stefan heule eric schkufza rahul sharma alex aiken
play

Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa - PowerPoint PPT Presentation

Oct 29, 2022 β€’308 likes β€’799 views

Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016 Symbolic Execution Automatically Program Reason about Verification Programs Program Equivalence 2 Automatically reasoning about

  1. Stefan Heule, Eric Schkufza, Rahul Sharma, Alex Aiken PLDI, Santa Barbara, June 16, 2016

  2. Symbolic Execution Automatically Program 𝜚 ≑ Reason about Verification Programs Program ≑ Equivalence … 2

  3. Automatically reasoning about programs requires 3

  4. testq %rdi , %rdi je .L1 xorq %rax , %rax .L0: movq %rdi , %rdx andq $0x1, %rdx addq %rdx , %rax shrq $0x1, %rdi jne .L0 cltq retq .L1: xorq %rax , %rax retq 4

  5. 64-bit bit-vector addition rax ← rax + 64 1 64 addq $0x1, %rax 64-bit constant previous value of rax 5

  6. rax ← rax + 64 1 64 addq $0x1, %rax al ← al + 8 1 8 addb $0x1, %al 6

  7. rax ← rax + 64 1 64 addq $0x1, %rax al ← al + 8 1 8 addb $0x1, %al rax 64 bits eax 32 bits ax 16 bits ah al 8 bits 8 bits 7

  8. rax ← rax + 64 1 64 addq $0x1, %rax al ← al + 8 1 8 addb $0x1, %al rax ← rax 63: 8 ∘ rax 7: 0 + 8 1 8 rax 64 bits eax 32 bits ax 16 bits ah al 8 bits 8 bits 8

  9. rax ← rax + 64 1 64 addq $0x1, %rax rax ← rax 63: 8 ∘ rax 7: 0 + 8 1 8 addb $0x1, %al rax ← rax 63: 16 ∘ rax 15: 0 + 16 1 16 addw $0x1, %ax rax ← rax[63: 32] ∘ (rax[31: 0] + 32 1 32 ) addl $0x1, %eax 9

  10. rax ← rax + 64 1 64 addq $0x1, %rax rax ← rax 63: 8 ∘ rax 7: 0 + 8 1 8 addb $0x1, %al rax ← rax 63: 16 ∘ rax 15: 0 + 16 1 16 addw $0x1, %ax rax ← 0 32 ∘ (rax[31: 0] + 32 1 32 ) addl $0x1, %eax 10

  11. rax ← rax + 64 1 64 addq $0x1, %rax rax ← rax 63: 8 ∘ rax 7: 0 + 8 1 8 addb $0x1, %al rax ← rax 63: 16 ∘ rax 15: 0 + 16 1 16 addw $0x1, %ax rax ← 0 32 ∘ (rax[31: 0] + 32 1 32 ) addl $0x1, %eax zf ← 0 32 = (eax + 32 1 32 ) cf ← 0 1 ∘ eax + 33 1 33 [32,32] sf ← eax + 32 1 32 [31,31] of ← Β¬eax 31,31 ∧ (eax + 32 1 32 )[31,31] pf ← (eax + 32 1 32 )[0,0] βŠ• (eax + 32 1 32 )[1,1] βŠ• (eax + 32 1 32 )[2,2] βŠ• (eax + 32 1 32 )[3,3] βŠ• (eax + 32 1 32 )[4,4] βŠ• (eax + 32 1 32 )[5,5] βŠ• (eax + 32 1 32 )[6,6] βŠ• (eax + 32 1 32 )[7,7] 11

  12. β€’ Manual partial specifications – CompCert [CACM’09] , BAP [CAV’11] , BitBlaze [ICISS’08] , Codesurfer/x86 [ETAPS’05] , McVeto [CAV’10] , STOKE [ASPLOS’13] , Jakstab [CAV’08] , many others β€’ Taly/Godefroid [PLDI’12] – Automatically synthesize specification from templates – Only 534 instructions 13

  13. Bit-vector formulas of input-output behavior 14

  14. All instructions Remaining Instructions Base set Learn specification automatically Specify manually 15

  15. combine base Program π‘ž Instruction 𝑗 formulas synthesize Formula 𝜚 How do we Formal synthesize guarantee? 𝑗 ≑ 𝜚 programs? 16

  16. combine base Program π‘ž Instruction 𝑗 formulas synthesize Formula 𝜚 Randomized search How do we Guided by cost function synthesize Based on test-cases programs? Using STOKE [ASPLOS’13] 17

  17. combine base Program π‘ž Instruction 𝑗 formulas synthesize Formula 𝜚 Formal π‘ž ≑ 𝜚 guarantee? 𝑗 ≑ 𝜚 18

