Results 1 
8 of
8
Bridging boolean and quantitative synthesis using smoothed proof search
, 2014
"... We present a new technique for parameter synthesis under boolean and quantitative objectives. The input to the technique is a “sketch” — a program with missing numerical parameters — and a probabilistic assumption about the program’s inputs. The goal is to automatically synthesize values for the p ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
(Show Context)
We present a new technique for parameter synthesis under boolean and quantitative objectives. The input to the technique is a “sketch” — a program with missing numerical parameters — and a probabilistic assumption about the program’s inputs. The goal is to automatically synthesize values for the parameters such that the resulting program satisfies: (1) a boolean specification, which states that the program must meet certain assertions, and (2) a quantitative specification, which assigns a real valued rating to every program and which the synthesizer is expected to optimize. Our method — called smoothed proof search — reduces this task to a sequence of unconstrained smooth optimization problems that are then solved numerically. By iteratively solving these problems, we obtain parameter values that get closer and closer to meeting the boolean specification; at the limit, we obtain values that provably meet the specification. The approximations are computed using a new notion of smoothing for program abstractions, where an abstract transformer is approximated by a function that is continuous according to a metric over abstract states. We present a prototype implementation of our synthesis procedure, and experimental results on two benchmarks from the embedded control domain. The experiments demonstrate the benefits of smoothed proof search over an approach that does not meet the boolean and quantitative synthesis goals simultaneously.
ICE: A Robust Framework for Learning Invariants
"... Abstract. We introduce ICE, a robust learning paradigm for synthesizing invariants, that learns using examples, counterexamples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for blackbox a ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce ICE, a robust learning paradigm for synthesizing invariants, that learns using examples, counterexamples, and implications, and show that it admits honest teachers and strongly convergent mechanisms for invariant synthesis. We observe that existing algorithms for blackbox abstract interpretation can be interpreted as ICElearning algorithms. We develop new strongly convergent ICElearning algorithms for two domains, one for learning Boolean combinations of numerical invariants for scalar variables and one for quantified invariants for arrays and dynamic lists. We implement these ICElearning algorithms in a verification tool and show they are robust, practical, and efficient. 1
R.: Termination proofs from tests
 In: ESEC/SIGSOFT FSE
"... ABSTRACT We show how a test suite for a sequential program can be profitably used to construct a termination proof. In particular, we describe an algorithm TpT for proving termination of a program based on information derived from testing it. TpT iteratively calls two phases: (a) an infer phase, an ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
ABSTRACT We show how a test suite for a sequential program can be profitably used to construct a termination proof. In particular, we describe an algorithm TpT for proving termination of a program based on information derived from testing it. TpT iteratively calls two phases: (a) an infer phase, and (b) a validate phase. In the infer phase, machine learning, in particular, linear regression is used to efficiently compute a candidate loop bound for every loop in the program. These loop bounds are verified for correctness by an offtheshelf checker. If a loop bound is invalid, then the safety checker provides a test or a counterexample that is used to generate more data which is subsequently used by the next infer phase to compute better estimates for loop bounds. On the other hand, if all loop bounds are valid, then we have a proof of termination. We also describe a simple extension to our approach that allows us to infer polynomial loop bounds automatically. We have evaluated TpT on two benchmark sets, microbenchmarks obtained from recent literature on program termination, and Windows device drivers. Our results are promising on the microbenchmarks, we show that TpT is able to prove termination on 15% more benchmarks than any previously known technique, and our evaluation on Windows device drivers demonstrates TpT's ability to analyze and scale to real world applications.
Interactively Verifying Absence of Explicit Information Flows in Android Apps
"... App stores are increasingly the preferred mechanism for distributing software, including mobile apps (Google Play), desktop apps (Mac App Store and Ubuntu Software Center), computer games (the Steam Store), and browser extensions (Chrome Web Store). The centralized nature of these stores has importa ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
App stores are increasingly the preferred mechanism for distributing software, including mobile apps (Google Play), desktop apps (Mac App Store and Ubuntu Software Center), computer games (the Steam Store), and browser extensions (Chrome Web Store). The centralized nature of these stores has important implications for security. While app stores have unprecedented ability to audit apps, users now trust hosted apps, making them more vulnerable to malware that evades detection and finds its way onto the app store. Sound static explicit information flow analysis has the potential to significantly aid human auditors, but it is handicapped by high false positive rates. Instead, auditors currently rely on a combination of dynamic analysis (which is unsound) and lightweight static analysis (which cannot identify information flows) to help detect malicious behaviors. We propose a process for producing apps certified to be free of malicious explicit information flows. In practice, imprecision in the reachability analysis is a major source of false positive information flows that are difficult to understand and discharge. In our approach, the developer provides tests that specify what code is reachable, allowing the static analysis to restrict its search to tested code. The app hosted on the store is instrumented to enforce the provided specification (i.e., executing untested code terminates the app). We use abductive inference to minimize the necessary instrumentation, and then interact with the developer to ensure that the instrumentation only cuts unreachable code. We demonstrate the effectiveness of our approach in verifying a corpus of 77 Android apps—our interactive verification process successfully discharges 11 out of the 12 false positives.
