Specification of Concretization and Symbolization Policies in Symbolic Execution - PowerPoint PPT Presentation


  1. Specification of Concretization and Symbolization Policies in Symbolic Execution
  Sébastien Bardin, joint work with Robin David, Josselin Feist, Laurent Mounier, Marie-Laure Potet, Thanh Dinh Ta, Jean-Yves Marion
  CEA LIST (Paris-Saclay, France)
  ISSTA 2016
  Bardin et al., ISSTA 2016, slide 1/27

  2. Preamble: Takeaway
  Dynamic Symbolic Execution (DSE): a powerful approach to verification and testing
  - three key ingredients: path predicate computation & solving, path search, concretization & symbolization policy (C/S)
  C/S is an essential part, yet mostly not studied
  - many policies (one per tool), no systematic study of C/S
  - undocumented, unclear
  - tools: often a single hardcoded policy, no reuse across tools
  Our goal: establish C/S as a proper field of study [focus first on specification]
  - CSML, a specification language for C/S
    ◮ clear, non-ambiguous [documentation]
    ◮ tool independent [reuse, sharing, tuning]
    ◮ executable [input for tools]
  - implemented in BINSEC
  - an experimental comparison of C/S policies

  3. Preamble: About formal verification
  Between Software Engineering and Theoretical Computer Science
  Goal = prove correctness in a mathematical way
  Key concepts: M ⊨ φ
  - M: semantics of the program
  - φ: property to be checked
  - ⊨: algorithmic check
  Kinds of properties: absence of runtime errors, pre/post-conditions, temporal properties

  4. Preamble: From (a logician's) dream to reality
  Industrial reality in some key areas, especially safety-critical domains: hardware, aeronautics [Airbus], railroad [Metro 14], smartcards, drivers [Windows], certified compilers [CompCert] and OS [seL4], etc.
  Ex: Airbus
  - verification of runtime errors [Astrée]
  - functional correctness [Frama-C]
  - numerical precision [Fluctuat]
  - source-binary conformance [CompCert]
  - resource usage [AbsInt]

  5-6. Preamble: Next big challenge
  Apply formal methods to less-critical software
  Very different context: no formal spec, less developer involvement, etc.
  Difficulties                                  DSE as a first step
  - robustness [w.r.t. software constructs]     very robust
  - no place for false alarms                   (mostly) no false alarms
  - scale                                       scales in some ways
  - sometimes, not even source code             ok for binary code

  7-8. DSE in a nutshell: Introducing DSE
  Dynamic Symbolic Execution [since 2004-2005: DART, CUTE, PathCrawler]
  - a very powerful formal approach to verification and testing
  - many tools and successful case studies since the mid-2000s
    ◮ SAGE, KLEE, Mayhem, etc.
    ◮ coverage-oriented testing, bug finding, exploit generation, reverse engineering
  - arguably one of the most widespread uses of formal methods
  Very good properties: mostly no false alarms, robust, scales, ok for binary code
  Key idea: path predicate [King, 1970s]
  - consider a program P on input v, and a given path σ
  - a path predicate φ_σ for σ is a formula such that v ⊨ φ_σ ⇒ P(v) follows σ
  - intuitively, the conjunction of all branching conditions
  - old idea, renewed interest recently [powerful solvers, dynamic + symbolic]

  9-10. DSE in a nutshell: DSE
  int main () {
    int x = input();
    int y = input();
    int z = 2 * y;
    if (z == x) {
      if (x > y + 10)
        failure;
    }
    success;
  }
  Symbolic execution along a path, starting from σ := ∅ and PC := ⊤:
  - x = input(); y = input(); z = 2 * y:  σ := { x → x0, y → y0, z → 2·y0 }
  - z == x:  true branch PC := ⊤ ∧ 2·y0 = x0;  false branch PC := ⊤ ∧ 2·y0 ≠ x0
  - x > y + 10:  true branch PC := ⊤ ∧ 2·y0 = x0 ∧ x0 > y0 + 10 (failure);  false branch PC := ⊤ ∧ 2·y0 = x0 ∧ x0 ≤ y0 + 10 (success)
  Given a path of the program, automatically find an input that follows the path; then iterate over all paths
  Three key ingredients: path predicate computation & solving, path search, C/S policy

  11-15. DSE in a nutshell: Path predicate computation
  Usually easy to compute [forward, introduce new logical variables at each step]
  Loc  Instruction
  0    input(y, z)
  1    w := y + 1
  2    x := w + 3
  3    if (x < 2 * z)   [True branch]
  4    if (x < z)       [False branch]
  Path predicate (inputs Y0 and Z0), built one step at a time:
    let W1 ≜ Y0 + 1 in
    let X2 ≜ W1 + 3 in
    X2 < 2 × Z0 ∧ X2 ≥ Z0

  16-22. DSE in a nutshell: Path Exploration
  input: a program P
  output: a test suite TS covering all feasible paths of Paths≤k(P)
  - pick a path σ ∈ Paths≤k(P)
  - compute a path predicate φ_σ of σ
  - solve φ_σ for satisfiability
  - SAT(s)? get a new pair <s, σ>
  - loop until no more path to cover
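The following script is an added example, not code from the slides or from BINSEC. It runs the three ingredients of the slides on the slides' own program (slides 9-10): path predicates are built forward as expression trees (the let-bound W1, X2 variables of slides 11-15 are simply inlined), path exploration (slide 16) flips each branch of a path while keeping its prefix, and the C/S ingredient of slide 2 is a hook (`cs`) applied to `z = 2 * y`. Everything else is this example's own assumption: the names `Run`, `explore`, `keep_symbolic`, `concretize`, the seed input x = y = 0, and a brute-force search over the integers in [-32, 32) standing in for an SMT solver. The `concretize` policy records `expr == value` in the predicate, one common way to keep a concretized predicate sound; the point of running both policies is that this one never reaches `failure`.

```python
from itertools import product

# Added example, not code from the slides or from BINSEC: a toy concolic executor.
# A program is a Python function over a Run; values derived from inputs are Sym
# expression trees, so every branch records its symbolic condition together with
# the direction the concrete run took, which is the slides' path predicate.

OPS = {"+": lambda a, b: a + b, "*": lambda a, b: a * b,
       "==": lambda a, b: a == b, ">": lambda a, b: a > b}

class Sym:
    """Expression tree: ('var', name) | ('const', n) | (op, left_node, right_node)."""
    __hash__ = None  # == is overloaded to build constraints, so trees are unhashable

    def __init__(self, node):
        self.node = node

    @staticmethod
    def lift(v):
        return v if isinstance(v, Sym) else Sym(("const", int(v)))

    def _bin(self, op, other):
        return Sym((op, self.node, Sym.lift(other).node))

    def __add__(self, o): return self._bin("+", o)
    def __radd__(self, o): return Sym.lift(o)._bin("+", self)
    def __mul__(self, o): return self._bin("*", o)
    def __rmul__(self, o): return Sym.lift(o)._bin("*", self)
    def __eq__(self, o): return self._bin("==", o)
    def __gt__(self, o): return self._bin(">", o)

def evaluate(node, env):
    """Concrete value of a tree under the input valuation env = {name: int}."""
    tag = node[0]
    if tag == "var": return env[node[1]]
    if tag == "const": return node[1]
    return OPS[tag](evaluate(node[1], env), evaluate(node[2], env))

def show(node):
    if node[0] in ("var", "const"): return str(node[1])
    return f"({show(node[1])} {node[0]} {show(node[2])})"

class Run:
    """One concrete execution that also collects the path predicate."""
    def __init__(self, inputs, policy):
        self.inputs, self.policy = inputs, policy
        self.pc = []  # entries: (symbolic condition, holds: bool, is_branch: bool)
    def input(self, name): return Sym(("var", name))
    def cs(self, expr): return self.policy(self, expr)  # the C/S policy hook
    def branch(self, cond):
        taken = bool(evaluate(cond.node, self.inputs))
        self.pc.append((cond, taken, True))
        return taken

def path_predicate(run):
    return " ∧ ".join(show(c.node) if h else "¬" + show(c.node) for c, h, _ in run.pc)

# Two C/S policies (assumed names). Concretization swaps a symbolic value for its
# run-time value; recording expr == value keeps the predicate sound but narrows it.
def keep_symbolic(run, expr):
    return expr

def concretize(run, expr):
    v = evaluate(expr.node, run.inputs)
    run.pc.append((expr == v, True, False))
    return Sym(("const", v))

def solve(constraints, names, domain):
    """Stand-in for an SMT solver: exhaustive search over a small integer domain."""
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(bool(evaluate(c.node, env)) == h for c, h, _ in constraints):
            return env
    return None

def explore(program, names, policy=keep_symbolic, domain=range(-32, 32)):
    """Path exploration: run a test, then flip each branch of its path (prefix kept)."""
    worklist, seen, tests = [{n: 0 for n in names}], set(), []
    while worklist:
        run = Run(worklist.pop(), policy)
        outcome = program(run)
        path = tuple(h for _, h, is_br in run.pc if is_br)
        if path in seen:
            continue
        seen.add(path)
        tests.append((run.inputs, outcome, path_predicate(run)))
        for k, (cond, h, is_br) in enumerate(run.pc):
            if is_br:
                new = solve(run.pc[:k] + [(cond, not h, True)], names, domain)
                if new is not None:
                    worklist.append(new)
    return tests

def example_program(m):
    """The slides' program: failure needs z == x (so x = 2y) and x > y + 10."""
    x, y = m.input("x"), m.input("y")
    z = m.cs(2 * y)
    if m.branch(z == x):
        if m.branch(x > y + 10):
            return "failure"
    return "success"
```

Calling `explore(example_program, ["x", "y"])` yields three tests, one per feasible path, including an input such as x = 22, y = 11 that reaches `failure`; `explore(example_program, ["x", "y"], concretize)` yields only two, both `success`, because once `z` is pinned to the run-time value 0 the added constraint `2 * y == 0` makes the failure branch unsatisfiable. That is the completeness loss a hardcoded concretization policy silently introduces, and the reason the slides argue for making the policy explicit and tunable.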
