Results 1 - 10
of
165
HAMPI: A Solver for String Constraints
, 2009
"... Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of off-the-shelf ..."
Abstract
-
Cited by 101 (19 self)
- Add to MetaCart
(Show Context)
Many automatic testing, analysis, and verification techniques for programs can be effectively reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable tools. The increasing efficiency of off-the-shelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive off-the-shelf solvers for string constraints generated by analysis techniques for string-manipulating programs. We designed and implemented Hampi, a solver for string constraints over fixed-size string variables. Hampi constraints express membership in regular languages and fixed-size context-free languages. Hampi constraints may contain context-free-language definitions, regular-language definitions and operations, and the membership predicate. Given a set of constraints, Hampi outputs a string that satisfies all the constraints, or reports that the constraints are unsatisfiable. Hampi is expressive and efficient, and can be successfully applied to testing and analysis of real programs. Our experiments use Hampi in: static and dynamic analyses for finding SQL injection vulnerabilities in Web applications; automated bug finding in C programs using systematic testing; and compare Hampi with another string solver. Hampi’s source code, documentation, and the experimental data are available at
Creating Vulnerability Signatures Using Weakest Pre-Conditions
- Proc. 20th IEEE Computer Security Foundations Symp. (CSF
, 2007
"... Signature-based tools such as network intrusion detec-tion systems are widely used to protect critical systems. Au-tomatic signature generation techniques are needed to en-able these tools due to the speed at which new vulnera-bilities are discovered. In particular, we need automatic techniques whic ..."
Abstract
-
Cited by 49 (16 self)
- Add to MetaCart
(Show Context)
Signature-based tools such as network intrusion detec-tion systems are widely used to protect critical systems. Au-tomatic signature generation techniques are needed to en-able these tools due to the speed at which new vulnera-bilities are discovered. In particular, we need automatic techniques which generate sound signatures — signatures which will not mistakenly block legitimate traffic or raise false alarms. In addition, we need signatures to have few false negatives and will catch many different exploit vari-ants. We investigate new techniques for automatically gener-ating sound vulnerability signatures with fewer false nega-tives than previous research using program binary analysis. The key problem to reducing false negatives is to consider as many as possible different program paths an exploit may take. Previous work considered each possible program path an exploit may take separately, thus generating signatures that are exponential in the size of the number of branches considered. In the exact same scenario, we show how to reduce the overall signature size and the generation time from exponential to polynomial. We do this without requir-ing any additional assumptions, or relaxing any properties. This efficiency gain allows us to consider many more pro-gram paths, which results in reducing the false negatives of generated signatures. We achieve these results by creat-ing algorithms for generating vulnerability signatures that are based on computing weakest preconditions (WP). The weakest precondition for a program path to a vulnerability is a function which matches all exploits that may exploit the vulnerability along that path. We have implemented our techniques and generated sig-natures for several binary programs. Our results demon-strate that our WP-based algorithm generates more suc-cinct signatures than previous approaches which were based on forward symbolic execution. 1
FRAIGs: A unifying representation for logic synthesis and verification
, 2005
"... AND-INV graphs (AIGs) are Boolean networks composed of twoinput AND-gates and inverters. In the known applications, such as equivalence checking and technology mapping, AIGs are used to represent and manipulate Boolean functions. AIGs powered by simulation and Boolean satisfiability lead to function ..."
Abstract
-
Cited by 48 (13 self)
- Add to MetaCart
(Show Context)
AND-INV graphs (AIGs) are Boolean networks composed of twoinput AND-gates and inverters. In the known applications, such as equivalence checking and technology mapping, AIGs are used to represent and manipulate Boolean functions. AIGs powered by simulation and Boolean satisfiability lead to functionally reduced AIGs (FRAIGs), which are “semi-canonical ” in the sense that each FRAIG node has unique functionality among all the nodes currently present in the FRAIG. The paper shows that FRAIGs can be used to unify and enhance many phases of logic synthesis: from the representation of the original and the intermediate netlists derived by logic optimization, through technology mapping over multiple logic structures, to combinational equivalence checking. Experimental results on large public benchmarks confirm the practicality of using FRAIGs throughout the logic synthesis flow. 1
Policy analysis for administrative role based access control
- In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW
, 2006
"... Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an ..."
Abstract
-
Cited by 43 (5 self)
- Add to MetaCart
Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organization’s RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in Artificial Intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of AR-BAC policies, defined by simple restrictions on the policy language. 1.
Bounded synthesis
, 2007
"... The bounded synthesis problem is to construct an implementation that satisfies a given temporal specification and a given bound on the number of states. We present a solution to the bounded synthesis problem for linear-time temporal logic (LTL), based on a novel emptiness-preserving translation from ..."
Abstract
-
Cited by 41 (9 self)
- Add to MetaCart
(Show Context)
The bounded synthesis problem is to construct an implementation that satisfies a given temporal specification and a given bound on the number of states. We present a solution to the bounded synthesis problem for linear-time temporal logic (LTL), based on a novel emptiness-preserving translation from LTL to safety tree automata. For distributed architectures, where standard unbounded synthesis is in gen-eral undecidable, we show that bounded synthesis can be reduced to a SAT problem. As a result, we obtain an effective algorithm for the bounded synthesis from LTL specifications in arbitrary architectures. By iteratively increasing the bound, our construction can also be used as a semi-decision procedure for the unbounded synthesis problem.
