7 Counterexample-guided abstraction refinement(CEGAR). CEGAR-based SMT solver (Презентации лекций), страница 2

PDF-файл 7 Counterexample-guided abstraction refinement(CEGAR). CEGAR-based SMT solver (Презентации лекций), страница 2 Boolean SAT-SMT Solvers for Software Engineering (64071): Лекции - 11 семестр (3 семестр магистратуры)7 Counterexample-guided abstraction refinement(CEGAR). CEGAR-based SMT solver (Презентации лекций) - PDF, страница 2 (64071) - СтудИзба2020-08-252020-08-25KoalaСтудИзба

Презентации лекций37

Описание файла

Файл "7 Counterexample-guided abstraction refinement(CEGAR). CEGAR-based SMT solver" внутри архива находится в папке "Презентации лекций". PDF-файл из архива "Презентации лекций", который расположен в категории "". Всё это находится в предмете "boolean sat-smt solvers for software engineering" из 11 семестр (3 семестр магистратуры), которые можно найти в файловом архиве МГУ им. Ломоносова. Не смотря на прямую связь этого архива с МГУ им. Ломоносова, его также можно найти и в других разделах. .

Просмотр PDF-файла онлайн

Текст 2 страницы из PDF

/ Trento / 2005 - presentGanesh / Stanford & MIT / 2005 - presentSeshia / CMU & Berkeley / 2004 - presentCombinationsVijay GaneshWednesday, 16 January, 1318Talk OutlineTopics covered in Lecture 1Motivation for SAT/SMT solvers in software engineering• Software engineering (SE) problems reduced to logic problems• Automation, engineering, usability of SE tools through solversHigh-level description of the SAT/SMT problem & logics• Rich logics close to program semantics• Demonstrably easy to solve in many practical casesModern SAT solver architecture & techniques• DPLL search, shortcomings• Modern CDCL SAT solver: propagate (BCP), decide (VSIDS), conflict analysis, clause learn, backJump,• Termination, correctness• Big lesson: learning from mistakesTopics covered in Lecture 2Modern SMT solver architecture & techniques• Rich logics closer to program semantics• DPLL(T), Combinations of solvers, Over/under approximations• My own contributions: STP & HAMPI• STP: Abstraction-refinement for solving• Applications to dynamic symbolic testing (aka concolic testing)• HAMPI: Bounded logics• SAT/SMT-based applications• Future of SAT/SMT solversVijay GaneshWednesday, 16 January, 1319STP Bit-vector & Array SolverProgramExpressionsSATSTP Solver(x = z+2 ORmem[i] + y <= 01)UNSAT• Bit-vector or machine arithmetic• Arrays for memory• C/C++/Java expressions• NP-completeVijay GaneshWednesday, 16 January, 1320The History of STP• Solver-based languages (Alloy team)1,000,000 Constraints• Solver-based debuggers• Solver-based type systems• Solver-based concurrency bugfinding• HAMPI: String Solvers• Ardilla by Ernst et al.• Kudzu & Kaluza by Song et al.• Klee by Engler et al.• George Candea’s Cloud 9 tester• STP + HAMPI exceed 100+ projects• STP• Enabled Concolic Testing• EXE by Engler et al• BAP/BitBlaze by Song et al.• Model checking by Dill et al.100,000 Constraints2005Vijay GaneshWednesday, 16 January, 132009Today21Programs Reasoning & STPWhy Bit-vectors and Arrays• STP logic tailored for software reliability applications• Support symbolic execution/program analysisC/C++/Java/...Bit-vectors and ArraysInt VarChar Var32 bit variable8 bit variableArithmetic operation(x+y, x-y, x*y, x/y,...)Arithmetic function(x+y,x-y,x*y,x/y,...)assignmentsx = expr;equalityx = expr;if conditionalif(cond) x = expr1 else x = expr2if-then-else constructx = if(cond) expr1 else expr2inequalityinequality predicateMemory read/writex = *ptr + i;Array read/writeptr[]; x = Read(ptr,i);Structure/ClassSerialized bit-vector expressionsFunctionSymbolic executionLoopsBoundingVijay GaneshWednesday, 16 January, 1322How to Automatically Crash Programs?Concolic Execution & STPProblem: Automatically generate crashing tests given only the codeProgramSymbolic ExecutionEnginewithImplicit SpecAutomatic TesterFormulasSTPSAT/UNSATCrashing TestsVijay GaneshWednesday, 16 January, 1323How to Automate Testing?Concolic Execution & STPStructured input processing code:PDF Reader, Movie Player,...Buggy_C_Program(int* data_field, int len_field) {int * ptr = malloc(len_field*sizeof(int));int i; //uninitialized}while (i++ < process(len_field)) {//1.

