Results 1  10
of
41
Abstractions from Proofs
, 2004
"... The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are req ..."
Abstract

Cited by 272 (32 self)
 Add to MetaCart
The success of model checking for large programs depends crucially on the ability to efficiently construct parsimonious abstractions. A predicate abstraction is parsimonious if at each control location, it specifies only relationships between current values of variables, and only those which are required for proving correctness. Previous methods for automatically refining predicate abstractions until sufficient precision is obtained do not systematically construct parsimonious abstractions: predicates usually contain symbolic variables, and are added heuristically and often uniformly to many or all control locations at once. We use Craig interpolation to efficiently construct, from a given abstract error trace which cannot be concretized, a parsominous abstraction that removes the trace. At each location of the trace, we infer the relevant predicates as an interpolant between the two formulas that define the past and the future segment of the trace. Each interpolant is a relationship between current values of program variables, and is relevant only at that particular program location. It can be found by a linear scan of the proof of infeasibility of the trace. We develop
SLAM and static driver verifier: Technology transfer of formal methods inside Microsoft
 In: IFM. (2004
, 2004
"... Abstract. The SLAM project originated in Microsoft Research in early 2000. Its goal was to automatically check that a C program correctly uses the interface to an external library. The project used and extended ideas from symbolic model checking, program analysis and theorem proving in novel ways to ..."
Abstract

Cited by 89 (6 self)
 Add to MetaCart
(Show Context)
Abstract. The SLAM project originated in Microsoft Research in early 2000. Its goal was to automatically check that a C program correctly uses the interface to an external library. The project used and extended ideas from symbolic model checking, program analysis and theorem proving in novel ways to address this problem. The SLAM analysis engine forms the core of a new tool called Static Driver Verifier (SDV) that systematically analyzes the source code of Windows device drivers against a set of rules that define what it means for a device driver to properly interact with the Windows operating system kernel. We believe that the history of the SLAM project and SDV is an informative tale of the technology transfer of formal methods and software tools. We discuss the context in which the SLAM project took place, the first two years of research on the SLAM project, the creation of the SDV tool and its transfer to the Windows development organization. In doing so, we call out many of the basic ingredients we believe to be essential to technology transfer: the choice of a critical problem domain; standing on the shoulders of those who have come before; the establishment of relationships with “champions ” in product groups; leveraging diversity in research and development experience and careful planning and honest assessment of progress towards goals. 1
A practical and complete approach to predicate refinement
 In Tools and Algorithms for the Construction and Analysis of Systems, LNCS 3920
, 2006
"... Abstract. Predicate abstraction is a method of synthesizing the strongest inductive invariant of a system expressible as a Boolean combination of a given set of atomic predicates. A predicate selection method can be said to be complete for a given theory if it is guaranteed to eventually find atomic ..."
Abstract

Cited by 87 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Predicate abstraction is a method of synthesizing the strongest inductive invariant of a system expressible as a Boolean combination of a given set of atomic predicates. A predicate selection method can be said to be complete for a given theory if it is guaranteed to eventually find atomic predicates sufficient to prove a given property, when such exist. Current heuristics are incomplete, and often diverge on simple examples. We present a practical method of predicate selection that is complete in the above sense. The method is based on interpolation and uses a “split prover”, somewhat in the style of structurebased provers used in artificial intelligence. We show that it allows the verification of a variety of simple programs that cannot be verified by existing software model checkers. 1
A Survey of Automated Techniques for Formal Software Verification
 TRANSACTIONS ON CAD
, 2008
"... The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming erro ..."
Abstract

Cited by 51 (5 self)
 Add to MetaCart
The software in an electronic system is often the greatest concern with respect to quality and design flaws. Formal verification tools can provide a guarantee that a design is free of specific flaws. We survey algorithms that perform automatic, static analysis of software to detect programming errors or prove their absence. The three techniques we consider are static analysis with abstract domains, model checking, and bounded model checking. We provide a short tutorial on the these techniques, highlighting their differences when applied to practical problems. We also survey the tools that are available implementing these techniques, and describe their merits and shortcomings.
Software Model Checking
"... Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis o ..."
Abstract

