1
SMT, Strings, Security
Philipp Rümmer, Uppsala University
SAT/SMT/AR, July 6th, 2018
2
Plan
String constraints by example
A word equation primer
Decidable fragments of string constraints
3
Strings in Verification
4
Strings in verification
ASCII, Unicode
Regular expression assertion
Word/string concatenation
Loop invariant combining word equations, regex constraints, length constraints
Substring constraint (or a regex)
Presburger length constraint
→ Need a solver that supports all those operators!
13
Alphabets
All constraints are formulated w.r.t. some fixed finite alphabet
(e.g., 8-bit ASCII, or e.g., UTF-32)
14
Semantics and notation
Finite sequences of letters
Empty word
Concatenation
Equations
Language/regex membership
Word length
15
LARGE Alphabets
Naive use of finite-state automata quickly becomes impossible
Concrete letters as transition guards → far too many transitions are needed to express interesting languages
Symbolic handling of letters is necessary
Sometimes complex string conversion functions are necessary, e.g. UTF-8 ↔ UTF-32
16
Injection attacks
xkcd.com
17
What is happening here?
Possible SQL command in a program:
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
Command with input substituted:
INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');
Problem: the input string ends the quotation! The command embedded in the user input is executed.
Since no sanitisation is applied, the program is vulnerable to SQL injection attacks!
21
How can this be detected?
Program code. Input: user-controlled strings. Output: SQL commands.
Specification of the admissible output: a regex or a CFG.
24
What is happening here?
Possible SQL command in a program:
database.execute( "INSERT INTO students (name) VALUES ('" + name + "');");
However, this case could more easily be found with techniques like taint tracking.
But what if sanitisation were actually applied?
25
A subtle XSS vulnerability
JavaScript embedded in a web page:
var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x); catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
cat is the input string. HTML escape (e.g., & → &amp;, ' → &#39;). JavaScript escape: ' → \'. Implicit HTML unescape of the onclick attribute (e.g., &amp; → &).
29
An XSS vulnerability (2)
One possible attack: choose cat to be ');alert(1);//
The generated HTML string is then:
<button onclick="createCatList('&#39;);alert(1);//')">&#39;);alert(1);//</button>
The onclick attribute will be unescaped to
createCatList('');alert(1);//')
Vulnerability since the escape functions are applied in the wrong order.
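The pipeline of the slide as runnable code, added here as an example (not the talk's code, and not the Closure Library's own implementations): htmlEscape and jsEscape only approximate goog.string.htmlEscape and goog.string.escapeString for the characters that matter, htmlUnescape models the browser's attribute decoding, and handlerIsSafe is the kind of output-language check a string solver would be asked to decide.

```javascript
// Added example: model of the escaping pipeline on the slide.
const htmlEscape = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// Approximation of goog.string.escapeString for the characters used here.
const jsEscape = (s) => s.replace(/[\\'"\n\r]/g, (c) =>
  ({ '\\': '\\\\', "'": "\\'", '"': '\\"', '\n': '\\n', '\r': '\\r' })[c]);

// What the browser does to an attribute value before the JS engine sees it.
const htmlUnescape = (s) => s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) =>
  ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[e]);

// The order on the slide: HTML-escape first, then JavaScript-escape the result.
// The JS escape never sees the quote, because it already became &#39;.
function vulnerableOnclick(cat) {
  const x = htmlEscape(cat);
  const y = jsEscape(x);
  return `createCatList('${y}')`;   // raw value of the onclick attribute
}

// Corrected order: escape for the innermost context (the JS string literal)
// first, then for the outer one (the HTML attribute). Attribute unescaping
// then restores exactly the JS-escaped text, quote still escaped.
function fixedOnclick(cat) {
  const y = htmlEscape(jsEscape(cat));
  return `createCatList('${y}')`;
}

// The full innerHTML string of the slide, parameterised by the onclick builder.
function renderButton(cat, onclickOf) {
  return '<button onclick="' + onclickOf(cat) + '">' + htmlEscape(cat) + '</button>';
}

// Output-language check in the spirit of the talk: after attribute unescaping,
// the handler must be exactly one call whose only argument is a JS string
// literal (a regular language, so a solver could check membership).
const ONE_LITERAL_CALL = /^createCatList\('((?:[^'\\]|\\[\s\S])*)'\)$/;
function handlerIsSafe(attrValue) {
  return ONE_LITERAL_CALL.test(htmlUnescape(attrValue));
}
```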
32
Cross-site scripting
http://blog.aboutme.vn/choi-xss-tai-knock-xss-moe/
33
Solvers for escape ops?
We need transducers!
→ Automata with multiple tracks
toUpperCase: a/A b/B c/C ...
htmlEscape: </&lt; >/&gt; &/&amp; ...
replaceAll: ...
Do not preserve length ...
38
Other operations
String reversal
Context-free grammars
String-to-number conversions
Replace-all with symbolic arguments
...
39
Solving String Constraints
40
Bit of Solver History
Bounded-length solvers: bit-vector-based (Hampi, Kaluza), CP-based (Gecode)
Automata-based tools: Stranger, TRAU
SMT/DPLL/CDCL-based methods: Z3-str/2/3, CVC4, S3/p, Norn, Sloth
(+ much theoretic work)
41
Solving Word Equations
What are the solutions of these equations?
42
Nielsen's transformation
(also called Levi's lemma)
Theorem
44
Nielsen's transformation
As a tableau rule
46
In the example
47
How about this one?
Cycle!
50
What can be done?
Ignore cycles and hope for the best!
Identify fragments for which NT is guaranteed to terminate: acyclic; straight-line
Improve NT and add termination criteria: Makanin's method; simpler algorithms for quadratic equations
51
Quadratic word equations
E.g. consider satisfiability of a single quadratic equation
Definition: A word equation is quadratic if each variable occurs at most twice in the equation.
52
Nielsen's transformation
Quadratic = simpler?
Number of variable occurrences cannot increase!
54
A decision procedure
Modified Nielsen rule
Further rules
56
Example
57
Even more rules
One-sided Nielsen rule
58
Decision procedure?
Soundness
- If the root is satisfiable, at least one branch cannot be closed
Completeness
- If the root is unsat, a closed proof exists
- Follows from termination
- Open branches → satisfying assignments
Termination
- # of variable occurrences does not increase
- Up to renaming of variables, only finitely many different equations exist
59
Soundness argument
Label equations in the proof with:
- one label if the equation is unsat
- a pair if the equation is sat: the number of its variable occurrences, and a length measure of the shortest solution
Order pairs lexicographically
Lemma: In each application of the Nielsen rule, if the parent is labelled with a pair, then at least one child has a smaller label.
Decreasing labels → branch cannot be closed!
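The decision procedure of slides 50 to 60 as an added example (not code from the talk): Nielsen's transformation run as a depth-first tableau search over quadratic word equations, where the convention that lowercase letters are constants and uppercase letters are variables is an assumption of this example. Because a Nielsen step never increases the number of symbols of a quadratic equation, a visited set of equations is enough to detect cycles and make the search terminate.

```python
"""Nielsen's transformation as a terminating tableau search for quadratic
word equations (added example, not code from the talk).  Convention of this
example: lowercase letters are constants, uppercase letters are variables."""


def is_var(c):
    return c.isupper()


def is_quadratic(lhs, rhs):
    eq = lhs + rhs
    return all(eq.count(c) <= 2 for c in eq if is_var(c))


def cancel_prefix(lhs, rhs):
    """Strip the common prefix; None if two different letters meet (closed branch)."""
    while lhs and rhs and lhs[0] == rhs[0]:
        lhs, rhs = lhs[1:], rhs[1:]
    if lhs and rhs and not is_var(lhs[0]) and not is_var(rhs[0]):
        return None
    return lhs, rhs


def nielsen_children(lhs, rhs):
    """The Nielsen rule (the tableau rule of the slides): for leading symbols
    x, y of x.U = y.V, yield (variable, replacement, new_lhs, new_rhs) for the
    cases x = empty and x = y.x, and symmetrically for y when it is a variable."""
    for var, other in ((lhs[0], rhs[0]), (rhs[0], lhs[0])):
        if is_var(var):
            for word in ("", other + var):
                yield var, word, lhs.replace(var, word), rhs.replace(var, word)


def solve(lhs, rhs):
    """Return a solution {variable: word over letters}, or None if unsat."""
    if not is_quadratic(lhs, rhs):
        raise ValueError("only quadratic equations are guaranteed to terminate")
    visited = set()

    def letters_only(sol):
        # Variables still open at a trivially true leaf are set to the empty word.
        return {v: "".join(c for c in w if not is_var(c)) for v, w in sol.items()}

    def search(l, r, sol):
        pair = cancel_prefix(l, r)
        if pair is None:
            return None
        l, r = pair
        if not l or not r:                      # one side is empty
            if any(not is_var(c) for c in l + r):
                return None                     # a letter can never be empty
            return letters_only(sol)
        if (l, r) in visited:                   # cycle, or subtree already closed
            return None
        visited.add((l, r))
        for var, word, nl, nr in nielsen_children(l, r):
            # Compose the step with the substitution accumulated on this branch.
            found = search(nl, nr, {v: w.replace(var, word) for v, w in sol.items()})
            if found is not None:
                return found
        return None

    variables = {c for c in lhs + rhs if is_var(c)}
    return search(lhs, rhs, {v: v for v in variables})


def substitute(word, sol):
    return "".join(sol.get(c, c) for c in word)


def check(lhs, rhs, sol):
    """Independent check that a returned assignment really solves the equation."""
    return substitute(lhs, sol) == substitute(rhs, sol)
```

The equation XaY = YbX is the kind of instance where every branch runs into a cycle or a letter clash, so the visited set is what lets the search answer unsat.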
61
Combinations ...
Quadratic equations + regex constraints: ✓
Quadratic equations + length constraints: ?
Quadratic equations + regex constraints + length constraints: ?
Equations + transduction: undecidable
72
The Norn fragment
- 1. Boolean structure
- 2. Acyclic (linear) word equations
- 3. Regex memberships
- 4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Lukás Holík, Ahmed Rezine, Philipp Rümmer, Jari Stenman: String Constraints for Verification. CAV 2014
(a decidable fragment)
The numbering is the order in which the procedure handles the operators.
75
Examples
76
- 1. Boolean structure
Use standard DPLL/CDCL → Easy. Just consider conjunctions of literals.
But we need to handle negation!
Negated word equations: ? (see 1b)
Negated regex constraints: ✓
Negated length constraints: ✓
78
- 1b. Negative word eqs.
Lemma
Can be reduced to positive equations
Large alphabets → a, b need to be handled symbolically in practice
Theorem: Any Boolean combination of word equations can be reduced to a single word equation with the same set of solutions (when projected to the original set of variables).
81
- 2. Acyclic word equations
Reduce to solved form by systematic application of Nielsen's transformation: ( do not occur in )
After that, eliminate equations by inlining!
82
- 3. Regular expressions
Membership tests with concatenation can be split
Tests with the same left-hand side can be merged
Disjunction over states of the automaton representing
84
- 4. Length constraints
Compute the length abstraction of each regex constraint
Conjoin length abstractions with the other length constraints and check satisfiability
A Presburger formula that can be extracted in linear time from
86
- 5. Optimisations ...
E.g., exploit length information when splitting equations or regexes (still too slow ...)
87
Adding Transducers ...
88
- 3. Regular expressions
Membership tests with concatenation can be split
Tests with the same left-hand side can be merged
Does not work any more with transducers!
90
The Sloth fragments
- 1. Boolean structure (no negation)
- 2. Straight-line word equations
- 3. n-track transducer constraints
Lukás Holík, Petr Janku, Anthony W. Lin, Philipp Rümmer, Tomás Vojnar: String constraints with concatenation and transducers solved efficiently. PACMPL 2(POPL): 4:1-4:32 (2018)
→ also decidable!
92
Transducers
Definition: An n-track transducer is a finite-state automaton over the alphabet
An n-track transducer defines an n-ary rational relation.
95
HTML Escaping
96
Undecidability
Proposition/Folklore: String constraints with rational relations are undecidable.
Post correspondence problem: Given word pairs, is there an index sequence with
98
Fragments: acyclic formulas
Positive Boolean combination of rational relations applied to distinct variables
In every , and share at most one variable
PSPACE-complete
[Barcelo, Figueira, and Libkin'13]
99
Straight-line fragment SL
Conjunction of equations sorted by dependency:
All pairwise distinct
Each may only occur in
Each is a concatenation, or (interpreted as )
Regex constraints
100
SL example
JavaScript embedded in a web page:
var x = goog.string.htmlEscape(cat); var y = goog.string.escapeString(x); catElem.innerHTML = '<button onclick="createCatList(\'' + y + '\')">' + x + '</button>';
106
Decision procedure for SL
SL → Acyclic: splitting concat, linear blow-up for each split
Acyclic → Boolean transition system
Boolean transition system → Hardware model checker (PSPACE!)
110
Decidability for acyclic f.
(Product automaton)
Consistency = Non-emptiness
But how to do this in PSPACE?
Alternating Finite Automata
(figure: example AFA P with states q1 ... q6 and transitions on a)
An AFA P has
◮ Q – a set of states,
◮ ∆ – a set of transitions, for example ∆(q4) = a ∧ (q5 ∨ q6), ∆(q1) = a ∧ q2 ∧ q3,
◮ I – a positive Boolean formula over states,
◮ F – a negative Boolean formula over states.
The main advantage compared to NFA is that AFA/AFT can easily encode concatenation and all Boolean operations on formulae.
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 11 / 22
AND between Two AFTs
R1(name, x) ∧ R2(x, y) → R12(name, x, y)
(figure: the transitions c/a, a/d, a/b, b/c, d/c, c/b of R1 and R2 become the three-track transitions c/a/?, ?/a/d, a/b/?, ?/b/c, d/c/?, ?/c/b of R12)
QR12 = QR1 ∪ QR2, IR12 = IR1 ∧ IR2, FR12 = FR1 ∧ FR2, ∆R12 = ∆R1 ∪ ∆R2
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 14 / 22
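The AFA definition and the AND construction above as an added example (not code from the talk or the paper): single-track AFAs instead of transducers, with the transition relation encoded as a disjunction of sets of successor states, and the conjunction built exactly as on the slide by taking the union of states and transitions and conjoining the initial and final formulae. The sample automata are constructed for this example.

```python
"""Alternating finite automata with a configuration-based acceptance check
and the conjunction of the "AND between two AFTs" slide.  Added example; it
uses single-track AFAs rather than AFTs, the construction is the same.
D(q4) = a /\ (q5 \/ q6) is written {'q4': {'a': [{'q5'}, {'q6'}]}} and
D(q1) = a /\ q2 /\ q3 is written {'q1': {'a': [{'q2', 'q3'}]}}."""


class AFA:
    def __init__(self, delta, initial, final):
        self.delta = delta                 # state -> letter -> [successor sets]
        self.initial = frozenset(initial)  # I: the conjunction of these states
        self.final = frozenset(final)      # F: only these states may remain

    def successors(self, config, letter):
        """Configurations reachable from `config` on `letter`: every state of
        the configuration must move, each choosing one of its disjuncts."""
        configs = [frozenset()]
        for q in config:
            choices = self.delta.get(q, {}).get(letter, [])
            if not choices:
                return []                  # a state is stuck: the run dies
            configs = [c | frozenset(ch) for c in configs for ch in choices]
        return configs

    def accepts(self, word):
        frontier = {self.initial}
        for letter in word:
            frontier = {s for c in frontier for s in self.successors(c, letter)}
            if not frontier:
                return False
        # F as a negative formula: no non-final state may be left in the configuration.
        return any(c <= self.final for c in frontier)


def conjoin(a, b):
    """R1 /\ R2 as on the slide: union of states and transitions, conjunction
    of the initial and of the final formulae.  State names must be disjoint."""
    assert not (set(a.delta) & set(b.delta)), "state names must be disjoint"
    return AFA({**a.delta, **b.delta}, a.initial | b.initial, a.final | b.final)


# Constructed sample: from q1 the AFA demands a, then b* (via q2) AND (bb)* (via q3, q7).
DELTA_1 = {
    "q1": {"a": [{"q2", "q3"}]},
    "q2": {"b": [{"q2"}]},
    "q3": {"b": [{"q7"}]},
    "q7": {"b": [{"q3"}]},
}
# From q4 the AFA demands a, then EITHER b* (via q5) OR c* (via q6).
DELTA_2 = {
    "q4": {"a": [{"q5"}, {"q6"}]},
    "q5": {"b": [{"q5"}]},
    "q6": {"c": [{"q6"}]},
}
P1 = AFA(DELTA_1, {"q1"}, {"q2", "q3"})   # language a(bb)*
P2 = AFA(DELTA_2, {"q4"}, {"q5", "q6"})   # language a(b* | c*)
P12 = conjoin(P1, P2)                     # language a(bb)*, no product construction
```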
AFT → BTS
(figure: AFT with states q1, q2, q3 and a transition on a)
Variables of the Boolean transition system (BTS) = states of the automaton (AFT): q1, q2, q3.
The initial and final formulae of the BTS = initial and final formulae of the AFT: I = q1, F = q2 ∧ q3.
The transition function of the BTS = conjunction of formulae derived from the individual transitions of the AFT: Trans = ∃ symb : q1 → symb = a ∧ q2′ ∧ q3′.
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 20 / 22
Eliminating Equations by Substitutions
ϕ ::= R12(name, x, y) ∧ z = w1 ◦ y ◦ w2 ◦ x ◦ w3 ∧ R3(z, innerHtml) ∧ P(innerHtml)
becomes
ϕ ::= R12(name, x, y) ∧ R3(w1 ◦ y ◦ w2 ◦ x ◦ w3, innerHtml) ∧ P(innerHtml)
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 16 / 22
SL → AFT
The translation into an AFT will be carried out in the following steps:
1. A translation of conjunctions to AFTs.
2. A translation of concatenations to AFTs:
2.1 Eliminating equations by substitutions.
2.2 Handling rational relations with concatenations in arguments.
ϕ ::= R12(name, x, y) ∧ R3(w1 ◦ y ◦ w2 ◦ x ◦ w3, innerHtml) ∧ P(innerHtml)
(AFT R12, AFT R3, AFT P)
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 17 / 22
Splitting of Arguments
(figure: run of the AFT R over the tracks x, y and z, with z split into z1 and z2 at a configuration C)
Consider ϕ ::= R(x ◦ y, z) ∧ ψ. We need to split z into two parts: z = z1 ◦ z2 where z1 and z2 are fresh variables.
ϕ ::= RCF(x, z1) ∧ RCI(y, z2) ∧ ψ[z/z1 ◦ z2].
A simple variant:
◮ One conjunction for every configuration (set of states) C where a run may be split.
◮ Exponential (2^|Q|) for general AFTs.
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 18 / 22
Splitting of Arguments
Given a formula ϕ ::= R(x ◦ y, z) ∧ ψ.
R is split into two AFTs: R(x, z1) and R(y, z2).
Guess the initial configuration of R(y, z2) nondeterministically.
◮ Remember the configuration by using additional states.
Check whether the final states of R(x, z1) correspond to the initial states of R(y, z2). The result is R′(x, y, z1, z2).
P. Janků et al., String Constraints with Concatenation and Transducers Solved Efficiently, slide 19 / 22
115
Decision procedure for SL
SL → Acyclic: splitting concat, linear blow-up for each split
Acyclic → Boolean transition system
Boolean transition system → Model checker (nuXmv, ABC)
116
The TRAU fragment
- 1. General word-equations
- 2. General transducers
- 3. Context-free grammars
- 4. Length constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine, Philipp Rümmer: Flatten and conquer, a framework for efficient analysis of string constraints. PLDI 2017: 602-617
→ undecidable!
118
Overview of TRAU ...
119
Are we there yet?
Expressiveness
Efficiency
Precision/guarantees
120
Joint work with ...
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukás Holík, Petr Janků, Anthony W. Lin, Ahmed Rezine, Jari Stenman, Tomás Vojnar and others