Augmenting Counterexample-Guided Abstraction Refinement with Proof Templates

Existing software model checkers based on predicate abstraction and refinement typically perform poorly at verifying the absence of buffer overflows: the cost of their analyses depends on the sizes of the arrays being checked. We observe that many of these analyses can be made efficient by providing proof templates for common array-traversal idioms, which guide the model checker towards proofs that are independent of array size. We have integrated this technique into our software model checker, PtYasm, and evaluated it on a set of test cases derived from the Verisec suite, demonstrating that it enables verification of the safety of array accesses independently of array size.
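As an added illustration (not PtYasm code and not from the paper), the C below shows two of the array-traversal idioms the abstract refers to, together with the size-independent loop invariant a proof template would supply for each. The invariant mentions only the symbolic bound `n`, so the obligation that every `dst[i]` is in bounds is the same for every array size. The function names, the inline `assert`s encoding the invariant, and the comment on what counterexample-driven refinement tends to learn instead are all this example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Added example, not PtYasm code: two common array-traversal idioms with
 * the size-independent loop invariant a proof template would hand to the
 * model checker. Both invariants mention only the symbolic bound n, so one
 * proof covers every array size. */

/* Idiom 1: counted traversal. Fills dst[0..n-1] with the value c.
 * Returns the number of elements written. */
size_t fill(unsigned char *dst, size_t n, unsigned char c)
{
    size_t i;
    /* Template invariant: 0 <= i <= n. Established by i = 0; preserved
     * because the loop guard i < n gives i + 1 <= n. Inside the body the
     * guard strengthens it to i < n, which is exactly the bound check. */
    for (i = 0; i < n; i++) {
        assert(i < n);          /* dst[i] in bounds under the invariant */
        dst[i] = c;
    }
    assert(i == n);             /* loop exit: invariant plus negated guard */
    return i;
}

/* Idiom 2: sentinel-terminated copy with an explicit bound (the
 * strncpy-style loop). Copies at most n - 1 characters of src into dst
 * and always NUL-terminates. Returns the number of characters copied,
 * excluding the terminator. src is assumed NUL-terminated. */
size_t bounded_copy(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    if (n == 0)
        return 0;               /* no room even for the terminator */
    /* Template invariant: 0 <= i < n. Established by i = 0 with n > 0;
     * preserved because the guard i < n - 1 gives i + 1 < n. */
    while (i < n - 1 && src[i] != '\0') {
        assert(i < n);          /* dst[i] in bounds under the invariant */
        dst[i] = src[i];
        i++;
    }
    assert(i < n);              /* terminator write in bounds too */
    dst[i] = '\0';
    return i;
}

/* Contrast (this example's explanation, not a claim from the paper):
 * without a template, refinement driven by spurious counterexample paths
 * tends to learn one predicate per unrolled iteration (i == 0, i == 1,
 * ..., i == n - 1), so proof effort grows with the array size. */

int main(void)
{
    unsigned char buf[16];
    char dst[8];

    fill(buf, sizeof buf, 0x41);
    bounded_copy(dst, sizeof dst, "this string is longer than eight");
    return 0;
}
```

Running the block as-is exercises both idioms with concrete sizes; the invariants encoded by the `assert`s are what a model checker would discharge symbolically, for all `n` at once.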