  18. combine base Program π‘ž Instruction 𝑗 formulas synthesize Formula 𝜚 Formal 𝑗 ≑ π‘ž ≑ 𝜚 guarantee? 𝑗 ≑ 𝜚 19

  19. combine base Program π‘ž Instruction 𝑗 formulas synthesize Candidate formula 𝜚 Formal 𝑗 ≑ π‘ž ≑ 𝜚 guarantee? 𝑗 ≑ 𝜚 20

  20. combine base Program π‘ž Instruction 𝑗 formulas synthesize Candidate formula 𝜚 Candidate Program π‘žβ€² formula πœšβ€² Candidate … formula πœšβ€²β€² yes βœ” increase confidence ? πœšβ€² 𝜚 ֞ Add counter example, remove wrong program(s) no 21

  21. Increase confidence Remove incorrect program(s) ? πœšβ€² 𝜚 ֞ No information about equivalence 22

  22. Increase confidence Remove incorrect program(s) ? πœšβ€² 𝜚 ֞ No information about equivalence 23

  23. Increase confidence Remove incorrect program(s) ? πœšβ€² 𝜚 ֞ No information about equivalence Equivalence class 1 Equivalence class 2 24

  24. Equivalence class 1 Equivalence class 2 Equivalence class 3 β€’ Prefer programs whose formulas are – Precise (fewest uninterpreted functions) – Fast (fewest non-linear arithmetic operations) – Simple (fewest nodes) 25

  25. Equivalence class 1 Equivalence class 2 Equivalence class 3 β€’ Prefer programs whose formulas are – Precise (fewest uninterpreted functions) – Fast (fewest non-linear arithmetic operations) – Simple (fewest nodes) 26

  26. synthesize 27

  27. 28

  28. Learn dx ← dx + 16 ax addw %ax , %dx Rename addw %cx , %bx bx ← bx + 16 cx βœ” dx ← dx + 16 M rsp βœ” addw ( %rsp ), %dx dx ← dx + 16 5 16 addw $0x5, %dx βœ” 29

  29. 1. Learn formula for register-only instructions 2. Generalize formulas ‐ To other types of operands 3. Check on test inputs 30

  30. shufps $0xb3, %xmm0 , %xmm1 Problem: No corresponding register-only variant Solution: Brute force a formula for every constant 31

  31. β€’ Base set (51 instructions) – Integer, bitwise and float operations – Data movement (including conditional move) – Conversion operations β€’ Pseudo instructions (11 templates) – Split and combine registers – Changing status flags 32

  32. β€’ Total instructions 3,684 β€’ Out-of-scope – System instructions invpcid, jle 302 – Crypto instructions aeskeygenassist 35 – Deprecated instructions fadd 332 – String instructions scasq 97 β€’ Goal instructions 2,918 33

  33. β€’ Base set 51 β€’ Pseudo instructions 11 β€’ Register-only instructions learned 692 β€’ Generalized 984 β€’ 8-bit constant instructions learned 119.42 β€’ Total formulas learned 1,795.42 34

  34. Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 Automatically proven equivalent 1,377.91 4 Equivalent with additional lemma 35

  35. Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 fadd 𝑏, 𝑐 = fadd 𝑐, 𝑏 Automatically proven equivalent 1,377.91 4 Equivalent with additional lemma 36

  36. Compare with handwritten formulas (from STOKE) Available for comparison 1,431.91 Automatically proven equivalent 1,377.91 4 Equivalent with additional lemma Semantically different 50 Handwritten formula correct 0 Learned formula correct 50 37

  37. Stratum 1 Stratum 3 Stratum 0 Stratum 2 base set 0 if 𝑗 ∈ baseset stratum 𝑗 = ࡝ 𝑗 β€² βˆˆπ‘(𝑗) stratum i β€² 1 + max otherwise 38

  38. 0 if 𝑗 ∈ baseset stratum 𝑗 = ࡝ 𝑗 β€² βˆˆπ‘(𝑗) stratum i β€² 1 + max otherwise 39

  39. 800 Number of formulas learned 700 600 500 400 300 200 100 0 0 50 100 150 200 250 Wall-clock time elapsed [hours] Stratification Without stratification 40

  40. Fully inlined: 3526 instructions number of nodes in learned formula number of nodes in handwritten formula 41

  41. 1. Automatically learned 1,795 formulas 2. Stratification key to scale program synthesis 3. Compare to hand-written specification ‐ More correct, equally precise, same size Source code, formulas, experimental results https://github.com/StanfordPL/strata/ 42

  42. 43

  43. 1. Missing base instructions Some integer and floating point operations are missing 2. Program synthesis limits Shortest known program is long and outside of reach e.g., byte-vectorized operation 3. Cost function limitation For one bit of output, the cost function does not give enough signal 4. Crazy instructions 44

