proof certificates for smt based model checkers
play

Proof Certificates for SMT-based Model Checkers Alain Mebsout and - PowerPoint PPT Presentation

Jul 23, 2023 •318 likes •809 views

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd , 2016 Motivation Model checkers return error traces but no evidence when they say yes Complex tools Goal: improve trustworthiness

  1. Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd , 2016

  2. Motivation • Model checkers return error traces but no evidence when they say yes • Complex tools • Goal: improve trustworthiness of these tools • Approach: produce proof certificates • Implemented in Kind 2 2

  3. Motivation • Model checkers return error traces but no evidence when they say yes • Complex tools • Implemented in Kind 2 2 • Goal: improve trustworthiness of these tools • Approach: produce proof certificates

  4. Motivation • Model checkers return error traces but no evidence when they say yes • Complex tools • Implemented in Kind 2 2 • Goal: improve trustworthiness of these tools • Approach: produce proof certificates

  5. Certificate generation and checking

  6. Proof certificate production as a two-steps process 4 Signatures System ! SMT k- induction Theories Property P safety validity Kind 2 SMT2 LFSC CVC4 proofs certificate proof

  7. Intermediate certificates 4 Signatures System ! SMT k- induction Theories Property P safety validity Kind 2 SMT2 LFSC CVC4 proofs certificate proof

  8. Intermediate Certificates where ϕ is k -inductive and implies the property P , 5 k ϕ ⇒ enough to prove that P holds in S = ( x , I , T )

  9. Intermediate Certificates where ϕ is k -inductive and implies the property P , 5 k ϕ ⇒ enough to prove that P holds in S = ( x , I , T ) Kind 2 core BMC k P k -induction max ( k 1 …k n ) ϕ 1 ∧ … ∧ ϕ n Supervisor k ϕ 1 P ∧ C ... IC3 (check-sat) SMT-LIB2 k i I Inv Gen

  10. Minimization of Intermediate (SMT-LIB 2) Certificates Two dimensions : • reduce k • simplify inductive invariant • simplify with unsat cores • simplify with counter-examples to induction Rationale : easier to check a smaller/simpler certificate 6

  11. from unsat core : R A taste of certificate minimization P R - no : restart with P - yes : keep R P R T P R n 1 7 (1) Trimming invariants property P invariants certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) ∧ T ∧ ¬ P ′ | φ 1 ∧ . . . ∧ φ n ∧ = ⊥ � �� � ����

  12. A taste of certificate minimization (1) Trimming invariants P R - no : restart with P - yes : keep R P R T P R 7 property P invariants certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) ∧ T ∧ ¬ P ′ | φ 1 ∧ . . . ∧ φ n ∧ = ⊥ � �� � ���� from unsat core : R ⊆ { φ 1 ∧ . . . ∧ φ n }

  13. A taste of certificate minimization P P R - no : restart with P - yes : keep R (1) Trimming invariants property 7 invariants certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) ∧ T ∧ ¬ P ′ | φ 1 ∧ . . . ∧ φ n ∧ = ⊥ � �� � ���� from unsat core : R ⊆ { φ 1 ∧ . . . ∧ φ n } ? = R ′ ∧ P ′ R ∧ P ∧ T |

  14. A taste of certificate minimization invariants - yes : keep R (1) Trimming invariants P property 7 certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) ∧ T ∧ ¬ P ′ | φ 1 ∧ . . . ∧ φ n ∧ = ⊥ � �� � ���� from unsat core : R ⊆ { φ 1 ∧ . . . ∧ φ n } ? = R ′ ∧ P ′ R ∧ P ∧ T | - no : restart with P := R ∧ P

  15. from model A taste of certificate minimization (cont.) R R P P R such that 8 R (2) Cherry-picking invariants � �� � certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) = P ′ P ∧ T ̸|

  16. A taste of certificate minimization (cont.) (2) Cherry-picking invariants R R P P 8 R � �� � certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) = P ′ P ∧ T ̸| from model M : φ ∈ R such that M ̸| = φ

  17. A taste of certificate minimization (cont.) (2) Cherry-picking invariants R 8 � �� � certificate: ( 1 , φ 1 ∧ . . . ∧ φ n ∧ P ) = P ′ P ∧ T ̸| from model M : φ ∈ R such that M ̸| = φ P := φ ∧ P R := R \ { φ }

  18. Front End Certificates

  19. Front end certificates in Kind 2 Translation from one formalism to another are sources of error In Kind 2, • several intermediate representations • many simplifications (slicing, path compression, encodings, …) How to trust the translation from input language to internal FOL representation ? Lightweight verification akin to Multiple-Version Dissimilar Software Verification of DO-178C (12.3.2) 10