Integer overflow causing NULL deref//2. Buffer overflow*(ptr+i) = process_data(*(data_field+i));}• Formula captures computation• Tester attaches formula to capture specVijay GaneshWednesday, 16 January, 1324How to Automate Testing?Concolic Execution & STPStructured input processing code:PDF Reader, Movie Player,...Buggy_C_Program(int* data_field, int len_field) {int * ptr = malloc(len_field*sizeof(int));int i; //uninitialized}while (i++ < process(len_field)) {//1. Integer overflow causing NULL deref//2. Buffer overflow*(ptr+i) = process_data(*(data_field+i));}Equivalent Logic Formula derived usingsymbolic executiondata_field, mem_ptr : ARRAY;len_field : BITVECTOR(32); //symbolici, j, ptr : BITVECTOR(32);//symbolic..mem_ptr[ptr+i] = process_data(data_field[i]);mem_ptr[ptr+i+1] = process_data(data_field[i+1]);..• Formula captures computation• Tester attaches formula to capture specVijay GaneshWednesday, 16 January, 1324How to Automate Testing?Concolic Execution & STPStructured input processing code:PDF Reader, Movie Player,...Buggy_C_Program(int* data_field, int len_field) {int * ptr = malloc(len_field*sizeof(int));int i; //uninitialized}while (i++ < process(len_field)) {//1.

Integer overflow causing NULL deref//2. Buffer overflow*(ptr+i) = process_data(*(data_field+i));}Equivalent Logic Formula derived usingsymbolic executiondata_field, mem_ptr : ARRAY;len_field : BITVECTOR(32); //symbolici, j, ptr : BITVECTOR(32);//symbolic..mem_ptr[ptr+i] = process_data(data_field[i]);mem_ptr[ptr+i+1] = process_data(data_field[i+1]);..//INTEGER OVERFLOW QUERY0 <= j <= process(len_field);ptr + i + j = 0?• Formula captures computation• Tester attaches formula to capture specVijay GaneshWednesday, 16 January, 1324How STP WorksBird’s Eye View: Translate to SATSTPBit-vector&Array Formula(x = z+2 ORmem[i] + y <= 01)...TranslateToSATBooleanSAT SolverSATUNSATWhy Translate to SAT?• Both theories NP-complete• Non SAT approaches didn’t work• Translation to SAT leverages solid engineeringVijay GaneshWednesday, 16 January, 1325How STP WorksRich Theories cause MEM Blow-upSTPBit-vector&Array Formula(x = z+2 ORmem[i] + y <= 01)...TranslateFormulaToGrowthSATBooleanSAT SolverSATUNSAT• Making information explicit• Space cost• Time costVijay GaneshWednesday, 16 January, 1326Explicit Information causes Blow-upArray Memory Read ProblemLogic Formula derived usingsymbolic executiondata_field, mem_ptr : ARRAY;len_field : BITVECTOR(32); //symbolici, j, ptr : BITVECTOR(32);//symbolic..mem_ptr[ptr+i] = process_data(data_field[i]);mem_ptr[ptr+i+1] = process_data(data_field[i+1]);..if(ptr+i = ptr+j) then mem_ptr[ptr+i] = mem_ptr[ptr+j);//INTEGER OVERFLOW QUERY0 <= j <= process(len_field);ptr + i + j < ptr?• Array Aliasing is implicit• Need to make information explicit during solving• Cannot be avoidedVijay GaneshWednesday, 16 January, 1327How STP WorksArray-read MEM Blow-up Problem• Problem: O(n2) axioms added, n is number of read indices• Lethal, if n is large, say, n = 100,000; # of axioms is 10 BillionFormula Growthv0 = expr0v1 = expr1Read(Mem,i0) = expr0Read(Mem,i1) = expr1Read(Mem,i2) = expr2...Read(Mem,in) = exprn...vn = exprn(i0 = i1) => (v0 = v1)(i0 = i2) => (v0 = v2)...(i1 = i2) => (v1 = v2)...Vijay GaneshWednesday, 16 January, 1328How STP WorksThe Array-read Solution• Key Observation• Most indices don’t alias in practice• Exploit locality of memory access in typical programs• Need only a fraction of array axioms for equivalenceRead(Mem,i0) = expr0Read(Mem,i1) = expr1Read(Mem,i2) = expr2...Read(Mem,in) = exprnVijay GaneshWednesday, 16 January, 13v0 = expr0v1 = expr1...vn = exprn(i0 = i1) => (v0 = v1)29STP Key Conceptual ContributionAbstraction-refinement PrincipleInput FormulaAbstraction StepAbstractedFormulaRefinementBoolean SAT SolverCheck AnswerVijay GaneshWednesday, 16 January, 13CorrectAnswer30How STP WorksWhat to Abstract & How to Refine?AbstractionRefinement1.

