HAMPI: A Solver for String Constraints
2009
Cited by 102 (21 self)
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of off-the-shelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive off-the-shelf solvers for string constraints generated by analysis techniques for string-manipulating programs. We designed and implemented Hampi, a solver for string constraints over fixed-size string variables. Hampi constraints express membership in regular languages and fixed-size context-free languages. Hampi constraints may contain context-free-language definitions, regular-language definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable. Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi's source code, documentation, and the experimental data are available at
Creating Vulnerability Signatures Using Weakest PreConditions
Proc. 20th IEEE Computer Security Foundations Symp. (CSF), 2007
Cited by 49 (17 self)
Signature-based tools such as network intrusion detection systems are widely used to protect critical systems. Automatic signature generation techniques are needed to enable these tools due to the speed at which new vulnerabilities are discovered. In particular, we need automatic techniques which generate sound signatures — signatures which will not mistakenly block legitimate traffic or raise false alarms. In addition, we need signatures to have few false negatives and to catch many different exploit variants. We investigate new techniques for automatically generating sound vulnerability signatures with fewer false negatives than previous research using program binary analysis. The key problem to reducing false negatives is to consider as many as possible different program paths an exploit may take. Previous work considered each possible program path an exploit may take separately, thus generating signatures that are exponential in the size of the number of branches considered. In the exact same scenario, we show how to reduce the overall signature size and the generation time from exponential to polynomial. We do this without requiring any additional assumptions, or relaxing any properties. This efficiency gain allows us to consider many more program paths, which results in reducing the false negatives of generated signatures. We achieve these results by creating algorithms for generating vulnerability signatures that are based on computing weakest preconditions (WP). The weakest precondition for a program path to a vulnerability is a function which matches all exploits that may exploit the vulnerability along that path. We have implemented our techniques and generated signatures for several binary programs. Our results demonstrate that our WP-based algorithm generates more succinct signatures than previous approaches which were based on forward symbolic execution.
FRAIGs: A unifying representation for logic synthesis and verification
2005
Cited by 48 (13 self)
AND-INV graphs (AIGs) are Boolean networks composed of two-input AND-gates and inverters. In the known applications, such as equivalence checking and technology mapping, AIGs are used to represent and manipulate Boolean functions. AIGs powered by simulation and Boolean satisfiability lead to functionally reduced AIGs (FRAIGs), which are “semi-canonical” in the sense that each FRAIG node has unique functionality among all the nodes currently present in the FRAIG. The paper shows that FRAIGs can be used to unify and enhance many phases of logic synthesis: from the representation of the original and the intermediate netlists derived by logic optimization, through technology mapping over multiple logic structures, to combinational equivalence checking. Experimental results on large public benchmarks confirm the practicality of using FRAIGs throughout the logic synthesis flow.
Policy analysis for administrative role based access control
In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), 2006
Cited by 41 (5 self)
Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organization's RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in Artificial Intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of ARBAC policies, defined by simple restrictions on the policy language.
Bounded synthesis
2007
Cited by 41 (9 self)
The bounded synthesis problem is to construct an implementation that satisfies a given temporal specification and a given bound on the number of states. We present a solution to the bounded synthesis problem for linear-time temporal logic (LTL), based on a novel emptiness-preserving translation from LTL to safety tree automata. For distributed architectures, where standard unbounded synthesis is in general undecidable, we show that bounded synthesis can be reduced to a SAT problem. As a result, we obtain an effective algorithm for the bounded synthesis from LTL specifications in arbitrary architectures. By iteratively increasing the bound, our construction can also be used as a semi-decision procedure for the unbounded synthesis problem.
Linear encodings of bounded LTL model checking
Logical Methods in Computer Science, 2(5):1–64, 2006
Cited by 27 (3 self)
We consider the problem of bounded model checking (BMC) for linear temporal logic (LTL). We present several efficient encodings that have size linear in the bound. Furthermore, we show how the encodings can be extended to LTL with past operators (PLTL). The generalised encoding is still of linear size, but cannot detect minimal length counterexamples. By using the virtual unrolling technique minimal length counterexamples can be captured; however, the size of the encoding is quadratic in the specification. We also extend virtual unrolling to Büchi automata, enabling them to accept minimal length counterexamples. Our BMC encodings can be made incremental in order to benefit from incremental SAT technology. With fairly small modifications the incremental encoding can be further enhanced with a termination check, allowing us to prove properties with BMC. An analysis of the liveness-to-safety transformation reveals many similarities to the BMC encodings in this paper. We conduct experiments to determine the advantage of employing dedicated BMC encodings for PLTL over combining more general but potentially less efficient approaches with BMC: the liveness-to-safety transformation with invariant checking and Büchi automata with fair cycle detection.
Mixed abstractions for floatingpoint arithmetic
In FMCAD, 2009
Cited by 26 (7 self)
Floating-point arithmetic is essential for many embedded and safety-critical systems, such as in the avionics industry. Inaccuracies in floating-point calculations can cause subtle changes of the control flow, potentially leading to disastrous errors. In this paper, we present a simple and general, yet powerful framework for building abstractions from formulas, and instantiate this framework to a bit-accurate, sound and complete decision procedure for IEEE-compliant binary floating-point arithmetic. Our procedure benefits in practice from its ability to flexibly harness both over- and under-approximations in the abstraction process. We demonstrate the potency of the procedure for the formal analysis of floating-point software.
Largescale directed model checking LTL
In Model Checking Software (SPIN), 2006
Cited by 25 (8 self)
To analyze larger models for explicit-state model checking, directed model checking applies error-guided search, external model checking uses secondary storage media, and distributed model checking exploits parallel exploration on multiple processors. In this paper we propose an external, distributed and directed on-the-fly model checking algorithm to check general LTL properties in the model checker SPIN. Previous attempts were restricted to checking safety properties. The worst-case I/O complexity is bounded by O(sort(FR)/p + l · scan(FS)), where S and R are the sets of visited states and transitions in the synchronized product of the Büchi automata for the model and the property specification, F is the number of accepting states, l is the length of the shortest counterexample, and p is the number of processors. The algorithm we propose returns minimal lasso-shaped counterexamples and includes refinements for property-driven exploration.
Model Checking a Path (Preliminary Report)
In 14th Int. Conf. Concurrency Theory, Lecture Notes in Computer Science 2761, 2003
Cited by 24 (1 self)
We consider the problem of checking whether a finite (or ultimately periodic) run satisfies a temporal logic formula. This problem is at the heart of “runtime verification” but it also appears in many other situations. By considering several extended temporal logics, we show that the problem of model checking a path can usually be solved efficiently, and profit from specialized algorithms. We further show it is possible to efficiently check paths given in compressed form.
The Essentials of the SAT 2003 Competition
In Theory and Applications of Satisfiability Testing, 2004
Cited by 23 (2 self)
SAT 2002 competition, it was not clear that significant progress could be made in the area in such a little time. The competition was a success – 34 solvers and 993 benchmarks, needing 522 CPU days – with a number of brand new solvers. Several 2003 competitors were even able to solve within 15mn benchmarks that remained unsolved within 6 hours by 2002 competitors. We report here the essential results of the competition, interpret and statistically analyse them, and at last provide some suggestions for the future competitions.