Adaptive eager boolean encoding for arithmetic reasoning in verification

Decision procedures for first-order logics are widely applicable in design verification and static program analysis. However, existing procedures rarely scale to large systems, especially for verifying properties that depend on data or timing in addition to control. This thesis presents a new approach for building efficient, automated decision procedures for first-order logics involving arithmetic. In this approach, decision problems involving arithmetic are transformed into problems in the Boolean domain, such as Boolean satisfiability solving, thereby leveraging recent advances in that area. The transformation automatically detects and exploits problem structure based on new theoretical results and machine learning. The results of experimental evaluations show that our decision procedures can outperform other state-of-the-art procedures by several orders of magnitude. The decision procedures form the computational engines for two verification systems, UCLID and TMV. These systems have been applied to problems in computer security, electronic design automation, and software engineering that require efficient and precise analysis of system functionality and timing. This thesis describes two such applications: finding format-string exploits in software, and verifying circuits that operate under timing assumptions.
