SMT@Microsoft, AFM 2007, Leonardo de Moura and Nikolaj Bjørner



  1. SMT@Microsoft AFM 2007 Leonardo de Moura and Nikolaj Bjørner { leonardo, nbjorner } @microsoft.com. Microsoft Research SMT@Microsoft – p.1/36

  2. Introduction. Industry tools rely on powerful verification engines: Boolean satisfiability (SAT) solvers; binary decision diagrams (BDDs). Satisfiability Modulo Theories (SMT): the next generation of verification engines. SAT solvers + theories (arithmetic, arrays, uninterpreted functions). Some problems are more naturally expressed in SMT. More automation.

  3. Example: x + 2 = y ⇒ f(read(write(a, x, 3), y − 2)) = f(y − x + 1)
     Theory: Arithmetic (x + 2 = y, y − 2, y − x + 1).
     Theory: Arrays (read, write). Usually used to model the memory/heap. read: array access. write: array update.
     Theory: Free functions (f). Useful for abstracting complex operations.
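The slide-3 formula as an SMT-LIB 2 script, added here as an example; it is not from the slides or from the Z3 distribution. It checks validity the way a solver does: assert the negation of the implication and expect the solver to report that no model exists. The logic name, the variable names and the choice of Int for indices, array contents and the codomain of f are assumptions; the slide fixes none of them.

```smt2
; Added example (not from the slides): validity of the slide-3 formula by refutation.
; Assumption: integers for x, y, the array contents and the result of f.
(set-logic QF_AUFLIA)   ; quantifier-free arrays, uninterpreted functions, linear Int arithmetic

(declare-const x Int)
(declare-const y Int)
(declare-const a (Array Int Int))   ; theory of arrays: models memory/heap
(declare-fun f (Int) Int)           ; free (uninterpreted) function: abstracts a complex operation

; The implication is valid iff (antecedent AND NOT consequent) has no model.
(assert (= (+ x 2) y))                               ; antecedent, theory: arithmetic
(assert (not (= (f (select (store a x 3) (- y 2)))    ; negated consequent
               (f (+ (- y x) 1)))))                   ; select/store = read/write on the slide

(check-sat)
```

Expected result: unsat, i.e. the implication is valid. Arithmetic turns x + 2 = y into y − 2 = x, so the select reads back the cell the store just wrote (3); arithmetic also gives y − x + 1 = 3; both sides are then f(3) and the free-function theory cannot make them differ. To see that the array theory is doing work, replace `(store a x 3)` by `a`: the read becomes an unconstrained cell and the script reports sat.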

  7. SMT@Microsoft: Solver. Z3 is a new SMT solver developed at Microsoft Research. Development/research driven by internal customers. Textual input & APIs (C/C++, .NET, OCaml). Free for non-commercial use. http://research.microsoft.com/projects/z3

  8. SMT@Microsoft: Applications. Test-case generation: Pex, SAGE, and Vigilante. Verifying compiler: Spec#/Boogie, HAVOC, and VCC. Model checking & predicate abstraction: SLAM/SDV and Yogi. Bounded model checking (BMC): AsmL model checker. Other: invariant generation, crypto, etc.

  9. Roadmap: Test-case generation. Verifying compiler. Model checking & predicate abstraction. Future.

  10. Test-case generation. Test (correctness + usability) is 95% of the deal: Dev/Test is 1-1 in products. Developers are responsible for unit tests. Tools: annotations and static analysis (SAL, ESP); file fuzzing; unit test case generation.

  11. Security is Critical. Security bugs can be very expensive: cost of each MS Security Bulletin: $600K to $Millions. Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions. The real victim is the customer. Most security exploits are initiated via files or packets: e.g. Internet Explorer parses dozens of file formats. Security testing: hunting for million-dollar bugs. Write A/V (write access violation, always exploitable), Read A/V (read access violation, sometimes exploitable), NULL-pointer dereference, division-by-zero (harder to exploit but still a DoS attack), ...

  12. Hunting for Security Bugs. Two main techniques used by "black hats": code inspection (of binaries); black box fuzz testing. Black box fuzz testing: a form of black box random testing. Randomly fuzz (= modify) a well-formed input. Grammar-based fuzzing: rules to encode how to fuzz. Heavily used in security testing; at MS: several internal tools. Conceptually simple yet effective in practice: has been instrumental in weeding out 1000s of bugs during development and test.

  13. Automatic Code-Driven Test Generation. Given a program with a set of input parameters, generate inputs that maximize code coverage.
     Example: Input x, y; z = x + y; If z > x − y Then Return z Else Error
     Then branch: solve z = x + y ∧ z > x − y ⇒ x = 1, y = 1
     Else branch: solve z = x + y ∧ ¬(z > x − y) ⇒ x = 1, y = −1

  19. Method: Dynamic Test Generation. Run program with random inputs. Collect constraints on inputs. Use SMT solver to generate new inputs. Repeat while finding new execution paths. Combination with randomization: DART (Godefroid-Klarlund-Sen-05).

  21. DARTish projects at Microsoft. SAGE (CSE) implements DART for x86 binaries and merges it with "fuzz" testing for finding security bugs. PEX (MSR-Redmond FSE Group) implements DART for .NET binaries in conjunction with "parameterized unit tests" for unit testing of .NET programs. YOGI (MSR-India) implements DART to check the feasibility of program paths generated statically using a SLAM-like tool. Vigilante (MSR Cambridge) partially implements DART to dynamically generate worm filters.

  22. Initial Experiences with SAGE. 25+ security bugs and counting (most missed by blackbox fuzzers). OS component X: 4 new bugs; "This was an area that we heavily fuzz tested in Vista". OS component Y: arithmetic/stack overflow in y.dll. Media format A: arithmetic overflow; DoS crash in previously patched component. Media formats B & C: hard-to-reproduce uninitialized-variable bug.

  23. Pex. Pex monitors the execution of a .NET application using the CLR profiling API. Pex dynamically checks for violations of programming rules, e.g. resource leaks. Pex suggests code snippets to the user which will prevent the same failure from happening again. Very instrumental in exposing bugs in .NET libraries.

  24. Test-case generation & SMT
     Formulas are usually a big conjunction. Pre-processing step: eliminate variables and simplify the input formula. Significant performance impact.
     Incremental: solve several similar formulas. New constraints can be asserted. push and pop: (user) backtracking. Reuse (some) lemmas.
     "Small models". Given a set of constraints C, find a model M that minimizes the value of the variables x_0, …, x_n.
     Eager (cheap) solution: Assert C. While satisfiable: pick x_i such that M[x_i] is big; assert x_i < c, where c is a small constant. Return the last found model.
     Refinement: the eager solution stops as soon as the context becomes unsatisfiable. A "bad" choice (pick x_i) may prevent us from finding a good solution. Use push and pop to retract "bad" choices.
     Arithmetic × Machine Arithmetic. Precision × Performance. SAGE has flags to abstract expensive operations.
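One incremental solver session that covers the branch queries of slides 14–18, the DART loop of slides 19–20 and the push/pop, small-model and machine-arithmetic points of slides 24–30. It is an added SMT-LIB 2 example, not code from the slides, from SAGE or from Z3. The constraints are the path conditions of the two-branch program on slide 14; the 32-bit width, the bound constant 10, the `b`-prefixed names for the machine-arithmetic copies and the use of `(set-logic ALL)` (which Z3 accepts) are assumptions.

```smt2
; Added example (not from the slides): incremental test generation for
;   Input x, y;  z = x + y;  If z > x - y Then Return z Else Error
; Assumptions: Int models the ideal arithmetic of the slide; (_ BitVec 32)
; models the machine arithmetic SAGE sees in an x86 binary.
(set-logic ALL)

(declare-const x Int)
(declare-const y Int)
(declare-const z Int)
(assert (= z (+ x y)))              ; constraint collected from the assignment

; --- DART iteration 1: the path the random first run took (Then branch).
(push 1)
(assert (> z (- x y)))              ; branch condition as observed; forces y > 0
(check-sat)
(get-value (x y))                   ; any model here drives the Then branch
(pop 1)                             ; retract the branch condition, keep z = x + y

; --- DART iteration 2: flip the last branch condition to reach Error.
(push 1)
(assert (not (> z (- x y))))        ; Else branch; forces y <= 0
(check-sat)
(get-value (x y))                   ; any model here drives the Else branch

; "Small models": tighten the values while the context stays satisfiable.
(push 1)
(assert (< x 10))
(assert (< y 10))
(check-sat)                         ; bounds are compatible with the path: keep them
(push 1)
(assert (> y 0))                    ; a "bad" choice: contradicts the Else path
(check-sat)                         ; context is now unsatisfiable
(pop 1)                             ; retract only the bad choice instead of giving up
(check-sat)
(get-value (x y z))                 ; model under the surviving bounds
(pop 1)
(pop 1)

; --- Arithmetic vs. machine arithmetic: the Else path with 32-bit wraparound.
(declare-const bx (_ BitVec 32))
(declare-const by (_ BitVec 32))
(declare-const bz (_ BitVec 32))
(assert (= bz (bvadd bx by)))
(assert (not (bvsgt bz (bvsub bx by))))   ; Else branch, signed comparison
(assert (bvsgt by #x00000000))            ; y > 0, which the Int model above rules out
(check-sat)
(get-value (bx by bz))
```

Expected results: the first two `check-sat` calls are sat (the slide's x = 1, y = 1 and x = 1, y = −1 are valid answers; any model with y > 0, respectively y ≤ 0, works); the check after `(assert (> y 0))` is unsat, because the Else path already forces y ≤ 0, and the `pop` recovers a sat context with x, y < 10. The final bitvector query is sat: with bx = #x7fffffff and by = #x00000001 the addition wraps to #x80000000, which compares below bx − by as a signed value, so the Error branch is reached with a positive y. Over Int the same combination is unsat, which is the precision side of the trade-off on slide 30: an Int abstraction of a 32-bit add never produces the overflowing input, while the bitvector encoding costs more to solve, which is why SAGE exposes flags to abstract expensive operations.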

  31. Roadmap: Test-case generation. Verifying compiler. Model checking & predicate abstraction. Future.

  32. The Verifying Compiler. "A verifying compiler uses automated reasoning to check the correctness of a program that it compiles. Correctness is specified by types, assertions, . . . and other redundant annotations that accompany the program." Hoare 2004
