On Strings in Software Model Checking

Strings represent one of the most common and most intricate data types found in software programs, and correct string processing is often a decisive factor for both correctness and security properties. This has led to a wide range of recent research results on how to analyse programs operating on strings, using methods such as testing, fuzzing, symbolic execution, abstract interpretation, or model checking; support for strings is also increasingly being added to constraint solvers and SMT solvers. In this paper, we focus on the verification of software programs with strings using model checking. We survey the existing approaches to handling strings in this context, and propose methods based on algebraic data types, Craig interpolation, and automata learning.
