured in Shannon entropy or Rényi's min-entropy. Most approaches to computing channel capacity are either efficient and return only (possibly very loose) upper bounds, or alternatively are inefficient but precise; few target realistic programs. In this thesis, we present a novel approach to the problem by reducing it to a model counting problem on first-order logic, which we name Model Counting Modulo Theories or #SMT for brevity. For quantitative security, our contribution is twofold. First, on the theoretical side we establish the connections between measuring confidentiality leaks and fundamental verification algorithms like Symbolic Execution, SMT solvers and DPLL. Second, exploiting these connections, we develop novel #SMT-based techniques to compute channel capacity, which achieve both accuracy and efficiency. These techniques are scalable to real-world programs, and illustrative case studies include C programs from the Linux kernel, a Java program from a European project and anonymity protocols. For formal verification, our contribution is also twofold. First, we introduce and study a new research problem, namely #SMT, which has other potential applications beyond computing channel capacity, such as returning multiple counterexamples for Bounded Model Checking or automated test generation. Second, we propose an alternative approach for Bounded Model Checking using classical Symbolic Execution, which can be parallelised to leverage modern multi-core and distributed architectures. For software engineering, our first contribution is to demonstrate the correspondence between the algorithm of Symbolic Execution and the DPLL(T) algorithm used in state-of-the-art SMT solvers. This correspondence could be leveraged to improve Symbolic Execution for automated test generation. Finally, we show the relation between computing channel capacity and reliability analysis in software. School of Electronic Engineering and Computer Science scholarshi

    Automatic Data Structure Repair using Separation Logic


    Concolic Testing Heap-Manipulating Programs

    Concolic testing is a test generation technique which works effectively by integrating random test generation and symbolic execution. Existing concolic testing engines focus on numeric programs. Heap-manipulating programs make extensive use of complex heap objects like trees and lists. Testing such programs is challenging for multiple reasons. Firstly, test inputs for such programs are required to satisfy non-trivial constraints which must be specified precisely. Secondly, precisely encoding and solving path conditions in such programs is challenging and often expensive. In this work, we propose the first concolic testing engine, called CSF, for heap-manipulating programs based on separation logic. CSF effectively combines specification-based testing and concolic execution for test input generation. It is evaluated on a set of challenging heap-manipulating programs. The results show that CSF generates valid test inputs with high coverage efficiently. Furthermore, we show that CSF can potentially be used in combination with precondition inference tools to reduce the user effort.

    Concurrent Bounded Model Checking

    The Definitive Version can be found in the ACM Digital Library here: http://dx.doi.org/10.1145/2693208.2693240. Issue date: January 2015; numpages: 5; acmid: 2693240; keywords: Bounded Model Checking, Concurrency, Symbolic Execution

    An Exactly Soluble Equation for the Stationary Probability Distribution in a Nonlinear System under the Influence of Two-telegraph Noise: Application to the Noise Reduction in a Raman Ring Laser

    In this paper, we consider a model of a nonlinear system with random telegraph noises and a Raman ring laser, modeling the laser pump light by a pregaussian process, and find an exactly soluble equation for the stationary probability distribution of fluctuations in this nonlinear system under the influence of two-telegraph noise. In consequence, we obtain the so-called noise reduction in this system: the Stokes output of this laser tends to stabilize under the influence of the broad-band two-telegraph pregaussian pump. We compare these results with those obtained in our previous paper (Cao Long Van, Doan Quoc Khoa, Opt. Quant. Electron. 43, 137 (2012)) for the case of one telegraph noise.

    Safety and efficacy of fluoxetine on functional outcome after acute stroke (AFFINITY): a randomised, double-blind, placebo-controlled trial

