Program Analysis and Testing using Satisfiability Modulo Theories Yandex 2 October 2012, Moscow Nikolaj Bjørner Senior Researcher Microsoft Research.


Program Analysis and Testing
using Satisfiability Modulo Theories
Yandex
2 October 2012, Moscow
Nikolaj Bjørner
Senior Researcher
Microsoft Research
1
Agenda
Context: Software Engineering Research @ Microsoft
Application: Fuzzing and Test Case Generation
Application: Program Verification & Bit precise Analysis
Application: String analysis - Formal Language Theory for Security
Technology: Z3 – An Efficient SMT Solver - Basics and Research
Propaganda: Software Engineering Research Tools
2
Context
Team: Z3 – An Efficient SMT Solver
3
Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger
Context
Group
Research in Software Engineering
Improve Software Development Productivity
4
Context
Organization Microsoft Research
5
Context
Microsoft Research Labs
[Org chart of the company; labels on the figure: Research: 1%; R&D; Sales, Support, Marketing; ~40000; ~50000; Company]
6
Application: Fuzzing and Testing
Fuzzing and Test Case Generation
Dr. Strangelove?
SAGE
Internal. For Security Fuzzing
Runs on x86 instructions
Bug: ***433
“2/29/2012 3:41 PM Edited by *****
SubStatus -> Local Fix
I think the fuzzers are starting to become sentient. We must crush them before it is too late.
In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen……] …..
And if this fuzzer asks for the nuclear launch codes, don’t tell it what they are …”
Pex
External. For Developers
Runs on .NET code
Try it on: http://pex4fun.com
Finding security bugs before the black hat hackers
7
Application: Fuzzing and Testing
SAGE by numbers
100s CPU-years - largest dedicated fuzz lab in the world
100s apps - fuzzed using SAGE
100s previously unknown bugs found
Billion+ computers updated with bug fixes
Millions of $ saved for Users and Microsoft
10s of related tools (incl. Pex), 100s DART citations
3+ Billion constraints - largest usage for any SMT solver
8
Adapted from [Patrice Godefroid, ISSTA 2010]
Application: Fuzzing and Testing
Test case generation
Program:
  unsigned GCD(x, y) {
    requires(y > 0);
    while (true) {
      unsigned m = x % y;
      if (m == 0) return y;
      x = y;
      y = m;
    }
  }
We want a trace where the loop is executed twice.
SSA path condition:
  (y0 > 0) and
  (m0 = x0 % y0) and
  not (m0 = 0) and
  (x1 = y0) and
  (y1 = m0) and
  (m1 = x1 % y1) and
  (m1 = 0)
Solver:
  x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0
9
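An added example (not from the slides): the SSA path condition above written as a Python check, solved by bounded enumeration in place of Z3, and cross-checked against the concrete GCD loop. The search bound and the function names are my own assumptions.

```python
# Added example, not from the slides: "loop body executed exactly twice" as the
# slide's SSA constraints, found by bounded enumeration (a stand-in for the SMT
# solver) and validated by running the concrete program.  Bound is an assumption.

def gcd_iterations(x, y):
    """Run the slide's GCD loop; return (result, number of loop-body executions)."""
    if y <= 0:
        raise ValueError("requires(y > 0) violated")
    n = 0
    while True:
        n += 1
        m = x % y
        if m == 0:
            return y, n
        x, y = y, m

def path_condition(x0, y0):
    """The slide's SSA constraints: first iteration does not return (m0 != 0),
    second iteration returns (m1 == 0).  Returns the full assignment or None."""
    if not (y0 > 0):                 # (y0 > 0)
        return None
    m0 = x0 % y0                     # (m0 = x0 % y0)
    if m0 == 0:                      # not (m0 = 0)
        return None
    x1, y1 = y0, m0                  # (x1 = y0) and (y1 = m0)
    m1 = x1 % y1                     # (m1 = x1 % y1)
    if m1 != 0:                      # (m1 = 0)
        return None
    return {"x0": x0, "y0": y0, "m0": m0, "x1": x1, "y1": y1, "m1": m1}

def find_test_input(bound=16):
    """Smallest (x0, y0) with both values in [0, bound) satisfying the path condition."""
    for x0 in range(bound):
        for y0 in range(bound):
            model = path_condition(x0, y0)
            if model is not None:
                return model
    return None

if __name__ == "__main__":
    model = find_test_input()
    print("solver model:", model)
    # the model must actually drive the concrete loop through its body twice
    _, iters = gcd_iterations(model["x0"], model["y0"])
    print("loop body executed", iters, "times")
```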
Application: Fuzzing and Testing
Test Case Generation Procedure
[Diagram of the loop: seed Test Inputs; Run Test and Monitor records the Execution Path and its Path Condition; Known Paths are kept and an Unexplored path is chosen; its Constraint System is Solved, giving a New input that becomes the next Test Input]
10
Application: Scalable bit-precise analysis
What is wrong here?
Package: java.util.Arrays
Function: binary_search
  int binary_search(int[] arr, int low, int high, int key) {
    while (low <= high)
    {
      // Find middle value
      int mid = (low + high) / 2;
      int val = arr[mid];
      if (val == key) return mid;
      if (val < key) low = mid+1;
      else high = mid-1;
    }
    return -1;
  }
  (INT_MAX+1)/2 + (INT_MAX+1)/2 = INT_MIN
Book: Kernighan and Ritchie
Function: itoa (integer to ascii)
  void itoa(int n, char* s) {
    if (n < 0) {
      *s++ = '-';
      n = -n;
    }
    // Add digits to s
    ….
  }
  -INT_MIN = INT_MIN
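An added example (not from the slides): 32-bit two's-complement arithmetic modelled explicitly in Python, so the two overflows called out above can be reproduced and the usual repairs checked. The helper names (wrap32, c_div, mid_buggy, magnitude_u32) are my own.

```python
# Added example, not from the slides: bit-precise reasoning about the slide's two
# bugs, done with an explicit 32-bit wrap instead of Python's unbounded ints.

INT_MAX = 2**31 - 1
INT_MIN = -2**31

def wrap32(v):
    """Reduce an unbounded integer to its 32-bit two's-complement value."""
    return (v + 2**31) % 2**32 - 2**31

def c_div(a, b):
    """C-style division truncating toward zero (Python's // floors instead)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

def mid_buggy(low, high):
    """(low + high) / 2 in 32 bits: the sum wraps once low + high > INT_MAX,
    so mid becomes negative and arr[mid] indexes out of bounds."""
    return c_div(wrap32(low + high), 2)

def mid_fixed(low, high):
    """low + (high - low) / 2: for 0 <= low <= high both the subtraction and
    the addition stay inside [0, INT_MAX], so nothing wraps."""
    return wrap32(low + c_div(wrap32(high - low), 2))

def itoa_negate_buggy(n):
    """K&R itoa's 'n = -n' in 32 bits: -INT_MIN wraps back to INT_MIN, so the
    digit loop that follows still sees a negative number."""
    return wrap32(-n)

def magnitude_u32(n):
    """Repair: take the magnitude in unsigned 32-bit arithmetic, which can hold
    2**31 (the C idiom is -(unsigned)n)."""
    return (-n) & 0xFFFFFFFF if n < 0 else n

if __name__ == "__main__":
    print("(INT_MAX+1)/2 + (INT_MAX+1)/2 wraps to", wrap32(2**30 + 2**30))
    print("buggy mid:", mid_buggy(INT_MAX - 1, INT_MAX),
          "fixed mid:", mid_fixed(INT_MAX - 1, INT_MAX))
    print("-INT_MIN in 32 bits:", itoa_negate_buggy(INT_MIN),
          "magnitude via unsigned:", magnitude_u32(INT_MIN))
```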
Application: Scalable bit-precise analysis
Bit-precise analysis
[Figure: bit-vector operations illustrated on binary strings: Vector Segments; Concatenation; Extraction (e.g. [4:2]); Bit-wise operations (Bit-wise and); Modular arithmetic (Addition)]
Application: Verification
Hypervisor Verification (2007 – 2010) with
Partners:
• European Microsoft Innovation Center
• Microsoft Research
• Microsoft’s Windows Division
• Universität des Saarlandes
Hypervisor
Hardware
co-funded by the
German Ministry of Education and Research
http://www.verisoftxt.de
13
Application: Verification
Microsoft Verifying C Compiler
14
Application: Verification
SAT/SMT progress driven by applications:
VCC Performance Trends Nov 08 – Mar 09
[Chart: verification time on a log scale (0.1 to 1000) over Nov 08 – Mar 09, annotated with: Modification in invariant checking; Switch to Z3 v2; Z3 v2 update; Switch to Boogie2; Attempt to improve Boogie/Z3 interaction]
Application: Verification
Verification Attempt Time vs.
Satisfaction and Productivity
By Michal Moskal (VCC Designer and Software Verification Expert),
Language quiz: “loose” or “lose” ?
Application: Verification
The Importance of Speed
Application: Verification
Building Verve
[Diagram, columns: Source file / Verification tool / Compilation tool]
  Kernel.cs -> C# compiler -> Kernel.obj (x86)
  Nucleus.bpl (x86) -> Boogie/Z3 (Verified) -> Translator/Assembler
  TAL checker; Linker/ISO generator -> Verve.iso
  9 person-months
Safe to the Last Instruction / Jean Yang & Chris Hawblitzel, PLDI 2010
18
Application: String Analysis
Why string analysis? (motivating scenario)
Tomcat v. < 6.0.18
1) req = http://www.x.com/%c0%ae%c0%ae/%c0%ae%c0%ae/private/
   security check: req must not contain "../"
2) dir = utf8decode("%c0%ae%c0%ae/%c0%ae%c0%ae/private/") = "../../private/"
   access granted to "../../private/"
Analysis question: Does utf8decode reject overlong utf8-encodings such as "%C0%AE" for '.'?
Windows 2000 vulnerability: http://www.sans.org/security-resources/malwarefaq/wnt-unicode.php
Apache Tomcat vulnerability: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938
Application: String Analysis
Relativized Formal Language Theory
[Diagram: classical notions on the left, their symbolic counterparts modulo a theory on the right]
  regex matching:        Classical Word Acceptors (NFA, DFA)  ->  Symbolic Word Acceptors = Classical Word Acceptors modulo Th()
  string transformation: Classical Word Transducers (e.g. decoding automata, rational transductions)  ->  Symbolic Word Transducers = Classical Word Transducers modulo Th()
                         Classical I/O Automata (e.g. Mealy machine)
Application: String Analysis
Rex & Bek – Symbolic RegEx & Transducers
Margus Veanes
Application: String Analysis
Symbolic Finite Transducer (SFT)
• Classical transducer modulo a rich label theory
• Core Idea: represent labels with guarded transformation functions
– Separation of concerns: finite graph / theory of labels
Concrete transitions (1920 transitions from p to q):
  p -- ‘\x80’ / “\xC2\x80” --> q
  …
  p -- ‘\x7FF’ / “\xDF\xBF” --> q
Symbolic transition (one guarded transition from p to q):
  p -- guard: 80₁₆ ≤ x ≤ 7FF₁₆ / output: [C0₁₆ | x[10,6], 80₁₆ | x[5,0]] --> q
  (the output is built with bitvector operations)
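An added example (not from the slides) serving both the Tomcat scenario and the SFT slide above: the 2-byte UTF-8 transition written as a guarded Python function with the slide's bit operations, a decoder that rejects the overlong forms the analysis question asks about, and the "../" check in the order the scenario describes. The function names and the check's structure are my own; the byte sequence is the slide's.

```python
# Added example, not from the slides: UTF-8 2-byte encoding as the slide's
# guarded transformation, strict vs. lenient decoding, and the check ordering
# from the Tomcat scenario.  Names are my own; REQ is the slide's decoded path.

def utf8_encode_2byte(x):
    """The symbolic transition: guard 0x80 <= x <= 0x7FF, output
    [0xC0 | x[10:6], 0x80 | x[5:0]].  One function for 1920 concrete transitions."""
    if not 0x80 <= x <= 0x7FF:
        raise ValueError("guard failed: %#x is not a 2-byte code point" % x)
    return bytes([0xC0 | (x >> 6), 0x80 | (x & 0x3F)])

def utf8_decode(data, reject_overlong=True):
    """Decode 1- and 2-byte UTF-8.  A lead byte 0xC0 or 0xC1 can only yield a
    code point below 0x80, i.e. an overlong form of an ASCII character."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if reject_overlong and cp < 0x80:
                raise ValueError("overlong encoding at offset %d" % i)
            out.append(chr(cp)); i += 2
        else:
            raise ValueError("malformed or unsupported sequence at offset %d" % i)
    return "".join(out)

def percent_decode(s):
    """%XX escapes to raw bytes; everything else is taken as ASCII."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s):
            out.append(int(s[i + 1:i + 3], 16)); i += 3
        else:
            out.append(ord(s[i])); i += 1
    return bytes(out)

def resolve(req, strict):
    """The slide's order: the '../' check sees only the raw request and the
    decode happens afterwards, so only a strict decoder stops the traversal."""
    if "../" in req:
        return "rejected"
    try:
        return utf8_decode(percent_decode(req), reject_overlong=strict)
    except ValueError:
        return "rejected"

REQ = "%c0%ae%c0%ae/%c0%ae%c0%ae/private/"   # the argument to utf8decode on the slide
```
With `strict=False` the call `resolve(REQ, False)` yields "../../private/", the access the slide describes; with `strict=True` the overlong bytes are refused and the request is rejected.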
Technology
SMT: Satisfiability Modulo Theories
Is Formula F Satisfiable (over Theory of Reals)?
  x² + y² < 1 and xy > 0.1  ->  sat, x = 1/8, y = 7/8  (Solution/Model: a witness)
  x² + y² < 1 and xy > 1    ->  unsat, Proof
SAGE: Is execution path P feasible? Is assertion X violated?
23
Technology
SMT: Satisfiability Modulo Theories
  x + 2 = y ⇒ f(select(store(a, x, 3), y − 2)) = f(y − x + 1)
Theories involved: Arithmetic, Array Theory, Uninterpreted Functions
Array Theory axioms:
  select(store(a, i, v), i) = v
  i ≠ j ⇒ select(store(a, i, v), j) = select(a, j)
24
Technology
Job Shop Scheduling
[Figure: a scheduling problem with Machines, Tasks and Jobs; side illustrations: Laundry, P = NP?, ζ(s) = 0 ⇒ s = 1/2 + ir]
Technology
Job Shop Scheduling
Constraints:
  Precedence: between two tasks of the same job
  Resource: Machines execute at most one job at a time
    [start_{2,2} .. end_{2,2}] ∩ [start_{4,2} .. end_{4,2}] = ∅
Encoding:
  t_{2,3} - start time of job 2 on mach 3
  d_{2,3} - duration of job 2 on mach 3
  Precedence: t_{2,3} + d_{2,3} ≤ t_{2,4}
  Resource (not convex): t_{2,2} + d_{2,2} ≤ t_{4,2} ∨ t_{4,2} + d_{4,2} ≤ t_{2,2}
Solving: case split on each resource disjunction; every case is a conjunction of difference constraints.
Efficient solvers:
  - Floyd-Warshall algorithm
  - Ford-Fulkerson algorithm
An infeasible case shows up as a negative cycle: z − z = 5 – 2 – 3 – 2 = −2 < 0
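An added example (not from the slides): the job-shop encoding above solved the way the slide describes, case-splitting the resource disjunctions and checking each case of difference constraints for a negative cycle with Floyd-Warshall. The jobs, durations and deadline are constructed, and the function names are my own.

```python
# Added example, not from the slides: difference constraints x_j - x_i <= w as
# edges (i, j, w); node 0 is the zero node z.  Constructed instance at the end.
from itertools import product

def difference_solve(n, edges):
    """Floyd-Warshall.  Returns shortest distances from z (a satisfying
    assignment of the constraints) or None when a negative cycle exists."""
    INF = float("inf")
    d = [[0 if i == j else INF for j in range(n)] for i in range(n)]
    for i, j, w in edges:
        d[i][j] = min(d[i][j], w)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    if any(d[i][i] < 0 for i in range(n)):
        return None                   # e.g. z - z = -2 < 0 on the slide
    return d[0]

def job_shop(jobs, dur, deadline):
    """jobs: {job: [machines in order]}, dur: {(job, machine): length}."""
    tasks = [(j, m) for j in jobs for m in jobs[j]]
    idx = {t: k + 1 for k, t in enumerate(tasks)}           # variable t_{j,m}
    hard = []
    for t in tasks:
        hard.append((idx[t], 0, 0))                           # z - t <= 0: start >= 0
        hard.append((0, idx[t], deadline - dur[t]))          # t + d <= deadline
    for j, ms in jobs.items():
        for a, b in zip(ms, ms[1:]):                          # precedence: t_a + d_a <= t_b
            hard.append((idx[(j, b)], idx[(j, a)], -dur[(j, a)]))
    disjunctions = []                                         # resource: not convex
    for a in tasks:
        for b in tasks:
            if a < b and a[0] != b[0] and a[1] == b[1]:       # two jobs, one machine
                disjunctions.append([(idx[b], idx[a], -dur[a]),   # t_a + d_a <= t_b
                                     (idx[a], idx[b], -dur[b])])  # or t_b + d_b <= t_a
    for choice in product(*disjunctions):                     # the case split
        dist = difference_solve(len(tasks) + 1, hard + list(choice))
        if dist is not None:
            return {t: dist[idx[t]] for t in tasks}           # start times
    return None

# constructed instance: job 1 runs on m1 then m2, job 2 runs on m2 then m1
JOBS = {1: ["m1", "m2"], 2: ["m2", "m1"]}
DUR = {(1, "m1"): 2, (1, "m2"): 3, (2, "m2"): 2, (2, "m1"): 2}
```
`job_shop(JOBS, DUR, 5)` returns a schedule whose first case (both jobs ordered the same way on both machines) was discarded by a negative cycle; `job_shop(JOBS, DUR, 4)` returns None because job 1 alone needs 5 time units.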
Technology
Microsoft Tools using Z3
Z3 is used by many research groups
More than 19k downloads
Z3 places 1st in most categories in SMT competitions
SAGE: Z3 solved more than 3 billion constraints created by SAGE
HAVOC: Checking Win8 and Office
Azure Firewall Policies: Z3 used to check
Vigilante
Z3 ships in Windows Server with the Static Driver Verifier
30
Technology
Research Areas
Practical problems often have structure that can be exploited.
[Diagram of logics by difficulty, with Algorithms and Heuristics as the two axes]
  Undecidable (FOL + LIA)
  Semi-Decidable (FOL)
  Decidable Fragments:
    Essentially Uninterpreted Formulas
    NEXPTIME (EPR)
    Quantified Bit-Vector Logic
    PSPACE (QBF)
    NP (SAT)
    Generalized array theory
31
Logic is “The Calculus of Computer Science” Zohar Manna
Technology
Little Engines of Proof
Freely available from http://research.microsoft.com/projects/z3
32
Technology
Research around Z3
Decision Procedures
  Modular Difference Logic is Hard. TR 08, B, Blass, Gurevich, Musuvathi.
  Linear Functional Fixed-points. CAV 09, B & Hendrix.
  A Priori Reductions to Zero for Strategy-Independent Gröbner Bases. SYNASC 09, M & Passmore.
  Efficient, Generalized Array Decision Procedures. FMCAD 09, M & B.
  Quantifier Elimination as an Abstract Decision Procedure. IJCAR 10, B.
  Cutting to the Chase. CADE 11, Jovanović & M.
  Polynomials. IJCAR 12, Jovanović & M.
Combining Decision Procedures
  Model-based Theory Combination. SMT 07, M & B.
  Proofs, Refutations and Z3. IWIL 08, M & B.
  On Locally Minimal Nullstellensatz Proofs. SMT 09, M & Passmore.
  A Concurrent Portfolio Approach to SMT Solving. CAV 09, Wintersteiger, Hamadi & M.
  Conflict Directed Theory Resolution. Cambridge Univ. Press 12, M & B.
Quantifiers, quantifiers, quantifiers
  Efficient E-matching for SMT Solvers. CADE 07, M & B.
  Relevancy Propagation. TR 07, M & B.
  Deciding Effectively Propositional Logic using DPLL and substitution sets. IJCAR 08, M & B.
  Engineering DPLL(T) + saturation. IJCAR 08, M & B.
  Complete instantiation for quantified SMT formulas. CAV 09, Ge & M.
  On deciding satisfiability by DPLL(Γ + T) and unsound theorem proving. CADE 09, Bonacina, M & Lynch.
  Generalized PDR. SAT 12, Hoder & B.
Introductory Background Reading: September 2011
Technology
Mile High: Modern SAT/SMT search
[Diagram: literal assignments, Proofs, Conflict Clauses, Propagate, Backjump, Models]
Core Engine in Z3: Modern DPLL/CDCL
Technology
Abstract DPLL/CDCL as a transition system (F is a set of clauses, M the current partial assignment):
  Initialize:  ε | F
  Decide:      M | F ⟹ M, ℓ | F                         ℓ is unassigned
  Propagate:   M | F, C ∨ ℓ ⟹ M, ℓ^{C∨ℓ} | F, C ∨ ℓ     C is false under M
  Sat:         M | F ⟹ M                                 F true under M
  Conflict:    M | F, C ⟹ M | F, C | C                   C is false under M
  Learn:       M | F | C ⟹ M | F, C | C
  Unsat:       M | F | ∅ ⟹ Unsat
  Backjump:    M M′ | F | C ∨ ℓ ⟹ M ℓ^{C∨ℓ} | F          C ⊆ M, ¬ℓ ∈ M′
  Resolve:     M | F | C′ ∨ ¬ℓ ⟹ M | F | C′ ∨ C          ℓ^{C∨ℓ} ∈ M
  Forget:      M | F, C ⟹ M | F                          C is a learned clause
  Restart:     M | F ⟹ ε | F
[Nieuwenhuis, Oliveras, Tinelli J.ACM 06] customized
One SAT expert to another: “It took me a year to understand the Mini-SAT FUIP code”
Mate Soos to Niklas Sörensson over ice-cream at SAT 2012 in Trento
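An added example (not from the slides): the Decide, Propagate, Conflict and Sat rules above as a small Python DPLL over clauses given as lists of signed integers. Backtracking here is chronological, the simplest instance of Backjump, and no clauses are learned; the function names and the sample formula are my own.

```python
# Added example, not from the slides: a minimal DPLL following the abstract
# rules.  Literals are non-zero ints (-3 means "not x3"); M is a dict var -> bool.

def literal_value(lit, model):
    """True/False under M, or None when the literal's variable is unassigned."""
    v = model.get(abs(lit))
    return None if v is None else (v if lit > 0 else not v)

def clause_status(clause, model):
    """('true', None), ('false', None), ('unit', lit) or ('open', None)."""
    unassigned = []
    for lit in clause:
        val = literal_value(lit, model)
        if val is True:
            return "true", None
        if val is None:
            unassigned.append(lit)
    if not unassigned:
        return "false", None
    if len(unassigned) == 1:
        return "unit", unassigned[0]
    return "open", None

def dpll(clauses, model=None):
    """Returns a satisfying assignment (dict) or None when the clauses are unsat."""
    model = dict(model or {})
    while True:                                  # Propagate, to a fixpoint
        changed = False
        for c in clauses:
            status, lit = clause_status(c, model)
            if status == "false":                # Conflict: C is false under M
                return None                      # chronological backtrack to the last Decide
            if status == "unit":                 # C ∨ ℓ with C false under M: assign ℓ
                model[abs(lit)] = lit > 0
                changed = True
        if not changed:
            break
    if all(clause_status(c, model)[0] == "true" for c in clauses):
        return model                             # Sat: F is true under M
    var = next(abs(l) for c in clauses for l in c if abs(l) not in model)
    for value in (True, False):                  # Decide on an unassigned variable
        result = dpll(clauses, {**model, var: value})
        if result is not None:
            return result
    return None                                  # both branches conflict

# constructed sample: (x1 ∨ x2) ∧ (¬x1 ∨ x2) ∧ (¬x2 ∨ x3) ∧ (¬x3 ∨ ¬x1)
SAMPLE = [[1, 2], [-1, 2], [-2, 3], [-3, -1]]
```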
Technology
Mile High: Modern SMT procedures
Proofs: a way to certify unsatisfiability
Models: values to satisfy the formula; a way to certify satisfiability
Conflict Lemmas: learn new facts that prune as many dead branches as possible
Propagate: move to an equisatisfiable state; efficient indexing for propagating consequences
Backjump: efficiently backtrack
Technology
Research: Solving Horn Clauses
  mc(x) = x-10          if x > 100
  mc(x) = mc(mc(x+11))  if x ≤ 100
  assert (x ≤ 101 → mc(x) = 91)
As Horn clauses:
  ∀X. X > 100 → mc(X, X − 10)
  ∀X, Y, R. X ≤ 100 ∧ mc(X + 11, Y) ∧ mc(Y, R) → mc(X, R)
  ∀X, R. mc(X, R) ∧ X ≤ 101 → R = 91
Solver finds solution for mc
Krystof Hoder & Nikolaj Bjørner, SAT 2012
38
Bjørner, McMillan, Rybalchenko, SMT 2012
Technology
Research: Solving ℝ Efficiently
A key idea: Use partial solution to guide the search
Constraints (Feasible Region):
  x³ + 2x² + 3y² − 5 < 0
  −4xy − 4x + y > 1
  x² + y² < 1
Starting search. Partial solution: x = 0.5
Can we extend it to y? What is the core?
39
Dejan Jovanović & Leonardo de Moura, IJCAR 2012
Propaganda
40
Propaganda
Core Expertise
Empirical
Software Engineering
Program Analysis:
Performance, Reliability,
Security
Foundations:
Logic
Programming Languages
Design & Implementation
41
http://rise4fun.com/z3py
42
Propaganda
Academic Interns
43
Summary
An outline of Z3 – an efficient SMT solver
Efficient logic solver for SE tools tackling intractable problems
http://research.microsoft.com/projects/z3
Software Engineering Research @ Microsoft
http://rise4fun.com
Academic internships
http://research.microsoft.com/en-us/jobs/intern
Contact
http://research.microsoft.com/~nbjorner
[email protected]
44