  44. β€’ Total decisions 7,075 β€’ Equivalent 6,669 (94.26%) β€’ New equivalence class 356 (5.03%) β€’ Counter-examples 50 (0.71%) β€’ β€’ Timeouts (45 seconds): 3 45

  45. β€’ Intel Xeon E5-2697 (28 cores) at 2.6 GHz – 268.86 hours (register-only) – 159.12 hours (8-bit constants) β€’ Total of 11,983.37 core hours 46

  46. β€’ Random inputs (random machine state) β€’ β€œInteresting” bit -patterns 0 , 1 , βˆ’1 , 2 π‘œ , NaN , Infinity β€’ Test cases learned from counter-examples 47

  47. β€’ Formulas are simplified – Constant propagation ≑ 8 64 2 64 βˆ— 64 4 64 – Move bit-selection over concatenation 0 64 ∘ rax 63,0 ≑ rax 48

  48. β€’ Formula precision (number of uninterpreted functions) – Learned formulas equally precise in all but 4 cases β€’ Formula quality (number of non-linear operations) – Learned formulas contain same number of non- linear operations, except for 11 cases 49

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken Stanford University PLDI 2016 This Talk Example: mathematical specification Goal: Bound the difference between spec and implementation

1.22k views β€’ 111 slides
the Correctness of math.h Implementations Wonyeol Lee 1,2 Rahul Sharma 3 Alex Aiken 1 1 Stanford

the Correctness of math.h Implementations Wonyeol Lee 1,2 Rahul Sharma 3 Alex Aiken 1 1 Stanford

On Automatically Proving the Correctness of math.h Implementations Wonyeol Lee 1,2 Rahul Sharma 3 Alex Aiken 1 1 Stanford University 2 KAIST 3 Microsoft Research POPL 2018 1 /146 Our Goal mathematical specification Industry

2.05k views β€’ 146 slides
A Data Driven Approach for Algebraic Loop Invariants Paper by Rahul Sharma, Saurabh Gupta,

A Data Driven Approach for Algebraic Loop Invariants Paper by Rahul Sharma, Saurabh Gupta,

A Data Driven Approach for Algebraic Loop Invariants Paper by Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, Percy Liang, and Aditya V. Nori In ESOP 2013 Vanya Dancheva Seminar: Research Topics in Software Engineering 22.04.2013

436 views β€’ 15 slides
Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group

Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group

Program Verification via Machine Learning Aditya V. Nori Programming Languages and Tools group Microsoft Research India Joint work with Alex Aiken, Rahul Sharma (Stanford University) Software validation problem I hope some hacker cannot

1.15k views β€’ 46 slides
Compilers Scope Alex Aiken Scope Matching identifier declarations with uses Important

Compilers Scope Alex Aiken Scope Matching identifier declarations with uses Important

Compilers Scope Alex Aiken Scope Matching identifier declarations with uses Important static analysis step in most languages Including COOL! Alex Aiken Scope Example 1 let y: String abc in y + 3 Example 2 let y:

155 views β€’ 13 slides
Compilers Recursive Descent Algorithm Alex Aiken RD Algorithm Let TOKEN be the type of

Compilers Recursive Descent Algorithm Alex Aiken RD Algorithm Let TOKEN be the type of

Compilers Recursive Descent Algorithm Alex Aiken RD Algorithm Let TOKEN be the type of tokens Special tokens INT, OPEN, CLOSE, PLUS, TIMES Let the global next point to the next input token Alex Aiken RD Algorithm Define boolean

87 views β€’ 8 slides
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology One of the most popular application platforms Easy to deploy and access Almost anything available as a web app

385 views β€’ 20 slides
Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing

Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing

Compilers Structure of a Compiler Alex Aiken Intro to Compilers 1. Lexical Analysis 2. Parsing 3. Semantic Analysis 4. Optimization 5. Code Generation Alex Aiken Intro to Compilers First step: recognize words. Smallest unit above

469 views β€’ 16 slides
Computer-Generated Residential Building Layouts Paul Merrell Eric Schkufza Vladlen Koltun

Computer-Generated Residential Building Layouts Paul Merrell Eric Schkufza Vladlen Koltun

Computer-Generated Residential Building Layouts Paul Merrell Eric Schkufza Vladlen Koltun Stanford University 1 Modeling Buildings with Interiors n Goal: Model the internal structure of buildings n Crucial in many interactive

824 views β€’ 34 slides
Compilers Spilling Alex Aiken Spilling What happens if the graph coloring heuristic fails to

Compilers Spilling Alex Aiken Spilling What happens if the graph coloring heuristic fails to

Compilers Spilling Alex Aiken Spilling What happens if the graph coloring heuristic fails to find a coloring? In this case, we cant hold all values in registers. Some values are spilled to memory Alex Aiken Spilling What if

