1 / 93

Modeling Data in Formal Verification Bits , Bit Vectors, or Words

Modeling Data in Formal Verification Bits , Bit Vectors, or Words. Karam AbdElkader Based on: Presentations form Randal E. Bryant - Carnegie Mellon University Decision Procedures An Algorithmic Point of View D.Kroening – Oxsoford Unversity , O.Strichman - Technion. Agenda.

gaurav
Télécharger la présentation

Modeling Data in Formal Verification Bits , Bit Vectors, or Words

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modeling Data in Formal VerificationBits, Bit Vectors, or Words • Karam AbdElkader • Based on: Presentations form • Randal E. Bryant - Carnegie Mellon University • Decision Procedures An Algorithmic Point of View D.Kroening – OxsofordUnversity, O.Strichman - Technion

  2. Agenda • Overview and Examples. • Introduction to Bit-Vector Logic • Syntax • Semantics • Decision procedures for Bit-Vector Logic • Flattening Bit-Vector Logic • Incremental Flattening • Bit-Vector Arithmetic With Abstraction 2

  3. Over View • Issue • How should data be modeled in formal analysis? • Verification, test generation, security analysis, … • Approaches • Bits: Every bit is represented individually • Basis for most CAD, model checking • Words: View each word as arbitrary value • E.g., unbounded integers • Historic program verification work • Bit Vectors: Finite precision words • Captures true semantics of hardware and software • More opportunities for abstraction than with bits

  4. Data Path Com. Log. 1 Com.Log. 2 Bit-Level Modeling Control Logic • Represent Every Bit of State Individually • Behavior expressed as Boolean next-state over current state • Historic method for most CAD, testing, and verification tools • E.g., model checkers

  5. Bit-Level Modeling in Practice • Strengths • Allows precise modeling of system • Well developed technology • BDDs & SAT for Boolean reasoning • Limitations • Every state bit introduces two Boolean variables • Current state & next state • Overly detailed modeling of system functions • Don’t want to capture full details of FPU • Making It Work • Use extensive abstraction to reduce bit count • Hard to abstract functionality

  6. x Word-Level Abstraction #1: Bits → Integers x0 • View Data as Symbolic Words • Arbitrary integers • No assumptions about size or encoding • Classic model for reasoning about software • Can store in memories & registers x1 x2 xn-1

  7. Data Path Data Path Com. Log. 1 Com. Log. 1 ? Com.Log. 2 Com. Log. 1 ? What do we do about logic functions? Abstracting Data Bits Control Logic

  8. ALU Word-Level Abstraction #2:Uninterpreted Functions • For any Block that Transforms or Evaluates Data: • Replace with generic, unspecified function • Only assumed property is functional consistency: a = x b = y f(a, b) = f(x, y) f

  9. F1 F2 Abstracting Functions Control Logic • For Any Block that Transforms Data: • Replace by uninterpreted function • Ignore detailed functionality • Conservative approximation of actual system Data Path Com. Log. 1 Com. Log. 1

  10. Word-Level Modeling: History • Historic • Used by theorem provers • More Recently • Burch & Dill, CAV ’94 • Verify that pipelined processor has same behavior as unpipelined reference model • Use word-level abstractions of data paths and memories • Use decision procedure to determine equivalence • Bryant, Lahiri, Seshia, CAV ’02 • UCLID verifier • Tool for describing & verifying systems at word level

  11. Pipeline Verification Example Pipelined Processor Reference Model

  12. Abstracted Pipeline Verification Pipelined Processor Reference Model

  13. Experience with Word-Level Modeling • Powerful Abstraction Tool • Allows focus on control of large-scale system • Can model systems with very large memories • Hard to Generate Abstract Model • Hand-generated: how to validate? • Automatic abstraction: limited success • Andraus & Sakallah, DAC 2004 • Realistic Features Break Abstraction • E.g., Set ALU function to A+0 to pass operand to output • Desire • Should be able to mix detailed bit-level representation with abstracted word-level representation