  20. Front end certificates in Kind 2 Translation from one formalism to another are sources of error In Kind 2, • several intermediate representations • many simplifications (slicing, path compression, encodings, …) How to trust the translation from input language to internal FOL representation ? Lightweight verification akin to Multiple-Version Dissimilar Software Verification of DO-178C (12.3.2) 10

  21. Front end certificates in Kind 2 Translation from one formalism to another are sources of error In Kind 2, • several intermediate representations • many simplifications (slicing, path compression, encodings, …) How to trust the translation from input language to internal FOL representation ? Lightweight verification akin to Multiple-Version Dissimilar Software Verification of DO-178C (12.3.2) 10

  22. Front end certificates in Kind 2: approach 11 Observer of S 1 = ( x 1 , I 1 , T 1 ) Kind 2 equivalence ( OBS ) frontend P 1 x obs = x 1 ] x 2 S obs Lustre input file P obs ( x obs ) = x 1 ∼ x 2 S 2 = ( x 2 , I 2 , T 2 ) JKind frontend Native input P 2 Kind 2 core Previous certification chain for Kind 2 SMT-LIB 2 + CVC4 LFSC C ( S obs , P obs ) SMT2 Front End certificate ( FEC )

  23. LFSC Proofs

  24. Producing proofs 13 Signatures System ! SMT k- induction Theories Property P safety validity Kind 2 SMT2 LFSC CVC4 proofs certificate proof

  25. Producing proofs of invariance input system certificate produced by Kind 2 1. is k -inductive 2. implies P independently machine-checkable proof 14 S = ( s , I [ s ] , T [ s , s ′ ]) : P [ s ] : property proven invariant for S ( k , φ [ s ]) : • We can formally check that φ • Our goal: produce a detailed, self-contained and

  26. Proving invariance by k -induction input system certificate produced by Kind 2 15 S = ( s , I [ s ] , T [ s , s ′ ]) : P [ s ] : property proven invariant for S ( k , φ [ s ]) : φ is a k -inductive strengthening of P : I [ s 0 ] ∧ T [ s 0 , s 1 ] ∧ . . . ∧ T [ s k − 2 , s k − 1 ] ⊨ φ [ s 0 ] ∧ . . . ∧ φ [ s k − 1 ] ( base k ) φ [ s 0 ] ∧ T [ s 0 , s 1 ] ∧ . . . ∧ φ [ s k − 1 ] ∧ T [ s k − 1 , s k ] ⊨ φ [ s k ] ( step k ) φ [ s ] ⊨ P [ s ] ( implication )

  27. Proving invariance by k -induction input system certificate produced by Kind 2 15 S = ( s , I [ s ] , T [ s , s ′ ]) : P [ s ] : property proven invariant for S ( k , φ [ s ]) : φ is a k -inductive strengthening of P : I [ s 0 ] ∧ T [ s 0 , s 1 ] ∧ . . . ∧ T [ s k − 2 , s k − 1 ] ⊨ φ [ s 0 ] ∧ . . . ∧ φ [ s k − 1 ] ( base k ) φ [ s 0 ] ∧ T [ s 0 , s 1 ] ∧ . . . ∧ φ [ s k − 1 ] ∧ T [ s k − 1 , s k ] ⊨ φ [ s k ] ( step k ) φ [ s ] ⊨ P [ s ] ( implication )

  28. Approach step Use CVC4 to generate proofs for the validity of each sub-case implication 16 base reuses the proofs of CVC4 Kind 2 generates a proof of invariance by k -induction and LFSC proof LFSC proof LFSC proof from from from CVC4 CVC4 CVC4 LFSC proof of invariance and safety constructed by Kind 2

  29. LFSC rules 17 Signatures System ! SMT k- induction Theories Property P safety validity Kind 2 SMT2 LFSC CVC4 proofs certificate proof

  30. LFSC encodings Encoding of Lustre variables as functions over naturals (indexes) In the LFSC proof: 18 In Lustre node main (a: bool ) returns (OK: bool ) var b: bool ; ... In the LFSC signature: ( declare index sort ) ( declare ind int → index) ( declare a ( term (arrow index Bool))) ( declare b ( term (arrow index Bool))) ( declare OK ( term (arrow index Bool))) ...