    Background Trials of fluoxetine for recovery after stroke report conflicting results. The Assessment oF FluoxetINe In sTroke recoverY (AFFINITY) trial aimed to show if daily oral fluoxetine for 6 months after stroke improves functional outcome in an ethnically diverse population. Methods AFFINITY was a randomised, parallel-group, double-blind, placebo-controlled trial done in 43 hospital stroke units in Australia (n=29), New Zealand (four), and Vietnam (ten). Eligible patients were adults (aged ≥18 years) with a clinical diagnosis of acute stroke in the previous 2–15 days, brain imaging consistent with ischaemic or haemorrhagic stroke, and a persisting neurological deficit that produced a modified Rankin Scale (mRS) score of 1 or more. Patients were randomly assigned 1:1 via a web-based system using a minimisation algorithm to once daily, oral fluoxetine 20 mg capsules or matching placebo for 6 months. Patients, carers, investigators, and outcome assessors were masked to the treatment allocation. The primary outcome was functional status, measured by the mRS, at 6 months. The primary analysis was an ordinal logistic regression of the mRS at 6 months, adjusted for minimisation variables. Primary and safety analyses were done according to the patient's treatment allocation. The trial is registered with the Australian New Zealand Clinical Trials Registry, ACTRN12611000774921. Findings Between Jan 11, 2013, and June 30, 2019, 1280 patients were recruited in Australia (n=532), New Zealand (n=42), and Vietnam (n=706), of whom 642 were randomly assigned to fluoxetine and 638 were randomly assigned to placebo. Mean duration of trial treatment was 167 days (SD 48·1). At 6 months, mRS data were available in 624 (97%) patients in the fluoxetine group and 632 (99%) in the placebo group. The distribution of mRS categories was similar in the fluoxetine and placebo groups (adjusted common odds ratio 0·94, 95% CI 0·76–1·15; p=0·53). 
Compared with patients in the placebo group, patients in the fluoxetine group had more falls (20 [3%] vs seven [1%]; p=0·018), bone fractures (19 [3%] vs six [1%]; p=0·014), and epileptic seizures (ten [2%] vs two [<1%]; p=0·038) at 6 months. Interpretation Oral fluoxetine 20 mg daily for 6 months after acute stroke did not improve functional outcome and increased the risk of falls, bone fractures, and epileptic seizures. These results do not support the use of fluoxetine to improve functional outcome after stroke

    Stochastic local search for SMT: Combining theory solvers with WalkSAT. In

    A dominant approach to Satisfiability Modulo Theories (SMT) relies on the integration of a Conflict-Driven-Clause-Learning (CDCL) SAT solver and of a decision procedure able to handle sets of atomic constraints in the underlying theory T (T-solver). In pure SAT, however, Stochastic Local-Search (SLS) procedures sometimes are competitive with CDCL SAT solvers on satisfiable instances. Thus, it is a natural research question to wonder whether SLS can be exploited successfully also inside SMT tools. In this paper we investigate this issue. We first introduce a general procedure for integrating a SLS solver of the WalkSAT family with a T-solver. Then we present a group of techniques aimed at improving the synergy between these two components. Finally we implement all these techniques into a novel SLS-based SMT solver for the theory of linear arithmetic over the rationals, combining UBCSAT/UBCSAT++ and MathSAT, and perform an empirical evaluation on satisfiable instances. The results confirm the potential of the approach.

    Testing heap-based programs with Java StarFinder


    Optimisation of quantitative miRNA panels to consolidate the diagnostic surveillance of HBV-related hepatocellular carcinoma

    Background: Circulating microRNAs (miRNA) are biomarkers for several neoplastic diseases, including hepatocellular carcinoma (HCC). We performed a literature search, followed by experimental screening and validation in order to establish a miRNA panel in combination with the assessment of alpha-fetoprotein (AFP) levels and to evaluate its performance in HCC diagnostics. Methods: Expression of miRNAs was quantified by quantitative PCR (qPCR) in 406 serum samples from 118 Vietnamese patients with hepatitis B (HBV)-related HCC, 69 patients with HBV-related liver cirrhosis (LC), 100 chronic hepatitis B (CHB) patients and 119 healthy controls (HC). Results: Three miRNAs (mir-21, mir-122, mir-192) were expressed differentially among the studied subgroups and positively correlated with AFP levels. The individual miRNAs mir-21, mir-122, mir-192 or the triplex miRNA panel showed high diagnostic accuracy for HCC (HCC vs. CHB, AUC = 0.906; HCC vs. CHB+LC, AUC = 0.81; HCC vs. CHB+LC+HC, AUC = 0.854). When AFP levels were ≤20 ng/ml, the triplex miRNA panel still was accurate in distinguishing HCC from the other conditions (CHB, AUC = 0.922; CHB+LC, AUC = 0.836; CHB+LC+HC, AUC = 0.862). When AFP levels were used in combination with the triplex miRNA panel, the diagnostic performance was significantly improved in discriminating HCC from the other groups (LC, AUC = 0.887; CHB, AUC = 0.948; CHB+LC, AUC = 0.887). Conclusions: The three miRNAs mir-21, mir-122, mir-192, together with AFP, are biomarkers that may be applied to improve diagnostics of HCC in HBV patients, especially in HBV-related LC patients with normal AFP levels or HCC patients with small tumor sizes. Peer Reviewe