Less essential parts2. Causes MEM blow-up1. Guided2. Must rememberAbstraction managesformula growth hardnessRefinement managessearch-space hardnessVijay GaneshWednesday, 16 January, 1331How STP WorksAbstraction-refinement for Array-readsInputRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000(i0,i1)SubstitutionsSimplificationsLinear SolvingArray AbstractionRefinement LoopConversion to SATBoolean SAT SolverResultVijay GaneshWednesday, 16 January, 1332How STP WorksAbstraction-refinement for Array-readsSubstitutionsRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000’(i0,i1)SimplificationsLinear SolvingArray Abstractioni0 = i1Refinement LoopConversion to SATBoolean SAT SolverResultVijay GaneshWednesday, 16 January, 1333How STP WorksAbstraction-refinement for Array-readsAbstracted InputArray Axioms DroppedInputRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000(i0,i1)v0=0v1=1…vn=10,000’ (i0,i1)Refinement LoopSubstitutionsSimplificationsLinear SolvingArray AbstractionConversion to SATBoolean SAT SolverResultVijay GaneshWednesday, 16 January, 1334How STP WorksAbstraction-refinement for Array-readsAbstracted InputArray Axioms DroppedInputRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000(i0,i1)v0=0v1=1…vn=10,000’ (i0,i1)Vijay GaneshWednesday, 16 January, 13SimplificationsLinear SolvingArray AbstractionRefinement LoopInputFormula falseinAssignmentSubstitutionsi0=0,i1=0v0=0, v1=1…Conversion to SATBoolean SAT SolverResult35How STP WorksAbstraction-refinement for Array-readsAbstracted InputArray Axioms DroppedInputRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000(i0,i1)v0=0v1=1…vn=10,000’ (i0,i1)Refinement LoopVijay GaneshWednesday, 16 January, 13SimplificationsLinear SolvingArray Abstraction(i0=i1)!v0=v1Add Axiom thatis FalsifiedSubstitutionsi0=0,i1=0v0=0, v1=1…Conversion to SATBoolean SAT SolverResult36How STP WorksAbstraction-refinement for Array-readsInputRead(A,i0)=0Read(A,i1)=1…Read(A,in)=10,000(i0,i1)SubstitutionsSimplificationsLinear SolvingArray AbstractionRefinement LoopConversion to SATBoolean SAT SolverUNSATVijay GaneshWednesday, 16 January, 1337STP vs.

Other SolversTestcase (Formula Size)Result610dd9c(~15K)SATGrep65(~60K)Grep84Z3(sec)Yices(sec)STP(sec)TimeOut MemOut37UNSAT0.3 TimeOut4(~69K)SAT176 TimeOut18Grep106(~69K)SAT130 TimeOut227Blaster4(~262K)UNSATMemOut MemOut10Testcase20 (~1.2M)SATMemOut MemOut56Testcase21 (~1.2M)SATMemOut MemOut43* All experiments on 3.2 GHz, 512 Kb cache* MemOut: 3.2 GB (Memory used by STP much smaller), TimeOut: 1800 seconds* Examples obtained from Dawn Song at Berkeley, David Molnar at Berkeley and Dawson Engler at Stanford* Experiments conducted in 2007Vijay GaneshWednesday, 16 January, 1338STP vs.