Linear encodings of bounded LTL model checking
- Logical Methods in Computer Science, 2(5):1–64, 2006. Matteo Pradella, Angelo Morzenti, and Pierluigi San Pietro
"... ABSTRACT. We consider the problem of bounded model checking (BMC) for linear temporal logic (LTL). We present several efficient encodings that have size linear in the bound. Furthermore, we show how the encodings can be extended to LTL with past operators (PLTL). The generalised encoding is still of ..."
Abstract
-
Cited by 28 (4 self)
- Add to MetaCart
ABSTRACT. We consider the problem of bounded model checking (BMC) for linear temporal logic (LTL). We present several efficient encodings that have size linear in the bound. Furthermore, we show how the encodings can be extended to LTL with past operators (PLTL). The generalised encoding is still of linear size, but cannot detect minimal length counterexamples. By using the virtual unrolling technique minimal length counterexamples can be captured, however, the size of the encoding is quadratic in the specification. We also extend virtual unrolling to Büchi automata, enabling them to accept minimal length counterexamples. Our BMC encodings can be made incremental in order to benefit from incremental SAT technology. With fairly small modifications the incremental encoding can be further enhanced with a termination check, allowing us to prove properties with BMC. An analysis of the liveness-to-safety transformation reveals many similarities to the BMC encodings in this paper. We conduct experiments to determine the advantage of employing dedicated BMC encodings for PLTL over combining more general but potentially less efficient approaches with BMC: the liveness-to-safety transformation with invariant checking and Büchi automata with fair cycle detection.
Mixed abstractions for floatingpoint arithmetic
- In FMCAD
, 2009
"... Abstract—Floating-point arithmetic is essential for many embedded and safety-critical systems, such as in the avionics industry. Inaccuracies in floating-point calculations can cause subtle changes of the control flow, potentially leading to disastrous errors. In this paper, we present a simple and ..."
Abstract
-
Cited by 26 (7 self)
- Add to MetaCart
Abstract—Floating-point arithmetic is essential for many embedded and safety-critical systems, such as in the avionics industry. Inaccuracies in floating-point calculations can cause subtle changes of the control flow, potentially leading to disastrous errors. In this paper, we present a simple and general, yet powerful framework for building abstractions from formulas, and instantiate this framework to a bit-accurate, sound and complete decision procedure for IEEE-compliant binary floatingpoint arithmetic. Our procedure benefits in practice from its ability to flexibly harness both over- and underapproximations in the abstraction process. We demonstrate the potency of the procedure for the formal analysis of floating-point software. I.
Large-scale directed model checking LTL
- In Model Checking Software (SPIN
, 2006
"... Abstract. To analyze larger models for explicit-state model checking, directed model checking applies error-guided search, external model checking uses secondary storage media, and distributed model checking exploits parallel exploration on multiple processors. In this paper we propose an external, ..."
Abstract
-
Cited by 25 (8 self)
- Add to MetaCart
(Show Context)
Abstract. To analyze larger models for explicit-state model checking, directed model checking applies error-guided search, external model checking uses secondary storage media, and distributed model checking exploits parallel exploration on multiple processors. In this paper we propose an external, distributed and directed on-the-fly model checking algorithm to check general LTL properties in the model checker SPIN. Previous attempts restricted to checking safety properties. The worst-case I/O complexity is bounded by O(sort(|F||R|)/p + l · scan(|F||S|)), where S and R are the sets of visited states and transitions in the synchronized product of the Büchi automata for the model and the property specification, F is the number of accepting states, l is the length of the shortest counterexample, and p is the number of processors. The algorithm we propose returns minimal lasso-shaped counterexamples and includes refinements for property-driven exploration. 1
Model Checking a Path (Preliminary Report
- In 14th Int. Conf. Concurrency Theory, Lecture Notes in Computer Science 2761
, 2003
"... Abstract. We consider the problem of checking whether a finite (or ultimately periodic) run satisfies a temporal logic formula. This problem is at the heart of “runtime verification ” but it also appears in many other situations. By considering several extended temporal logics, we show that the prob ..."
Abstract
-
Cited by 23 (1 self)
- Add to MetaCart
Abstract. We consider the problem of checking whether a finite (or ultimately periodic) run satisfies a temporal logic formula. This problem is at the heart of “runtime verification ” but it also appears in many other situations. By considering several extended temporal logics, we show that the problem of model checking a path can usually be solved efficiently, and profit from specialized algorithms. We further show it is possible to efficiently check paths given in compressed form. 1
The Essentials of the SAT 2003 Competition
- In Theory and Applications of Satisfiability Testing
, 2004
"... SAT 2002 competition, it was not clear that significant progress could be made in the area in such a little time. The competition was a suc-cess – 34 solvers and 993 benchmarks, needing 522 CPU days – with a number of brand new solvers. Several 2003 competitors were even able to solve within 15mn be ..."
Abstract
-
Cited by 23 (2 self)
- Add to MetaCart
(Show Context)
SAT 2002 competition, it was not clear that significant progress could be made in the area in such a little time. The competition was a suc-cess – 34 solvers and 993 benchmarks, needing 522 CPU days – with a number of brand new solvers. Several 2003 competitors were even able to solve within 15mn benchmarks remained unsolved within 6 hours by 2002 competitors. We report here the essential results of the competi-tion, interpret and statistically analyse them, and at last provide some suggestions for the future competitions. 1