  14. Bit Vectors: Motivating Example #1 • Do these functions produce identical results? • Strategy • Represent and reason about bit-level program behavior • Specific to machine word size, integer representations, and operations int abs(int x) { int mask = x>>31; return (x ^ mask) + ~mask + 1; } int test_abs(int x) { return (x < 0) ? -x : x; }

  15. Motivating Example #2 void fun() { char fmt[16]; fgets(fmt, 16, stdin); fmt[15] = '\0'; printf(fmt); } • Is there an input string that causes value 234 to be written to address a4a3a2a1? • Answer • Yes: "a1a2a3a4%230g%n" • Depends on details of compilation • But no exploit for buffer size less than 8 • [Ganapathy, Seshia, Jha, Reps, Bryant, ICSE ’05]

  16. Motivating Example #3 bit[W] popSpec(bit[W] x) { int cnt = 0; for (int i=0; i<W; i++) { if (x[i]) cnt++; } return cnt; } bit[W] popSketch(bit[W] x) { loop (??) { x = (x&??) + ((x>>??)&??); } return x; } • Is there a way to expand the program sketch to make it match the spec? • Answer • W=16: • [Solar-Lezama, et al., ASPLOS ‘06] x = (x&0x5555) + ((x>>1)&0x5555); x = (x&0x3333) + ((x>>2)&0x3333); x = (x&0x0077) + ((x>>8)&0x0077); x = (x&0x000f) + ((x>>4)&0x000f);

  17. Motivating Example #4 Sequential Reference Model Pipelined Microprocessor • Is pipelined microprocessor identical to sequential reference model? • Strategy • Represent machine instructions, data, and state as bit vectors • Compatible with hardware description language representation • Verifier finds abstractions automatically

  18. Decision Procedures for System-Level Software • What kind of logic do we need for system-level software? • We need bit-vector logic - with bit-wise operators, arithmeticoverflow • We want to scale to large programs - must verify largeformulas

  19. Decision Procedures for System-Level Software • What kind of logic do we need for system-level software? • We need bit-vector logic - with bit-wise operators, arithmeticoverflow • We want to scale to large programs - must verify largeformulas • Examples of program analysis tools that generate bit-vectorformulas: • CBMC • SATABS • SATURN (Stanford, Alex Aiken) • EXE (Stanford, Dawson Engler, David Dill) • Variants of those developed at IBM, Microsoft

  20. Bit-Vector Logic: Syntax

  21. Bit-Vector Logic: Syntax formula : formula ∨ formula | ¬formula | atom atom : term rel term | Boolean-Identifier | term[ constant ] : = | < rel ∼ term | constant | term : term op term | identifier | atom?term:term | term[ constant : constant ] | ext ( term ) << | >> | & | | | ⊕ | ◦ op : +| − | · |/| ∼ x: bit-wise negation of x ext (x): sign- or zero-extension of xx << d: left shift with distance dx ◦ y: concatenation of x and y

  22. Semantics Danger! (x − y > 0) if and only if (x > y) Valid over R/N, but not over the bit-vectors. (Many compilers have this sort of bug)

  23. Width and Encoding The meaning depends on the width and encoding of thevariables. 7

  24. Width and Encoding The meaning depends on the width and encoding of thevariables. Typical encodings: Binary encoding Two’s complement But maybe also fixed-point, floating-point, . . . 7

  25. Examples

  26. Width and Encoding Notation to clarify width and encoding:

  27. Bit-vectors Made Formal Definition (Bit-Vector) A bit-vector is a vector of Boolean values with a given length l: b : {0,...,l − 1} → {0,1}

  28. Bit-vectors Made Formal Definition (Bit-Vector) Definition (Bit-Vector) A bit-vector is a vector of Boolean values with a given length l: b : {0,...,l − 1} → {0,1} The value of bit number i of x is x(i). We also writefor

  29. Lambda-Notation for Bit-Vectors λ expressions are functions without a name

  30. Lambda-Notation for Bit-Vectors Examples: λ expressions are functions without a name • The vector of length l that consists of zeros: • A function that inverts (flips all bits in) a bit-vector: • A bit-wise OR: ⇒ we now have semantics for the bit-wise operators.