Other Leading SolversSTP vs. Boolector & MathSAT on 615 SMTCOMP 2007 - 2010 examplesTime in Seconds40003000200010000BoolectorMSATSTP* All experiments on 2.4 GHz, 1 GB RAM* Timeout: 500 seconds/exampleVijay GaneshWednesday, 16 January, 1339Impact of STP• Enabled existing SE technologies to scale• Bounded model checkers, e.g., Chang and Dill• Easier to engineer SE technologies• Formal tools (ACL2+STP) for verifying Crypto, Smith & Dill• Enabled new SE technologies• Concolic testing (EXE,Klee,...) by Engler et al., Binary Analysis by Song et al.Vijay GaneshWednesday, 16 January, 1340Impact of STP: Notable Projects• Enabled Concolic Testing• 100+ reliability and security projectsCategoryResearch ProjectProject Leader/InstitutionFormal MethodsACL2 Theorem Prover + STPVerification-aware Design CheckerJava PathFinder Model CheckerEric Smith & David Dill/StanfordJacob Chang & David Dill/StanfordMehlitz & Pasareanu/NASAProgram AnalysisBitBlaze & WebBlazeBAPDawn Song et al./BerkeleyDavid Brumley/CMUAutomatic TestingSecurityKlee, EXESmartFuzzKudzuEngler & Cadar/StanfordMolnar & Wagner/BerkeleySaxena & Song/BerkeleyHardware BoundedBlue-spec BMCModel-cheking (BMC) BMCVijay GaneshWednesday, 16 January, 13Katelman & Dave/MITHaimed/NVIDIA41Impact of STPhttp://www.metafuzz.comProgram NameLines of Number ofTeamCodeBugs FoundMplayer~900,000 HundredsDavid Molnar/Berkeley & MicrosoftResearchEvince~90,000HundredsDavid Molnar/Berkeley & MicrosoftResearchUnix Utilities1000sDozensDawson Engler et al./StanfordCrypto HashImplementations1000sVerifiedEric Smith & David Dill/StanfordVijay GaneshWednesday, 16 January, 1342Rest of the Talk• STP Bit-vector and Array Solver• Why Bit-vectors and Arrays?• How does STP scale: Abstraction-refinement• Impact: Concolic testing• Experimental Results• HAMPI String Solver• Why Strings?• How does HAMPI scale: Bounding• Impact: String-based program analysis• Experimental Results• Future Work• Multicore SAT• SAT-based LanguagesVijay GaneshWednesday, 16 January, 1343HAMPI String SolverStringExpressionsSATHAMPI Solver• X = concat(“SELECT...”,v) AND (X• JavaScript and PHP Expressions• Web applications, SQL queries• NP-completeVijay GaneshWednesday, 16 January, 13UNSAT∈ SQL_grammar)44Theory of StringsThe Hampi LanguagePHP/JavaScript/C++...HAMPI: Theory of StringsNotesVar a;$a = ‘name’Var a : 1...20;a = ‘name’Bounded String VariablesString Constantsstring_expr.” is ”concat(string_expr, “ is “);Concat Functionsubstr(string_expr,1,3)string_expr[1:3]Extract Functionassignments/strcmpa = string_expr;a /= string_expr;equalitya = string_expr;a /= string_expr;Equality PredicateSanity check in regular expression RESanity check in context-free grammar CFGstring_expr in REstring_expr in SQLstring_expr NOT in SQLMembership Predicatestring_expr contains a sub_strstring_expr does not contain a sub_strstring_expr contains sub_strstring_expr NOT?contains sub_strContains Predicate(Substring Predicate)Vijay GaneshWednesday, 16 January, 1345Theory of StringsThe Hampi Language•X = concat(“SELECT msg FROM msgs WHERE topicid = ”,v)AND(X ∈ SQL_Grammar)•input ∈ RegExp([0-9]+)•X = concat (str_term1, str_term2, “c”)[1:42]ANDX contains “abc”Vijay GaneshWednesday, 16 January, 1346HAMPI Solver Motivating ExampleSQL Injection VulnerabilitiesBuggyScriptMalicious SQL QueryUnauthorizedDatabase ResultsBackendDataBaseSELECT m FROM messages WHERE id=’1’ OR 1 = 1Vijay GaneshWednesday, 16 January, 1347HAMPI Solver Motivating ExampleSQL Injection VulnerabilitiesSource: IBM Internet Security Systems, 2009Source: Fatbardh Veseli, Gjovik University College, NorwayVijay GaneshWednesday, 16 January, 1348HAMPI Solver Motivating ExampleSQL Injection VulnerabilitiesBuggy Scriptif (input in regexp(“[0-9]+”))query := “SELECT m FROM messages WHERE id=‘ ” + input + “ ’ “)• input passes validation (regular expression check)• query is syntactically-valid SQL• query can potentially contain an attack substring(e.g., 1’ OR ‘1’ = ‘1)Vijay GaneshWednesday, 16 January, 1349HAMPI Solver Motivating ExampleSQL Injection VulnerabilitiesShould be: “^[0-9]+$”Buggy Scriptif (input in regexp(“[0-9]+”))query := “SELECT m FROM messages WHERE id=‘ ” + input + “ ’ “)• input passes validation (regular expression check)• query is syntactically-valid SQL• query can potentially contain an attack substring(e.g., 1’ OR ‘1’ = ‘1)Vijay GaneshWednesday, 16 January, 1349HAMPI Solver Motivating ExampleSQL Injection Vulnerabilitiesif (input in regexp(“[0-9]+”))query := “SELECT m FROM messages WHERE id=‘ ” + input + “ ’ “)SpecificationString FormulasProgram Reasoning ToolHAMPISAT/UNSATGenerate Tests/Report VulnerabilityVijay GaneshWednesday, 16 January, 1350Rest of the Talk• HAMPI Logic: A Theory of Strings• Motivating Example: HAMPI-based Vulnerability Detection App• How HAMPI works• Experimental Results• Related Work: Theory and Practice• HAMPI 2.0• SMTization: Future of StringsVijay GaneshWednesday, 16 January, 1351Expressing the Problem in HAMPISQL Injection VulnerabilitiesInput StringVar v : 12;cfg SqlSmall := "SELECT ” [a-z]+ " FROM ” [a-z]+ " WHERE " Cond;SQLGrammarcfg Cond := Val "=" Val | Cond " OR " Cond;cfg Val := [a-z]+ | "'” [a-z0-9]* "'" | [0-9]+;SQL Queryval q := concat("SELECT msg FROM messages WHERE topicid='", v, "'");assert v in [0-9]+;SQLI attackconditionsVijay GaneshWednesday, 16 January, 13“q is a valid SQL query”assert q in SqlSmall;assert q contains "OR ‘1'=‘1'";“q contains an attack vector”52Hampi Key Conceptual IdeaBounding, expressiveness and efficiencyLiComplexity of∅ = L1 ∩ ...

