Concurrent Bug Finding Based on Bounded Model Checking

Author(s):  
Milena Vujošević Janičić

Automated and reliable software verification is of crucial importance for the development of high-quality software. Formal methods can be used for finding different kinds of bugs without executing the software, for example, for finding possible run-time errors. Methods like model checking and symbolic execution offer very precise static analysis but do not always scale well on real-world programs. One way to tackle the scalability problem is to apply new concurrent and sequential approaches to complex algorithms used in these kinds of software analysis. In this paper, we compare different variants of bounded model checking and propose two concurrent approaches: concurrency of intra-procedural analysis and concurrency of inter-procedural analysis. We implemented these approaches in the software verification tool LAV, which is based on bounded model checking and symbolic execution. For assessing the improvements gained, we experimentally compared the concurrent approaches with the standard bounded model checking approach (where all correctness conditions are put into a single compound formula) and with a sequential approach (where correctness conditions are checked separately, one after the other). The results show that, in many cases, the proposed concurrent approaches give significant improvements.

10.29007/q58t ◽  
2018 ◽  
Author(s):  
Stephan Falke ◽  
Carsten Sinz ◽  
Florian Merz

The theory of arrays is widely used in order to model main memory in program analysis, software verification, bounded model checking, symbolic execution, etc. Nonetheless, the basic theory as introduced by McCarthy is not expressive enough for important practical cases since it only supports array updates at single locations. In programs, the memory is often modified using functions such as memset or memcpy/memmove, which modify a user-specified range of locations whose size might not be known statically. In this paper we present an extension of the theory of arrays with set and copy operations which make it possible to reason about such functions. We also discuss further applications of the theory.


Author(s):  
Kaled M. Alshmrany ◽  
Rafael S. Menezes ◽  
Mikhail R. Gadelha ◽  
Lucas C. Cordeiro

Abstract: We describe and evaluate a novel white-box fuzzer for C programs named , which combines fuzzing and symbolic execution, and applies Bounded Model Checking (BMC) to find security vulnerabilities in C programs. explores and analyzes C programs (1) to find execution paths that lead to property violations and (2) to incrementally inject labels to guide the fuzzer and the BMC engine to produce test-cases for code coverage. successfully participates in Test-Comp’21 and achieves first place in the category and second place in the category.


2013 ◽  
Vol 659 ◽  
pp. 181-185
Author(s):  
Wei Gong ◽  
Jun Wei Jia

Model Checking is a method for verification. The model will be checked until its specification is proved or disproved. With the rising complexity of big models, there are non-checkable cases, in which the problem can be analyzed by some models; for example, bounded Model Checking means analyzing the model until a defined time or depth. The verification happens automatically. The programs for doing this are called Model Checking Tools or Model Checkers. Model Checking is used in both software and hardware verification. It is an inherent part of hardware verification, whereas it is less used in software verification.


2008 ◽  
Vol 404 (3) ◽  
pp. 256-274 ◽  
Author(s):  
Franjo Ivančić ◽  
Zijiang Yang ◽  
Malay K. Ganai ◽  
Aarti Gupta ◽  
Pranav Ashar

Author(s):  
Herbert Rocha ◽  
Rafael Menezes ◽  
Lucas C. Cordeiro ◽  
Raimundo Barreto

Abstract: Map2Check is a software verification tool that combines fuzzing, symbolic execution, and inductive invariants. It automatically checks safety properties in C programs by adopting source code instrumentation to monitor data (e.g., memory pointers) from the program’s executions using LLVM compiler infrastructure. For SV-COMP 2020, we extended Map2Check to exploit an iterative deepening approach using LibFuzzer and Klee to check for safety properties. We also use Crab-LLVM to infer program invariants based on reachability analysis. Experimental results show that Map2Check can handle a wide variety of safety properties in several intricate verification tasks from SV-COMP 2020.


Author(s):  
Guillaume Girol ◽  
Benjamin Farinier ◽  
Sébastien Bardin

Abstract: This paper introduces a new property called robust reachability which refines the standard notion of reachability in order to take replicability into account. A bug is robustly reachable if a controlled input can make it so the bug is reached whatever the value of uncontrolled input. Robust reachability is better suited than standard reachability in many realistic situations related to security (e.g., criticality assessment or bug prioritization) or software engineering (e.g., replicable test suites and flakiness). We propose a formal treatment of the concept, and we revisit existing symbolic bug finding methods through this new lens. Remarkably, robust reachability allows differentiating bounded model checking from symbolic execution while they have the same deductive power in the standard case. Finally, we propose the first symbolic verifier dedicated to robust reachability: we use it for criticality assessment of 4 existing vulnerabilities, and compare it with standard symbolic execution.


Author(s):  
Fernando Brizzolari ◽  
Igor Melatti ◽  
Enrico Tronci ◽  
Giuseppe Della Penna

Author(s):  
Dirk Beyer ◽  
Marie-Christine Jakobs

Abstract: Testing is a widely applied technique to evaluate software quality, and coverage criteria are often used to assess the adequacy of a generated test suite. However, manually constructing an adequate test suite is typically too expensive, and numerous techniques for automatic test-suite generation were proposed. All of them come with different strengths. To build stronger test-generation tools, different techniques should be combined. In this paper, we study cooperative combinations of verification approaches for test generation, which exchange high-level information. We present CoVeriTest, a hybrid technique for test-suite generation. CoVeriTest iteratively applies different conditional model checkers and allows users to adjust the level of cooperation and to configure individual time limits for each conditional model checker. In our experiments, we systematically study different CoVeriTest cooperation setups, which either use combinations of explicit-state model checking and predicate abstraction, or bounded model checking and symbolic execution. A comparison with state-of-the-art test-generation tools reveals that CoVeriTest achieves higher coverage for many programs (about 15%).


Electronics ◽  
2021 ◽  
Vol 10 (23) ◽  
pp. 2957
Author(s):  
Mengtao Geng ◽  
Xiaoyu Zhang ◽  
Jianwen Li

Model checking is an efficient formal verification technique that has been applied to a wide spectrum of applications in software engineering. Popular model checking algorithms include Bounded Model Checking (BMC) and Incremental Construction of Inductive Clauses for Indubitable Correctness/Property Directed Reachability (IC3/PDR). The recently proposed Complementary Approximate Reachability (CAR) model checking algorithm has a performance close to BMC in bug-finding, while its depth-first strategy sometimes leads the algorithm to a trap, which will waste lots of computation. In this paper, we enhance the recently proposed Complementary Approximate Reachability (CAR) model checking algorithm by integrating the restart policy, which yields a restartable CAR model (abbreviated as r-CAR). The restart policy can help avoid the trap problem caused by the depth-first strategy and has played an important role in modern SAT-solving algorithms to search for a satisfactory solution. As the bug-finding in model checking is reducible to a similar search problem, the restart policy can be useful to enhance the bug-finding capability. We made an extensive experiment to evaluate the new algorithm. Our results show that out of the 749 industrial instances, r-CAR is able to find 13 instances that the state-of-the-art BMC technique cannot find and can solve more than 11 instances than the original CAR. The new algorithm successfully contributes to the current model-checking portfolio in practice.