Cited by 49 (0 self)
 Add to MetaCart
Software model checking is the algorithmic analysis of programs to prove properties of their executions. It traces its roots to logic and theorem proving, both to provide the conceptual framework in which to formalize the fundamental questions and to provide algorithmic procedures for the analysis of logical questions. The undecidability theorem [Turing 1936] ruled out the possibility of a sound and complete algorithmic solution for any sufficiently powerful programming model, and even under restrictions (such as finite state spaces), the correctness problem remained computationally intractable. However, just because a problem is hard does not mean it never appears in practice. Also, just because the general problem is undecidable does not imply that specific instances of the problem will also be hard. As the complexity of software systems grew, so did the need for some reasoning mechanism about correct behavior. (While we focus here on analyzing the behavior of a program relative to given correctness specifications, the development of specification mechanisms happened in parallel, and merits a different survey.) Initially, the focus of program verification research was on manual reasoning, and
Refining Approximations in Software Predicate Abstraction
 In: TACAS 04: Tools and Algorithms for Construction and Analysis of Systems, SpringerVerlag
, 2004
"... Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of comp ..."
Abstract

Cited by 44 (10 self)
 Add to MetaCart
(Show Context)
Predicate abstraction is an automatic technique that can be used to find abstract models of large or infinitestate systems. In tools like Slam, where predicate abstraction is applied to software model checking, a number of heuristic approximations must be used to improve the performance of computing an abstraction from a set of predicates.
Cogent: Accurate theorem proving for program verification
 Proceedings of CAV 2005, volume 3576 of Lecture Notes in Computer Science
, 2005
"... Abstract. Many symbolic software verification engines such as Slam and ESC/Java rely on automatic theorem provers. The existing theorem provers, such as Simplify, lack precise support for important programming language constructs such as pointers, structures and unions. This paper describes a theore ..."
Abstract

Cited by 40 (11 self)
 Add to MetaCart
(Show Context)
Abstract. Many symbolic software verification engines such as Slam and ESC/Java rely on automatic theorem provers. The existing theorem provers, such as Simplify, lack precise support for important programming language constructs such as pointers, structures and unions. This paper describes a theorem prover, Cogent, that accurately supports all ANSIC expressions. The prover’s implementation is based on a machinelevel interpretation of expressions into propositional logic, and supports finite machinelevel variables, bit operations, structures, unions, references, pointers and pointer arithmetic. When used by Slam during the model checking of over 300 benchmarks, Cogent’s improved accuracy reduced the number of Slam timeouts by half, increased the number of true errors found, and decreased the number of false errors. 1
Predicate Abstraction with Minimum Predicates
 In Advanced Research Working Conference on Correct Hardware Design and Verification Methods (CHARME
, 2003
"... Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requiremen ..."
Abstract

Cited by 38 (11 self)
 Add to MetaCart
(Show Context)
Predicate abstraction is a popular abstraction technique employed in formal software verification. A crucial requirement to make predicate abstraction effective is to use as few predicates as possible, since the abstraction process is in the worst case exponential (in both time and memory requirements) in the number of predicates involved. If a property can be proven to hold or not hold based on a given finite set of predicates P, the procedure we propose in this paper finds automatically a minimal subset of P that is sufficient for the proof. We explain how our technique can be used for more efficient verification of C programs. Our experiments show that predicate minimization can result in a significant reduction of both verification time and memory usage compared to earlier methods.
ASPIER: An Automated Framework for Verifying Security Protocol Implementations
"... Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodol ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
(Show Context)
Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodology for software model checking with a domainspecific protocol and symbolic attacker model. We have implemented the ASPIER tool and used it to verify authentication and secrecy properties of a part of an industrial strength protocol implementation – the handshake in OpenSSL – for configurations consisting of up to 3 servers and 3 clients. We have also implemented two distinct methods for reasoning about attacker message derivations, and evaluated them in the context of OpenSSL verification. ASPIER detected the “versionrollback ” vulnerability in OpenSSL 0.9.6c source code and successfully verified the implementation when clients and servers are only willing to run SSL 3.0. Keywordssecurity protocol; verification; model checking; abstraction refinement. I.
Efficient Verification of Sequential and Concurrent C Programs
, 2003
"... There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model c ..."
Abstract

Cited by 34 (12 self)
 Add to MetaCart
(Show Context)
There has been considerable progress in the domain of software veri cation over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques like predicate abstraction. However, the state space explosion problem in model checking remains the chief obstacle to the practical veri cation of realworld distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction eective is to use as few predicates as possible. This is because, in the worst case, the state space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components.