A.: Biasvariance tradeoffs in program analysis
 In: POPL (2014
"... It is often the case that increasing the precision of a program analysis leads to worse results. It is our thesis that this phenomenon is domains as the basis for inferring strong invariants of programs. We show that biasvariance tradeoffs, an idea from learning theory, can be used to explain why ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
It is often the case that increasing the precision of a program analysis leads to worse results. It is our thesis that this phenomenon is domains as the basis for inferring strong invariants of programs. We show that biasvariance tradeoffs, an idea from learning theory, can be used to explain why more precise abstractions do not necessarily lead to better results and also provides practical techniques for coping with such limitations. Learning theory captures precision using a combinatorial quantity called the VC dimension. We compute the VC dimension for different abstractions and report on its usefulness as a precision metric for program analyses. We evaluate cross validation, a technique for addressing biasvariance tradeoffs, on an industrial strength program verification tool called YOGI. The tool produced using cross validation has significantly better running time, finds new defects, and has fewer timeouts than the current production version. Finally, we make some recommendations for tackling biasvariance tradeoffs in program analysis.
Learning Refinement Types
"... We propose the integration of a random test generation system (capable of discovering program bugs) and a refinement type system (capable of expressing and verifying program invariants), for higherorder functional programs, using a novel lightweight learning algorithm as an effective intermediary ..."
Abstract
 Add to MetaCart
(Show Context)
We propose the integration of a random test generation system (capable of discovering program bugs) and a refinement type system (capable of expressing and verifying program invariants), for higherorder functional programs, using a novel lightweight learning algorithm as an effective intermediary between the two. Our approach is based on the wellunderstood intuition that useful, but difficult to infer, program properties can often be observed from concrete program states generated by tests; these properties act as likely invariants, which if used to refine simple types, can have their validity checked by a refinement type checker. We describe an implementation of our technique for a variety of benchmarks written in ML, and demonstrate its effectiveness in inferring and proving useful invariants for programs that express complex higherorder control and dataflow.
Learning to Verify the Heap
"... Abstract. We present a datadriven verification framework to automatically prove memory safety and functional correctness of heap programs. For this, we introduce a novel statistical machine learning technique that maps observed program states to (possibly disjunctive) separation logic formulas des ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We present a datadriven verification framework to automatically prove memory safety and functional correctness of heap programs. For this, we introduce a novel statistical machine learning technique that maps observed program states to (possibly disjunctive) separation logic formulas describing the invariant shape of (possibly nested) data structures at relevant program locations. We then attempt to verify these predictions using a theorem prover, where counterexamples to a predicted invariant are used as additional input to the shape predictor in a refinement loop. After obtaining valid shape invariants, we use a second learning algorithm to strengthen them with data invariants, again employing a refinement loop using the underlying theorem prover. We have implemented our techniques in Cricket, an extension of the GRASShopper verification tool. Cricket is able to automatically prove memory safety and correctness of implementations of a variety of classical heapmanipulating programs such as insertionsort, quicksort and traversals of nested data structures.
Dependent Array Type Inference from Tests
"... Abstract. We present a typebased program analysis capable of inferring expressive invariants over array programs. Our system combines dependent types with two additional key elements. First, we associate dependent types with effects and precisely track effectful array updates, yielding a sound flo ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We present a typebased program analysis capable of inferring expressive invariants over array programs. Our system combines dependent types with two additional key elements. First, we associate dependent types with effects and precisely track effectful array updates, yielding a sound flowsensitive dependent type system that can capture invariants associated with sideeffecting array programs. Second, without imposing an annotation burden for quantified invariants on array indices, we automatically infer useful array invariants by initially guessing very coarse invariant templates, using test suites to exercise the functionality of the program to faithfully instantiate these templates with more precise (likely) invariants. These inferred invariants are subsequently encoded as dependent types for validation. Experimental results demonstrate the utility of our approach, with respect to both expressivity of the invariants inferred, and the time necessary to converge to a result.