Поделитесь ссылкой:

Ставлю 10/10
Все нравится, очень удобный сайт, помогает в учебе. Кроме этого, можно заработать самому, выставляя готовые учебные материалы на продажу здесь. Рейтинги и отзывы на преподавателей очень помогают сориентироваться в начале нового семестра. Спасибо за такую функцию. Ставлю максимальную оценку.

Лучшая платформа для успешной сдачи сессии
Познакомился со СтудИзбой благодаря своему другу, очень нравится интерфейс, количество доступных файлов, цена, в общем, все прекрасно. Даже сам продаю какие-то свои работы.

Студизба ван лав ❤
Очень офигенный сайт для студентов. Много полезных учебных материалов. Пользуюсь студизбой с октября 2021 года. Серьёзных нареканий нет. Хотелось бы, что бы ввели подписочную модель и сделали материалы дешевле 300 рублей в рамках подписки бесплатными.

Отличный сайт
Лично меня всё устраивает - и покупка, и продажа; и цены, и возможность предпросмотра куска файла, и обилие бесплатных файлов (в подборках по авторам, читай, ВУЗам и факультетам). Есть определённые баги, но всё решаемо, да и администраторы реагируют в течение суток.

Маленький отзыв о большом помощнике!
Студизба спасает в те моменты, когда сроки горят, а работ накопилось достаточно. Довольно удобный сайт с простой навигацией и огромным количеством материалов.

Студ. Изба как крупнейший сборник работ для студентов
Тут дофига бывает всего полезного. Печально, что бывают предметы по которым даже одного бесплатного решения нет, но это скорее вопрос к студентам. В остальном всё здорово.

Спасательный островок
Если уже не успеваешь разобраться или застрял на каком-то задание поможет тебе быстро и недорого решить твою проблему.

Всё и так отлично
Всё очень удобно. Особенно круто, что есть система бонусов и можно выводить остатки денег. Очень много качественных бесплатных файлов.

Отзыв о системе "Студизба"
Отличная платформа для распространения работ, востребованных студентами. Хорошо налаженная и качественная работа сайта, огромная база заданий и аудитория.

Отличный помощник
Отличный сайт с кучей полезных файлов, позволяющий найти много методичек / учебников / отзывов о вузах и преподователях.

Отлично помогает студентам в любой момент для решения трудных и незамедлительных задач
Хотелось бы больше конкретной информации о преподавателях. А так в принципе хороший сайт, всегда им пользуюсь и ни разу не было желания прекратить. Хороший сайт для помощи студентам, удобный и приятный интерфейс. Из недостатков можно выделить только отсутствия небольшого количества файлов.

Спасибо за шикарный сайт
Великолепный сайт на котором студент за не большие деньги может найти помощь с дз, проектами курсовыми, лабораторными, а также узнать отзывы на преподавателей и бесплатно скачать пособия.