Algorithmic Software Verification

Algorithmic Software Verification

Rajeev Alur

University of Pennsylvania

ARO Review, May 2005

Software Model Checking

Code Abstractor Model

Verifier Specification

Yes

Counter-example

Predicate abstraction

Finite-stateBoolean vars

On-the-fly explicit stateOr Symbolic fixpoint evaluation

LTL/CTL/Automata Regular!

Observables

Abstracting Modular Programs

main() { bool y; … x = P(y); … z = P(x); …}bool P(u: bool) {…return Q(u);}bool Q(w: bool) { if … else return P(~w)}

A2

A1

A3

A2

A2

A3

A3

A1Entry/Inputs

Exit/outputs

Box (function-calls)

Program Recursive State Machine (RSM)/ Pushdown automaton

Software Model Checking



Yes

Counter-example


Recursive State Machines

On-the-fly explicit state(see poster for VERA)

LTL/CTL/Automata Regular!

Observables

LTL

Linear-time Temporal Logic (LTL)

Q ::- p | not Q | Q or Q’ | Next Q | Always Q | Eventually Q | Q Until Q’

Interpreted over (infinite) sequences.Models of any LTL formula is a regular language.Useful for stating sequencing properties:

If req happens, then req holds until it is granted: Always ( req → (req Until grant) )

An exception is never raised: Always ( not Exception )

LTL is not expressive enough

LTL cannot express:

Classical Hoare-style pre/post conditions If p holds when procedure A is invoked, q holds upon

return Total correctness: every invocation of A terminates Integral part of emerging standard JML

Stack inspection properties For security/access control

If a setuuid bit is being set, process root must be in the call stack

Above requires matching of calls with returns, orfinding unmatched calls --- Context-free properties!

Context-free specifications

But model-checking context-free properties against context-free models is Undecidable.

However, the properties described are verifiable.

Existing work in security that handles some stack inspection properties [JMT99,JKS03]

Adding assert statements in the program (with additional local variables, if needed), and then checking regular properties (e.g. reachability) amounts to checking context-free properties

CARET

CARET: A temporal logic for Calls and Returns Expresses context-free properties

A

B

C

A

Global successor used by LTL

………….

CARET


A

B

C

D


………….

Local successor: Jump from calls to returns Otherwise global successor at the same level

CARET


A

B

C

A


………….


CARET


A

B

C

A


………….


Local path

CARET


A

B

C

A


………….


Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes

CARET


A

B

C

A


………….

Abstract successor: Jump from calls to returns Otherwise global successor at the same level

Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes

Caller path gives the stack content!

CARET Definition

Syntax: Q ::- p | not Q | Q or Q’ |

Next Q | Always Q | Eventually Q | Q Until Q’

Local-Next Q | Local-always Q Local-Eventually Q | Q Local-Until Q’

Caller Q | Callerpath-always Q CallerPath-Eventually Q | Q CallerPath-Until Q’

Local- and Caller- versions of all temporal operators All these operators can be nested

Expressing properties in Caret

Pre-post conditions If P holds when A is called, then Q must hold when

the call returns

Always ( (P and call-to-A) Local-Next Q )

A

PQ

Pre-post conditions are integral to specifications for JML (Java Modeling Language)


If A is called with low priority, then it cannot access the file Always ( call-to-A and low-priority

Local-Always ( not access-file ) )

Alowpriority

Ahighpriority access-file


Stack inspection properties

If variable x is accessed, then A must be on the call stack Always ( access-to-x

CallerPath-Eventually call-to-A )

access-to-x

A

Model checking CARET

Given: A (boolean) recursive state machine/ pushdown automaton M A CARET formula Q

Model-checking: Do all runs of M satisfy the specification Q?

CARET can be model-checked in time that is polynomial in M and exponential in Q.

|M|3 . 2O(|Q|)

Complexity same as that for LTL !

Model-checking CARET: intuition

Main Idea: The specification matches calls and returns of the program. Hence the push (pop) operations of the model and the

specifications synchronize Given M and formula Q,

Build a Buchi pushdown automaton that accepts words exhibited by M that satisfy (not Q) Check this pushdown automaton for emptiness Specification automaton also pushes onto the stack!

s, Q1

sPush s and Q1

Local-Next Q1 Pop s and Q1 ;

Check Q1

Can we generalize the idea?