340 views β€’ 16 slides
Machine learning Aditya V. Nori Programming Languages & Tools group Microsoft Research India

Machine learning Aditya V. Nori Programming Languages & Tools group Microsoft Research India

Program verification via Machine learning Aditya V. Nori Programming Languages & Tools group Microsoft Research India Joint work with Rahul Sharma, Alex Aiken (Stanford University) Program verification 1: x = y = 0; 1: gcd(int x, int

309 views β€’ 26 slides
IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian

IFC Inside: Retrofitting Languages with Dynamic Information Flow Control Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, Alejandro Russo Stanford University, Chalmers University Motivating Example: Web Security Website uses

487 views β€’ 28 slides
Compilers Alignment Alex Aiken Alignment Most modern machines are 32 or 64 bit 8 bits in

Compilers Alignment Alex Aiken Alignment Most modern machines are 32 or 64 bit 8 bits in

Compilers Alignment Alex Aiken Alignment Most modern machines are 32 or 64 bit 8 bits in a byte 4 or 8 bytes in a word Machines are either byte or word addressable Alex Aiken Alignment Data is word aligned if it begins at a

267 views β€’ 4 slides
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions AdBlock NYTimes Chase Evernote Core browser Web

591 views β€’ 40 slides
Compilers Lexical Analysis Alex Aiken Lexical Analysis 1. Lexical Analysis 2. Parsing 3.

Compilers Lexical Analysis Alex Aiken Lexical Analysis 1. Lexical Analysis 2. Parsing 3.

Compilers Lexical Analysis Alex Aiken Lexical Analysis 1. Lexical Analysis 2. Parsing 3. Semantic Analysis 4. Optimization 5. Code Generation Alex Aiken Lexical Analysis if (i == j) Z = 0; else Z = 1; \tif (i == j)\n\t\tz =

228 views β€’ 9 slides
without the Fractions Stefan Heule ETH Zurich Joint work with : Rustan Leino, Peter Mller,

without the Fractions Stefan Heule ETH Zurich Joint work with : Rustan Leino, Peter Mller,

Fractional Permissions without the Fractions Stefan Heule ETH Zurich Joint work with : Rustan Leino, Peter Mller, Alexander Summers Microsoft Research ETH Zurich ETH Zurich 2 Overview Verification of (race-free)

220 views β€’ 19 slides
Review of Probability 1 Probability Theory: Many techniques in speech processing require the

Review of Probability 1 Probability Theory: Many techniques in speech processing require the

Review of Probability 1 Probability Theory: Many techniques in speech processing require the manipulation of probabilities and statistics. The two principal application areas we will encounter are: Statistical pattern recognition.

859 views β€’ 39 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views β€’ 18 slides
Burning Your Skis LESSON 9 Your Response to the

Burning Your Skis LESSON 9 Your Response to the

Burning Your Skis LESSON 9 Your Response to the Lesson What was most interes3ng in the Bible story? What ac3vity was most enjoyable?

543 views β€’ 22 slides
Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain

Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain

Budget Allocation for Sequential Customer Engagement Craig Boutilier, Google Research, Mountain View (joint work with Tyler Lu) Were hiring: https://sites.google.com/site/icmlconf2016/careers 1 Sequential Models of Customer Engagement

702 views β€’ 47 slides
Chapter 3: Basics from Probability Theory and Statistics It is likely that unlikely things should

Chapter 3: Basics from Probability Theory and Statistics It is likely that unlikely things should

Chapter 3: Basics from Probability Theory and Statistics It is likely that unlikely things should happen. -- Aristotle The excitement that a gambler feels when making a bet is equal to the amount he might win times the probability of winning

427 views β€’ 38 slides
X 1 1 1 1 0 0 0 0 1000

X 1 1 1 1 0 0 0 0 1000

704 views β€’ 3 slides
The Effective Audit Committee 2 April 2019 The Holiday Inn Housekeeping Fire alarms test

The Effective Audit Committee 2 April 2019 The Holiday Inn Housekeeping Fire alarms test

Welcome to The Effective Audit Committee 2 April 2019 The Holiday Inn Housekeeping Fire alarms test at midday Toilets Tea/Coffee Lunch Mobile Phones Evaluation Forms Overview of the Day Overview Agendas on the

898 views β€’ 50 slides
Probability and Independence Definition If P(B) > 0 , the conditional probability of A given

Probability and Independence Definition If P(B) > 0 , the conditional probability of A given

Ch3: Conditional Probability and Independence Definition If P(B) > 0 , the conditional probability of A given B, denoted by P(A | B), is ( | ) P A B 2 Example 3.2 From the set of all families with two children, a family is

610 views β€’ 33 slides

More recommend