Results 1  10
of
147
EXE: Automatically generating inputs of death
 In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS
, 2006
"... This article presents EXE, an effective bugfinding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on ea ..."
Abstract

Cited by 236 (14 self)
 Add to MetaCart
This article presents EXE, an effective bugfinding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., inputderived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an inputconstraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow any value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own codesigned constraint solver, STP. Because EXE’s constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code).
Towards automatic generation of vulnerabilitybased signatures
, 2006
"... In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exerci ..."
Abstract

Cited by 133 (26 self)
 Add to MetaCart
In this paper we explore the problem of creating vulnerability signatures. A vulnerability signature matches all exploits of a given vulnerability, even polymorphic or metamorphic variants. Our work departs from previous approaches by focusing on the semantics of the program and vulnerability exercised by a sample exploit instead of the semantics or syntax of the exploit itself. We show the semantics of a vulnerability define a language which contains all and only those inputs that exploit the vulnerability. A vulnerability signature is a representation (e.g., a regular expression) of the vulnerability language. Unlike exploitbased signatures whose error rate can only be empirically measured for known test cases, the quality of a vulnerability signature can be formally quantified for all possible inputs. We provide a formal definition of a vulnerability signature and investigate the computational complexity of creating and matching vulnerability signatures. We also systematically explore the design space of vulnerability signatures. We identify three central issues in vulnerabilitysignature creation: how a vulnerability signature represents the set of inputs that may exercise a vulnerability, the vulnerability coverage (i.e., number of vulnerable program paths) that is subject to our analysis during signature creation, and how a vulnerability signature is then created for a given representation and coverage. We propose new dataflow analysis and novel adoption of existing techniques such as constraint solving for automatically generating vulnerability signatures. We have built a prototype system to test our techniques. Our experiments show that we can automatically generate a vulnerability signature using a single exploit which is of much higher quality than previous exploitbased signatures. In addition, our techniques have several other security applications, and thus may be of independent interest. 1
DPLL(T): Fast Decision Procedures
, 2004
"... The logic of equality with uninterpreted functions (EUF) and its extensions have been widely applied to processor verification, by means of a large variety of progressively more sophisticated (lazy or eager) translations into propositional SAT. Here we propose a new approach, namely a general DP ..."
Abstract

Cited by 121 (14 self)
 Add to MetaCart
The logic of equality with uninterpreted functions (EUF) and its extensions have been widely applied to processor verification, by means of a large variety of progressively more sophisticated (lazy or eager) translations into propositional SAT. Here we propose a new approach, namely a general DPLL(X) engine, whose parameter X can be instantiated with a specialized solver Solver T for a given theory T , thus producing a system DPLL(T ). We describe this DPLL(T ) scheme, the interface between DPLL(X) and Solver T , the architecture of DPLL(X), and our solver for EUF, which includes incremental and backtrackable congruence closure algorithms for dealing with the builtin equality and the integer successor and predecessor symbols. Experiments with a first implementation indicate that our technique already outperforms the previous methods on most benchmarks, and scales up very well.
Lazy Satisfiability Modulo Theories
 Journal on Satisfiability, Boolean Modeling and Computation
, 2007
"... Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingl ..."
Abstract

Cited by 85 (34 self)
 Add to MetaCart
Satisfiability Modulo Theories (SMT) is the problem of deciding the satisfiability of a firstorder formula with respect to some decidable firstorder theory T (SMT (T)). These problems are typically not handled adequately by standard automated theorem provers. SMT is being recognized as increasingly important due to its applications in many domains in different communities, in particular in formal verification. An amount of papers with novel and very efficient techniques for SMT has been published in the last years, and some very efficient SMT tools are now available. Typical SMT (T) problems require testing the satisfiability of formulas which are Boolean combinations of atomic propositions and atomic expressions in T, so that heavy Boolean reasoning must be efficiently combined with expressive theoryspecific reasoning. The dominating approach to SMT (T), called lazy approach, is based on the integration of a SAT solver and of a decision procedure able to handle sets of atomic constraints in T (Tsolver), handling respectively the Boolean and the theoryspecific components of reasoning. Unfortunately, neither the problem of building an efficient SMT solver, nor even that of acquiring a comprehensive background knowledge in lazy SMT, is of simple solution. In this paper we present an extensive survey of SMT, with particular focus on the lazy approach. We survey, classify and analyze from a theoryindependent perspective the most effective techniques and optimizations which are of interest for lazy SMT and which have been proposed in various communities; we discuss their relative benefits and drawbacks; we provide some guidelines about their choice and usage; we also analyze the features for SAT solvers and Tsolvers which make them more suitable for an integration. The ultimate goals of this paper are to become a source of a common background knowledge and terminology for students and researchers in different areas, to provide a reference guide for developers of SMT tools, and to stimulate the crossfertilization of techniques and ideas among different communities.
A Symbolic Approach to Predicate Abstraction
 COMPUTERAIDED VERIFICATION (CAV 2003), LNCS 2725
, 2003
"... Predicate abstraction is a useful form of abstraction for the verification of transition systems with large or infinite state spaces. One of the main bottlenecks of this approach is the extremely large number of decision procedures calls that are required to construct the abstract state space. I ..."
Abstract