LTL Regular Languages

CARET ?

Must be asuperset of CARET

Must be model-checkableagainst pushdown

models

Generalizing the idea

Structured words: Partitioned alphabet:

Σ = Spush Spop Sinternal

Consider finite words over Σ

A visibly pushdown automaton over Σ is a pushdown automaton that pushes a symbol onto the stack on a letter in Spush

pops the stack on a letter in Spop

cannot change the stack on a letter in Sinternal

Note: Stack size at any time is determined by the input wordbut not the stack content

A language is a VPL over a partitioned alphabet Σ, if there is a visibly pushdown automata that accepts it (acceptance by final state)

CARET is contained in VPLModel-checking:

CARET Q VPL LQ

Pushdown model M VPL LM

M satisfies Q iff LM LQ = (Emptiness of pushdown automata is decidable)

Visibly pushdown languages (VPL)

VPL is closed under boolean operations: union, intersection and complement

VPL

VPLs are also determinizable (Consequence: Runtime monitors for CARET/VPL can be built)

We have also extended this class to languages of infinite words.

Regular Lang

DCFL

CFL

VPL

VPL

Regular

CFL

DCFL

VPL

L

PSPACE

Emptiness Inclusion

Yes Yes Yes NLOG

Yes No No

No

UndecPTIME

No Yes PTIME Undec

Yes Yes Yes PTIME Exptime

VPL: Connection to tree languages

Let w = i5 c1 i1 c2 i4 i3 i3 r3 c1 i1 r1 r5 i5 i3

i5

c1

r5i1

c2

i4

i3

i3

i5

i3r3

Stack trees

r1

c1

i1

VPL: Connection to tree languages

Tree-language characterization:

Let L be a set of strings and let ST(L) be the set of stack trees that correspond to L.

Then L is a VPL iff ST(L) is a regular tree language

VPL is robust

Visibly pushdownlanguages

Regular stack-trees

Monadic second order logic with a matching predicate

Context-free Grammar Subset (generalizes Knuth’s Parantheses Languages)

ω-VPL - extension to infinite words

A Büchi VPA: VPA over infinite strings A word is accepted if along a run, the set QF is seen infinitely

often

ω-VPL – class of languages accepted by Büchi VPAs

ω-VPL is closed under all boolean operations Characterization using regular trees and MSO characterization hold.

However, ω-VPLs are not determinizable!

Let L be the set of all words such that the stack is “repeatedly bounded”

i.e. n. the stack depth is n infinitely often.

L is an ω-VPL but there is no deterministic Muller VPA for it.

“Regular-like” properties continue..

Congruences and minimization (Myhill-Nerode Theorem) cornerstone of theory of regular languages

Given a language L, for well-matched words u and v, define u ~L v iff for all words x and y, xuy in L iff xvy in L

Theorem: A language L of well-matched words is a VPL iff the congruence ~L is of finite index

Minimization No unique minimal deterministic VPA in general, but… Minimization of RSMs (i.e. procedural boolean programs)

possible. Partitioning into k procedures/modules is adequate to get canonicity!

Conclusions

Exposing calls and returns leads to an interesting subclass of context-free languages

VPLs seem robust and adequate to model software analysis problems

Publications: TACAS’04, STOC’04, TACAS’05, ICALP’05

Coauthors: S. Chaudhuri, K. Etessami, V. Kumar, P. Madhusudan, M. Viswanathan

Active area of current research DTDs, XML, and query languages Branching-time logics, Fixpoint calculus, and visibly

pushdown tree automata

New Foundations for Software Model Checking



Yes

Counter-example


Recursive State machines+

Boolean vars

On-the-fly explicit stateOr Symbolic fixpoint evaluation

Caret/VPAs/VPVPLs

ObservableCalls/rets

Date post:	02-Jan-2016
Category:	Documents
Upload:	laith-atkinson
View:	44 times
Download:	0 times

Algorithmic Software Verification

Documents