Parameterized model counting for string and numeric constraints

Recently, symbolic program analysis techniques have been extended to quantitative analyses using model counting constraint solvers. Given a constraint and a bound, a model counting constraint solver computes the number of solutions for the constraint within the bound. We present a parameterized model counting constraint solver for string and numeric constraints. We first construct a multi-track deterministic finite state automaton that accepts all solutions to the given constraint. We limit the numeric constraints to linear integer arithmetic, and for non-regular string constraints we over-approximate the solution set. Counting the number of accepting paths in the generated automaton solves the model counting problem. Our approach is parameterized in the sense that we do not assume a finite domain size during automata construction, resulting in a potentially infinite set of solutions, and our model counting approach works for arbitrarily large bounds. We experimentally demonstrate the effectiveness of our approach on a large set of string and numeric constraints extracted from software applications. We experimentally compare our tool to five existing model counting constraint solvers for string and numeric constraints and demonstrate that our tool is as efficient as, and as precise as or more precise than, the other solvers. Moreover, our tool can handle mixed constraints with string and integer variables that no other tool can.
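The core step the abstract describes, counting accepting paths of the solution automaton up to a length bound, as an added example that is not the paper's own code. The DFA (strings over {a,b} with no "bb" substring) and the bounds are constructed for illustration; the count is a dynamic program over states, so the bound can be arbitrarily large.

```python
import itertools

# Constructed DFA for the constraint: x in (a|b)* and x does not contain "bb".
# State 0: last symbol was not b; state 1: last symbol was b; state 2: dead.
NO_BB = (
    0,                      # start state
    {0, 1},                 # accepting states
    {(0, "a"): 0, (0, "b"): 1,
     (1, "a"): 0, (1, "b"): 2,
     (2, "a"): 2, (2, "b"): 2},
)


def count_accepting_paths(dfa, bound):
    """Number of strings of length <= bound accepted by a complete DFA.

    paths[s] holds how many length-i strings lead from the start to s.
    Each step pushes those counts along every transition, and the
    accepting-state totals are summed for every length 0..bound.
    Python integers do not overflow, so the bound can be very large.
    """
    start, accepting, delta = dfa
    states = {start} | {s for s, _ in delta} | set(delta.values())
    paths = {s: 0 for s in states}
    paths[start] = 1
    total = sum(paths[s] for s in accepting)  # length 0: the empty string
    for _ in range(bound):
        nxt = {s: 0 for s in states}
        for (src, _sym), dst in delta.items():
            nxt[dst] += paths[src]
        paths = nxt
        total += sum(paths[s] for s in accepting)
    return total


def accepts(dfa, word):
    """Run the DFA on a word (tuple or string of symbols)."""
    start, accepting, delta = dfa
    state = start
    for sym in word:
        state = delta[(state, sym)]
    return state in accepting


def brute_force_count(dfa, alphabet, bound):
    """Enumerate all strings up to the bound; only feasible for small bounds."""
    return sum(1 for n in range(bound + 1)
               for w in itertools.product(alphabet, repeat=n)
               if accepts(dfa, w))
```

For this constraint the per-length counts follow the Fibonacci numbers, so the cumulative count for bound 4 is 1 + 2 + 3 + 5 + 8 = 19; the brute-force enumerator is there only to cross-check small bounds.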