Cited by 59 (13 self)
 Add to MetaCart
Predicate abstraction is a useful form of abstraction for the verification of transition systems with large or infinite state spaces. One of the main bottlenecks of this approach is the extremely large number of decision procedures calls that are required to construct the abstract state space. In this paper we propose the use of a symbolic decision procedure and its application for predicate abstraction. The advantage of the approach is that it reduces the number of calls to the decision procedure exponentially and also provides for reducing the recomputations inherent in the current approaches. We provide two implementations of the symbolic decision procedure: one based on BDDs which leverages the current advances in early quantification algorithms, and the other based on SATsolvers. We also demonstrate our approach with quantified predicates for verifying parameterized systems. We illustrate the effectiveness of this approach on benchmarks from the verification of microprocessors, communication protocols, parameterized systems, and Microsoft Windows device drivers.
A Hybrid SATBased Decision Procedure for Separation Logic with Uninterpreted Functions
 In Proc. DAC’03
, 2003
"... SATbased decision procedures for quantifierfree fragments of firstorder logic have proved to be useful in formal verification. These decision procedures are either based on encoding atomic subformulas with Boolean variables, or by encoding integer variables as bitvectors. Based on evaluating the ..."
Abstract

Cited by 47 (4 self)
 Add to MetaCart
SATbased decision procedures for quantifierfree fragments of firstorder logic have proved to be useful in formal verification. These decision procedures are either based on encoding atomic subformulas with Boolean variables, or by encoding integer variables as bitvectors. Based on evaluating these two encoding methods on a diverse set of hardware and software benchmarks, we conclude that neither method is robust to variations in formula characteristics. We therefore propose a new hybrid technique that combines the two methods. We give experimental results showing that the hybrid method can significantly outperform either approach as well as other decision procedures.
Indexed Predicate Discovery for Unbounded System Verification
 IN CAV’04
, 2004
"... Predicate abstraction has been proved effective for verifying several infinitestate systems. In predicate abstraction, an abstract system is automatically constructed given a set of predicates. Predicate abstraction coupled with automatic predicate discovery provides for a completely automatic v ..."
Abstract

Cited by 46 (7 self)
 Add to MetaCart
Predicate abstraction has been proved effective for verifying several infinitestate systems. In predicate abstraction, an abstract system is automatically constructed given a set of predicates. Predicate abstraction coupled with automatic predicate discovery provides for a completely automatic verification scheme. For systems with unbounded integer state variables (e.g. software), counterexample guided predicate discovery has been successful in identifying the necessary predicates. For
Improvements to Combinational Equivalence Checking
 In Proc. Int’l Conf. on ComputerAided Design
, 2006
"... The paper explores several ways to improve the speed and capacity of combinational equivalence checking based on Boolean satisfiability (SAT). Stateoftheart methods use simulation and BDD/SAT sweeping on the input side (i.e. proving equivalence of some internal nodes in a topological order), inte ..."
Abstract

Cited by 44 (20 self)
 Add to MetaCart
The paper explores several ways to improve the speed and capacity of combinational equivalence checking based on Boolean satisfiability (SAT). Stateoftheart methods use simulation and BDD/SAT sweeping on the input side (i.e. proving equivalence of some internal nodes in a topological order), interleaved with attempts to run SAT on the output (i.e. proving equivalence of the output to constant 0). This paper improves on this method by (a) using more intelligent simulation, (b) using CNFbased SAT with circuitbased decision heuristics, and (c) interleaving SAT with loweffort logic synthesis. Experimental results on public and industrial benchmarks demonstrate substantial reductions in runtime, compared to the current methods. In several cases, the new solver succeeded in solving previously unsolved problems. 1
Modeling and Verification of OutofOrder Microprocessors in UCLID
, 2002
"... In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda express ..."
Abstract

Cited by 44 (14 self)
 Add to MetaCart
In this paper, we describe the modeling and verification of outoforder microprocessors with unbounded resources using an expressive, yet efficiently decidable, quantifierfree fragment of first order logic. This logic includes uninterpreted functions, equality, ordering, constrained lambda expressions, and counter arithmetic. UCLID is a tool for specifying and verifying systems expressed in this logic. The paper makes two main contributions. First, we show that the logic is expressive enough to model components found in most modern microprocessors, independent of their actual sizes. Second, we demonstrate UCLID's verification capabilities, ranging from full automation for bounded property checking to a high degree of automation in proving restricted classes of invariants. These techniques, coupled with a counterexample generation facility, are useful in establishing correctness of processor designs. We demonstrate UCLID's methods using a case study of a synthetic model of an outoforder processor where all the invariants were proved automatically.
DPLL(T) with Exhaustive Theory Propagation and its Application to Difference Logic
 In Proc. CAV’05, volume 3576 of LNCS
, 2005
"... Abstract. At CAV’04 we presented the DPLL(T) approach for satisfiability modulo theories T. It is based on a general DPLL(X) engine whose X can be instantiated with different theory solvers SolverT for conjunctions of literals. Here we go one important step further: we require SolverT to be able to ..."
Abstract

Cited by 43 (6 self)
 Add to MetaCart
Abstract. At CAV’04 we presented the DPLL(T) approach for satisfiability modulo theories T. It is based on a general DPLL(X) engine whose X can be instantiated with different theory solvers SolverT for conjunctions of literals. Here we go one important step further: we require SolverT to be able to detect all input literals that are Tconsequences of the partial model that is being explored by DPLL(X). Although at first sight this may seem too expensive, we show that for difference logic the benefits compensate by far the costs. Here we describe and discuss this new version of DPLL(T), the DPLL(X) engine, and our SolverT for difference logic. The resulting very simple DPLL(T) system importantly outperforms the existing techniques for this logic. Moreover, it has very good scaling properties: especially on the larger problems it gives improvements of orders of magnitude w.r.t. the existing stateoftheart tools. 1