  31. Semantics for Arithmetic Expressions What is the output of the following program? unsigned char number = 200; number = number + 100; printf("Sum: %d\n", number);

  32. Semantics for Arithmetic Expressions Semantics for Arithmetic Expressions What is the output of the following program? unsigned char number = 200; number = number + 100; printf("Sum: %d\n", number); On most architectures, this is 44! = 200 11001000 + = 100 01100100 = 00101100 = 44

  33. Semantics for Arithmetic Expressions Semantics for Arithmetic Expressions What is the output of the following program? unsigned char number = 200; number = number + 100; printf("Sum: %d\n", number); On most architectures, this is 44! = 200 11001000 + = 100 01100100 = 00101100 = 44 ⇒ Bit-vector arithmetic uses modular arithmetic!

  34. Semantics for Arithmetic Expressions Semantics for addition, subtraction:

  35. Semantics for Arithmetic Expressions Semantics for addition, subtraction: We can even mix the encodings:

  36. Semantics for Relational Operators Semantics for <, ≤, ≥, and so on: Mixed encodings: Note that most compilers don’t support comparisons with mixed encodings.

  37. Complexity Complexity Satisfiability is undecidable for an unbounded width, evenwithout arithmetic.

  38. Complexity Satisfiability is undecidable for an unbounded width, evenwithout arithmetic. It is NP-complete otherwise.

  39. Decision Procedure Satisfying solution Formula Unsatisfiable (+ proof) Decision Procedures • Core technology for formal reasoning • Boolean SAT • Pure Boolean formula • SAT Modulo Theories (SMT) • Support additional logic fragments • Example theories • Linear arithmetic over reals or integers • Functions with equality • Bit vectors • Combinations of theories

  40. SAT made aprogress…

  41. BV Decision Procedures:Some History • B.C. (Before Chaff) • String operations (concatenate, field extraction) • Linear arithmetic with bounds checking • Modular arithmetic • Limitations • Cannot handle full range of bit-vector operations

  42. BV Decision Procedures:Using SAT • SAT-Based “Bit Blasting” • Generate Boolean circuit based on bit-level behavior of operations • Convert to Conjunctive Normal Form (CNF) and check with best available SAT checker • Handles arbitrary operations • Effective in Many Applications • CBMC [Clarke, Kroening, Lerda, TACAS ’04] • Microsoft Cogent + SLAM [Cook, Kroening, Sharygina, CAV ’05] • CVC-Lite [Dill, Barrett, Ganesh], Yices [deMoura, et al]

  43. A Simple Decision Procedure Transform Bit-Vector Logic to Propositional LogicMost commonly used decision procedureAlso called ’bit-blasting’

  44. A Simple Decision Procedure A Simple Decision Procedure • Transform Bit-Vector Logic to Propositional LogicMost commonly used decision procedureAlso called ’bit-blasting’ • Bit-Vector Flattening 1. Convert propositional part as before 1 2. Add a Boolean variable for each bit of each sub-expression(term) 2 3. Add constraint for each sub-expression 3 We denote the new Boolean variable for biti of term t by. 17

  45. Bit-vector Flattening What constraints do we generate for a given term?

  46. Bit-vector Flattening What constraints do we generate for a given term? This is easy for the bit-wise operators. Example for (read x = y over bits as x y)

  47. Bit-vector Flattening What constraints do we generate for a given term? This is easy for the bit-wise operators. Example for (read x = y over bits as x y) We can transform this into CNF using Tseitin’s method.

  48. Bit-vector Flattening

  49. Flattening Bit-Vector Arithmetic How to flatten a + b?

  50. Flattening Bit-Vector Arithmetic Flattening Bit-Vector Arithmetic How to flatten a + b? → we can build a circuit that adds them! The full adder in CNF:

More Related