  31. LFSC encodings (cont.) Predicates and relations over copies of the same state 19 ⇝ predicates/relations over indexes • P ( s i ) P s ( i ) ⇝ • R ( s i , s j ) ⇝ R s ( i , j )

  32. LFSC encodings (cont.) Predicates and relations over copies of the same state 19 ⇝ predicates/relations over indexes • P ( s i ) P s ( i ) ⇝ • R ( s i , s j ) ⇝ R s ( i , j ) In the LFSC signature: ;; relations over indexes (used for transition relation) ( define rel int → int → formula) ;; sets over indexes (used for initial formula and properties) ( define set int → formula) ;; derivability judgment for invariance proofs ( declare invariant set → rel → set → type )

  33. LFSC encodings (cont.) Predicates and relations over copies of the same state In the LFSC proof: 19 ⇝ predicates/relations over indexes • P ( s i ) P s ( i ) ⇝ • R ( s i , s j ) ⇝ R s ( i , j ) ;; encoding of property ( define P : set ( λ i . (p_app (apply _ _ OK ( int i))))) ;; encoding of transition relation ( define T : rel ( λ i . λ j . ...))

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay

Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay

Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay & LIX, Ecole Polytechnique 23 September 2013 Can we standardize, communicate, and trust formal proofs? Joint work with Zakaria Chihani and

864 views • 37 slides
Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the Quality Checkers project happen? The quality checkers project has been jointly funded by: Northamptonshire Learning Disability Partnership

749 views • 21 slides
Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre

Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre

Long-term Storage of Forgery-Proof Certificates Patrick Roth, Omar Benkacem, Anne Ronchi, Pierre L'hostis, Rolf Brugger, Cline Restrepo Zea Long-term Storage of Forgery-Proof Certificates (WP 1.4) NTICE An exploratory study and reflections

536 views • 9 slides
The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in January. There were interviews in February. The Great Quality Checkers Paul C Paul B Tom Victor Mike Karl John Sandra Paul G Debbie Alex

368 views • 14 slides
Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael

Runtime Programmable Pipelines for Model Checkers on FPGAs Mrunal Patel, Shenghsun Cho , Michael Ferdman, Peter Milder FPGA Accelerates Model Checking Model checking ensures system correctness By exploring all states of a system Hours

814 views • 37 slides
Foundational Proof Certificates Dale Miller INRIA-Saclay & LIX, Ecole Polytechnique

Foundational Proof Certificates Dale Miller INRIA-Saclay & LIX, Ecole Polytechnique

Foundational Proof Certificates Dale Miller INRIA-Saclay & LIX, Ecole Polytechnique Palaiseau, France Joint work with Zakaria Chihani and Fabien Renaud, INRIA. See: CADE 2013, CPP 2011. APPA 2014, Vienna, 18 July 2014 The network is

514 views • 25 slides
A Logic of Proofs for Differential Dynamic Logic Toward Independently Checkable Proof Certificates

A Logic of Proofs for Differential Dynamic Logic Toward Independently Checkable Proof Certificates

A Logic of Proofs for Differential Dynamic Logic Toward Independently Checkable Proof Certificates for Differential Dynamic Logic Nathan Fulton Andr` e Platzer Carnegie Mellon University CPP16 January 19, 2016 1 Motivation Strong

383 views • 37 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/

Proof Systems and Proof Complexity Marijn J.H. Heule http://www.cs.cmu.edu/~mheule/15816-f19/ Automated Reasoning and Satisfiability, September 24, 2019 Certificates What makes a problem hard? Certificate angle: can one efficiently check an

1.11k views • 107 slides
Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di

Sequentialization targeted to Bounded Model-Checkers Salvatore La Torre Dipartimento di Informatica Universit degli Studi di Salerno Sequentialization Code-to-code translation from a multithreaded program to an equivalent

1.21k views • 58 slides
CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2.

CS 671 Automated Reasoning Proof Automation in First Order Logic 1. Tactic-based proof search 2. Complete proof search with JProver Tactic-based proof search Sort rule applications by cost of induced proof search let simple prover = Repeat (

562 views • 9 slides
Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen

Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen

Proof-of-work Certificates for High Complexity Computations for Linear Algebra Erich L. Kaltofen NCSU , DUKE UNIVERSITY google->kaltofen 2 Computations for the Cloud: RSA Challenge RSA220 =

543 views • 38 slides
Testing Planning Domains (without Model Checkers) Franco Raimondi, Charles Pecheur, Guillaume Brat

Testing Planning Domains (without Model Checkers) Franco Raimondi, Charles Pecheur, Guillaume Brat

Testing Planning Domains (without Model Checkers) Franco Raimondi, Charles Pecheur, Guillaume Brat Overview Motivational introduction Flight rules Review of MC/DC and definition of UFC with weak/strong coverage. Planning: Europa 2

