1 / 69

Abstractions from Proofs

Abstractions from Proofs. Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]. Scalable Program Verification. Little theorems about big programs Partial Specifications Device drivers use kernel API correctly

kynan
Download Presentation

Abstractions from Proofs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abstractions from Proofs Thomas A. Henzinger Ranjit Jhala [UC Berkeley] Rupak Majumdar [UC Los Angeles] Kenneth L. McMillan [Cadence Berkeley Labs]

  2. Scalable Program Verification • Little theorems about big programs • Partial Specifications • Device drivers use kernel API correctly • Applications use root privileges correctly • Behavioral, path-sensitive properties

  3. Predicate Abstraction: A crash course Error Initial Program State Space Abstraction • Abstraction: Predicates on program state • Signs: x > 0 • Aliasing: &x  &y • States satisfying the same predicates are equivalent • Merged into single abstract state

  4. (Predicate) Abstraction: A crash course Error Initial Program State Space Abstraction Q1: Which predicates are required to verify a property ?

  5. Scalability vs. Verification scalability verification • Few predicates tracked • e.g. type of variables • Imprecision hinders Verification • Spurious counterexamples • Many predicates tracked • e.g. values of variables • State explosion • Analysis drowned in detail

  6. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock T F T unlock scalability lock Only track lock Bogus Counterexample • Must correlate branches Predicatep1makes trace abstractly infeasible pi required for verification

  7. Example while(*){ 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } lock unlock verification scalability lock Only track lock Track lock, pi s Bogus Counterexample • Must correlate branches State Explosion • > 2n distinct states • intractable How can we get scalable verification ?

  8. p1 p2 pn By Localizing Precision while (*) { 1: if (p1) lock(); if (p1) unlock(); … 2: if (p2) lock(); if (p2) unlock(); … n: if (pn) lock(); if (pn) unlock(); } Preds. Used locally Ex: 2 £ n states Preds. used globally Ex: 2n states Q2: Where are the predicates required ?

  9. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract • explanation Why infeasible ? [Kurshan et al. ’93] [Clarke et al. ’00] [Ball, Rajamani ’01]

  10. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement Abstract

  11. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG Counterexample Guided Refinement safe Abstract

  12. Check Is model safe ? Seed Abstraction • Program • YES • NO! (Trace) • explanation SAFE feasible Why infeasible ? Refine BUG This Talk: Counterexample Analysis • What predicates remove trace ? • Make it abstractly infeasible • Where are predicates needed ? Abstract

  13. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  14. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  15. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  16. Traces pc1: x = ctr; pc2: ctr = ctr + 1; pc3: y = ctr; pc4: if (x = i-1){ pc5: if (y != i){ ERROR:} } pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) y = x +1

  17. Trace Feasibility Formulas pc1: x = ctr pc2: ctr = ctr+1 pc3: y = ctr pc4: assume(x=i-1) pc5: assume(yi) pc1: x1 = ctr0 pc2: ctr1 = ctr0+1 pc3: y1 = ctr1 pc4: assume(x1=i0-1) pc5: assume(y1i0) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Trace SSA Trace Trace Feasibility Formula Theorem: Trace is Feasible, TFF is Satisfiable Compact Verification Conditions [Flanagan,Saxe ’00]

  18. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  19. Counterexample Analysis Q0: Is trace feasible ? Feasible Trace Refine Q1: What predicates remove trace ? Explanation of Infeasibility Q2: Whereare preds required ? Feasible Y SSA Thm Pvr N Trace Trace Feasibility Formula Predicate Map: Prog Ctr ! Predicates Extract Proof of Unsat.

  20. Proof of Unsatisfiability x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 x1 = ctr0 x1 = i0 -1 ctr1= ctr0+1 ctr0 = i0-1 ctr1 = i0 y1= ctr1 y1= i0 y1 i0 ; Proof of Unsatisfiability Trace Formula • PROBLEM • Proof uses entire history of execution • Information flows up and down • No localized or state information !

  21. The Present State… Trace pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) … is all the information the executing program has here State… 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible At pc4, which predicate on present state shows infeasibility of suffix ?

  22. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  23. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 x1 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 State… Predicate … … implied by TF prefix … on common variables 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  24. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … has present values of variables 3. … makes trace suffix infeasible

  25. What Predicate is needed ? Trace Formula (TF) Trace x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) State… Predicate … … implied by TF prefix … on common variables … & TF suffix is unsatisfiable 1. … after executing trace prefix 2. … knows present values of variables 3. … makes trace suffix infeasible

  26. Craig’s Interpolation Theorem [Craig ’57] Given formulas - , + s.t. -Æ + is unsatisfiable There exists an Interpolant for - , +, s.t. • -implies •  has symbols common to -, + • Æ+ is unsatisfiable  computable from Proof of Unsat. of - Æ+ [Krajicek ’97] [Pudlak ’97] (boolean) SAT-based Model Checking [McMillan ’03]

