Abstract not found

Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, state-space explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For infinite-state systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction of programs written in an industrial programming language such as C, and its implementation in a tool-- C2bp. The C2bp tool is part of the SLAM toolkit, which uses a combination of predicate abstraction, model checking, symbolic reasoning, and iterative refinement to statically check temporal safety properties of programs. Predicate abstraction of software has many applications, including detecting program errors, synthesizing program invariants, and improving the precision of program analyses through predicate sensitivity. We discuss our experience applying the C2bp predicate abstraction tool to a variety of problems, ranging from checking that list-manipulating code preserves heap invariants to finding errors in Windows NT device drivers.

We present a new framework for verifying partial specifications of programs in order to catch type and memory errors and check data structure invariants. Our technique can verify a large class of data structures, namely all those that can be expressed as graph types. Earlier versions were restricted to simple special cases such as lists or trees. Even so, our current implementation is as fast as the previous specialized tools. Programs are annotated with partial specifications expressed in Pointer Assertion Logic, a new notation for expressing properties of the program store. We work in the logical tradition by encoding the programs and partial specifications as formulas in monadic second-order logic. Validity of these formulas is checked by the MONA tool, which also can provide explicit counterexamples to invalid formulas. To make verification decidable, the technique requires explicit loop and function call invariants. In return, the technique is highly modular: every statement of a given program is analyzed only once. The main target applications are safety-critical data-type algorithms, where the cost of annotating a program with invariants is justified by the value of being able to automatically verify complex properties of the program.

A novel and important feature of our framework is its simultaneous support for both formal reasoning and sophisticated compiler transformations that deal with the program and the target machine at a very low level. In particular, our logics allow the compiler to prove the correctness of lowlevel optimizations such as register allocation and instruction scheduling even in the presence of potentially aliased pointers into the memory of the machine.

We present a compositional program logic for call-by-value imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic

Predicate abstraction is a technique for creating abstract models of software that are amenable to model checking algorithms. We show how polymorphism, a well-known concept in programming languages and program analysis, can be incorporated in a predicate abstraction algorithm for C programs. The use of polymorphism in predicates, via the introduction of symbolic names for values, allows us to model the effect of a procedure independent of its calling contexts. Therefore, we can safely and precisely abstract a procedure once and then reuse this abstraction across multiple calls and multiple applications containing the procedure. Polymorphism also enables us to handle programs that need to be analyzed in an open environment, for all possible callers. We have proved that our algorithm is sound and have implemented it in the C2BP tool as part of the SLAM software model checking toolkit.

In this thesis, the refinement calculus is extended to support a variety of object-oriented programming styles. The late binding of procedure calls in object-oriented languages is modelled by defining an object-oriented system to be a function from procedure names and argument values to the procedures that are invoked by late binding. The first model allows multiple dispatch late binding, in the style of CLOS. This model is then specialised to the single dispatch case, giving a model that associates types with objects, which is similar to existing class based object-oriented languages. Both models are then restricted so that they support modular reasoning. The concept of modular reasoning has been defined informally in the literature, both for non-object-oriented systems and for object-oriented systems. This thesis gives the first formal definition of modular reasoning for object-oriented languages. Intuitively, the definition seems to capture the minimum possible requirements necessa...

In recent years, the use of symbolic analysis in systems for testing and verifying programs has experienced a resurgence. By “symbolic program analysis”, we mean logic-based techniques to analyze state changes along individual program paths. The three basic primitives used in symbolic analysis are functions that perform forward symbolic evaluation, weakest precondition, and symbolic composition by manipulating formulas. The conventional approach to implementing systems that use symbolic analysis is to write each of the three symbolic-analysis functions by hand for the programming language of interest. In this paper, we develop a method to create implementations of these primitives so that they can be made available easily for multiple programming languages—particularly for multiple machine-code instruction sets. In particular, we have created a system in which, for the cost of writing just one specification—of the semantics of the programming language of interest, in the form of an interpreter expressed in a functional language—one obtains automaticallygenerated implementations of all three symbolic-analysis functions. We show that this can be carried out even for programming languages with pointers, aliasing, dereferencing, and address arithmetic. The technique has been implemented, and used to automatically generate symbolic-analysis primitives for multiple machinecode instruction sets. 1.

Abstract not found

Software model-checking based on abstraction-refinement has recently achieved widespread success in verifying critical properties of real-world device drivers. We believe this success can be replicated for the problem of buffer overflow detection. This thesis presents two projects which contribute to this objective. First, it discusses the design and construction of a buffer overflow benchmark for software model-checkers. The benchmark consists of 298 code fragments of varying complexity capturing 22 buffer overflow vulnerabilities in 12 open source applications. We give a preliminary evaluation of the benchmark using the SatAbs model checker. Second, the thesis describes the implementation of several components for supporting buffer overflow analysis in the YASM software model-checker.