Range and Set Abstraction using SAT

Symbolic decision trees are not the only way to capture the relationship between flags and numeric variables. Boolean formulae can also represent such relationships when the integer variables are modelled as bit-vectors of propositional variables. Boolean formulae can be composed to express the semantics of a block and of program state, but such formulae are rarely tractable, hence the need to compute their abstractions. This paper shows how incremental SAT can be applied to derive range and set abstractions for bit-vectors that are constrained by Boolean formulae.
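As an added illustration of the two abstractions the abstract describes (example code, not the paper's own): a small DPLL solver is queried incrementally, with assumptions on the high bits to find the bounds of a bit-vector and with blocking clauses to enumerate its value set. The bit-vector encoding, the constraint formula and the value limit are constructed for the example.

```python
# Added example (not the paper's code): range and set abstraction of a bit-vector x
# constrained by a CNF formula, using a tiny DPLL solver queried incrementally.

def solve(clauses, assumptions=None):             # model {var: bool} or None (UNSAT)
    assign = dict(assumptions or {})
    for clause in clauses:                        # unit propagation (DIMACS int literals)
        if any(assign.get(abs(l)) == (l > 0) for l in clause):
            continue                              # clause already satisfied
        open_lits = [l for l in clause if abs(l) not in assign]
        if not open_lits:
            return None                           # every literal false: conflict
        if len(open_lits) == 1:                   # unit clause forces its literal
            assign[abs(open_lits[0])] = open_lits[0] > 0
            return solve(clauses, assign)         # re-propagate with the new literal
    free = {abs(l) for c in clauses for l in c} - set(assign)
    if not free:
        return assign
    var = min(free)                               # branch on the lowest free variable
    for val in (True, False):
        model = solve(clauses, {**assign, var: val})
        if model is not None:
            return model
    return None

def value_of(model, bits):                        # bits[0] is the LSB of x
    return sum(model.get(b, False) << i for i, b in enumerate(bits))

def range_abstraction(clauses, bits):             # interval [lo, hi] of x
    def extreme(want):                            # one SAT call per bit, MSB first
        fixed = {}
        for b in reversed(bits):                  # keep the bit if SAT, else flip it
            fixed[b] = want if solve(clauses, {**fixed, b: want}) is not None else not want
        return value_of(fixed, bits)
    return extreme(False), extreme(True)          # want=False minimises, True maximises

def set_abstraction(clauses, bits, limit=64):     # value set of x, or None once `limit` values are found
    clauses = list(clauses)                       # blocking clauses are appended here
    values = set()
    while len(values) < limit:
        model = solve(clauses)
        if model is None:
            return values                         # UNSAT: every value is enumerated
        values.add(value_of(model, bits))
        clauses.append([-b if model.get(b) else b for b in bits])   # block this value
    return None                                   # too many values: fall back to the range

# Constructed input: x = b4 b3 b2 b1 (variable 1 is the LSB) with x even, x != 0
# and not (b4 and b3), so the models are x in {2, 4, 6, 8, 10}.
BITS = [1, 2, 3, 4]
FORMULA = [[-1], [1, 2, 3, 4], [-4, -3]]
```

The range [2, 10] admits the odd values that the set {2, 4, 6, 8, 10} excludes, which is the precision trade-off between the two abstractions; the value limit is what keeps set enumeration from blowing up on wide bit-vectors.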