594 views • 27 slides
GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification

GLMC Connecting ACL2 with Hardware Model Checkers Proving Invariants in Hardware Verification Inductive invariants are easy to prove Provable by SAT for finite state machines In ACL2, can use GL. Downsides:

596 views • 12 slides
Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan,

Finding and Understanding Bugs in Software Model Checkers Chengyu Zhang , Ting Su, Yichen Yan, Fuyuan Zhang, Geguang Pu, Zhendong Su Software Model Checking 2 Software Model Checking P 3 Software Model Checking P 4 Software

1.41k views • 114 slides
Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using

Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using

Logic-Based Systems AI Lecture Prof. Carolina Ruiz Worcester Polytechnic Institute Using Theorem Provers AS ASSISTANTS AS REASONING SYSTEMS tool for mathemathicians Proof-Checkers: to implement independent agents that

491 views • 13 slides
Lives 4/4/2019 UCSF Symposium Sukgu M Han, MD, MS Assistant Professor of Clinical Surgery

Lives 4/4/2019 UCSF Symposium Sukgu M Han, MD, MS Assistant Professor of Clinical Surgery

4/4/2019 EVAR for Ruptured AAA: This Step-by-Step Approach Will Save Lives 4/4/2019 UCSF Symposium Sukgu M Han, MD, MS Assistant Professor of Clinical Surgery Division of Vascular Sugery and Endovascular Therapy Co-director, Comprehensive

447 views • 10 slides
Obversion, Conversion & Contraposition The Three relations of equivalence Obversion Double

Obversion, Conversion & Contraposition The Three relations of equivalence Obversion Double

Three Acts of the Mind Mental Act: Verbal Expression: Simple Apprehension Term Judgment Proposition Deductive Inference Syllogism Slide 9-1 Obversion, Conversion & Contraposition The Three relations of

431 views • 10 slides
Ensuring Opportunity Campaign to End Poverty in Contra Costa County What is Ensuring

Ensuring Opportunity Campaign to End Poverty in Contra Costa County What is Ensuring

January 2019 Ensuring Opportunity Campaign to End Poverty in Contra Costa County What is Ensuring Opportunity? 2 A countywide initiative to end poverty in Contra Costa by addressing root causes Goal: Achieve equity and opportunity for

302 views • 7 slides
I ntroduction to Mobile Robotics Techniques for 3 D Mapping Wolfram Burgard 1 W hy 3 D

I ntroduction to Mobile Robotics Techniques for 3 D Mapping Wolfram Burgard 1 W hy 3 D

I ntroduction to Mobile Robotics Techniques for 3 D Mapping Wolfram Burgard 1 W hy 3 D Representations Robots live in the 3D world. 2D maps have been applied successfully for navigation tasks such as localization. Reliable

518 views • 41 slides
Contra Molinism Terms: (p) = actual world (n) = number of people who freely believe G = known by

Contra Molinism Terms: (p) = actual world (n) = number of people who freely believe G = known by

Contra Molinism Terms: (p) = actual world (n) = number of people who freely believe G = known by God O = actualizable for an omnipotent being A = actualized 1. (p) O(p) 1. If (p) is possible, then it is possible for an omnipotent

388 views • 4 slides
long live(d) economic growth peter rupert professor department of economics, ucsb director,

long live(d) economic growth peter rupert professor department of economics, ucsb director,

long live(d) economic growth peter rupert professor department of economics, ucsb director, ucsb economic forecast project beautiful granada theater may 16, 2019 roadmap for today global and national outlook the changing nature of

1.14k views • 82 slides
Real Cost Measure by Neighborhood Clusters California: 31% N=265 Low 9% Contra Costa:

Real Cost Measure by Neighborhood Clusters California: 31% N=265 Low 9% Contra Costa:

Real Cost Measure by Neighborhood Clusters California: 31% N=265 Low 9% Contra Costa: San Ramon & Danville Los Angeles: High Southeast LA City/ 80% East Vernon What it Takes a Household with 2 Adults, 1 Infant and 1

170 views • 3 slides
Fundamental butting ::i::::: Galois ness ) intermediate Chandu Eakins

Fundamental butting ::i::::: Galois ness ) intermediate Chandu Eakins

Theorem Fundamental butting ::i::::: Galois ness ) intermediate Chandu Eakins of Thur ( Equivalent ( iii ) Gal ( Elk ) A Gal ( EIF ) ( iv ) Khs Galois . is Leatherback HH et Aut ( E ) sub extensions of E

328 views • 8 slides

More recommend