  27. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate  + Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable 1. Predicate implied by trace prefix 2. Predicate on common variables common = current value 3. Predicate & suffix yields a contradiction

  28. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate  + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  29. Interpolant = Predicate ! Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Predicate at pc4: y= x+1 - Interpolate  pc4 + y1 = x1 + 1 Require: Interpolant: • 1. -implies • 2.  has symbols common to-,+ • 3. Æ+ is unsatisfiable • 1. Predicate implied by trace prefix • 2. Predicate on common variables • 3. Predicate & suffix yields a contradiction

  30. Building Predicate Maps Predicate Map pc2: x= ctr Trace Trace Formula - pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Interpolate x1 = ctr0 + pc2 • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  31. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x= ctr-1 Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate x1= ctr1-1 pc3 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  32. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y= i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 - Interpolate y1= i0 pc5 + • Cut + Interpolate at each point • Pred. Map: pci Interpolant from cut i

  33. Building Predicate Maps Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x+1 pc5:y = i Trace Trace Formula pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x1 = ctr0 Æctr1 = ctr0 + 1 Æy1 = ctr1 Æ x1 = i0- 1 Æy1i0 Theorem:Predicatemap makes trace abstractly infeasible

  34. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  35. Traces with Procedure Calls Trace Trace Formula pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume (x1=x3+2) pc1: x1 = 3 pc2: assume (x1>0) pc3: x3 = f1(x1) pc4: y2 = y1 pc5: y3 = f2(y2) pc6: z2 = z1+1 pc7: z3 = 2*z2 pc8: return z3 pc9: return y3 pc10: x4 = x3+1 pc11: x5 = f3(x4) pc12: assume(w1<5) pc13: return w1 pc14: assume x4>5 pc15: assume(x1=x3+2) Find predicate needed at point i i i

  36. Interprocedural Analysis Trace Trace Formula NO Find predicate needed at point i YES i i NO Require at each point i: Well-scopedpredicates YES: Variables visible at i NO: Caller’s local variables Procedure Summaries [Reps,Horwitz,Sagiv ’95] Polymorphic Predicate Abstraction [Ball,Millstein,Rajamani ’02]

  37. Problems with Cutting Trace Trace Formula - i i + Caller variables common to - and + • Unsuitable interpolant: not well-scoped

  38. Interprocedural Cuts Trace Trace Formula Call begins i i

  39. Interprocedural Cuts Trace Trace Formula Call begins + - i i Predicate at pci= Interpolant from cut i

  40. Common Variables Trace Trace Formula Common Variables Formals + - Formals Current locals i i Well-scoped Predicate at pci= Interpolant from i-cut

  41. Plan • Motivation • Refinement using Traces • Simple • Procedure calls • Results

  42. Implementation • Algorithms implemented in BLAST • Verifier for C programs, Lazy Abstraction [POPL ’02] • FOCI : Interpolating decision procedure • Examples: • Windows Device Drivers (DDK) • IRP Specification: 22 state FSM • Current: Security properties of Linux programs

  43. Windows DDK IRP 22 state Results * Pre-processed

  44. Windows DDK IRP 22 state Localizing works… * Pre-processed

  45. Conclusion • Scalability and Precision by localizing • Craig Interpolation • Interprocedural cuts give well-scoped predicates • Some Current and Future Work: • Multithreaded Programs • Project local info of thread to predicates over globals • Hierarchical trace analysis

  46. BLAST Berkeley Lazy Abstraction Software * Tool www.eecs.berkeley.edu/~blast/

  47. Pointers and Aliasing • McCarthy’s Axioms (Arrays, Select, Update) • Theory of arrays doesn’t have q.f. interpolants! • Instantiate axioms when building TF • Using Morris’ generalized rule for assignment • Cuts, Interpolants remain the same

  48. Abstract Infeasibility Property: Strongest Postcondition of ith predicate w.r.t. opi+1 implies i+1th predicate Predicate Map pc2: x = ctr pc3:x = ctr-1 pc4:y = x-1 pc5:y = i pc1: x = ctr pc2: ctr = ctr + 1 pc3: y = ctr pc4: assume(x = i-1) pc5: assume(y  i) x = ctr -1 Æ y = ctr ) x = ctr -1 y=x+1 2ndPredicate 3rdPredicate Strongest Postcondition Trace

  49. Another Interprocedural Cut Trace Trace Formula Call begins - + i i Predicate at pci= Interpolant from i-cut

  50. Interprocedural Cuts Trace Formula Call begins x1 x1 = a0 Æ y1 = x1 + 1 Æ r1 = y1 + 1 Æ b1 = r1 Æ a0 b1 - 1 + - x1 r1 r1 Common Symbols x1 : Value of passed parameter x r1 : Value of local r

More Related