algorithmic software verification rajeev alur university of pennsylvania aro review, may 2005
TRANSCRIPT
Algorithmic Software Verification
Rajeev Alur
University of Pennsylvania
ARO Review, May 2005
Software Model Checking
Code Abstractor Model
Verifier Specification
Yes
Counter-example
Predicate abstraction
Finite-stateBoolean vars
On-the-fly explicit stateOr Symbolic fixpoint evaluation
LTL/CTL/Automata Regular!
Observables
Abstracting Modular Programs
main() { bool y; … x = P(y); … z = P(x); …}bool P(u: bool) {…return Q(u);}bool Q(w: bool) { if … else return P(~w)}
A2
A1
A3
A2
A2
A3
A3
A1Entry/Inputs
Exit/outputs
Box (function-calls)
Program Recursive State Machine (RSM)/ Pushdown automaton
Software Model Checking
Code Abstractor Model
Verifier Specification
Yes
Counter-example
Predicate abstraction
Recursive State Machines
On-the-fly explicit state(see poster for VERA)
LTL/CTL/Automata Regular!
Observables
LTL
Linear-time Temporal Logic (LTL)
Q ::- p | not Q | Q or Q’ | Next Q | Always Q | Eventually Q | Q Until Q’
Interpreted over (infinite) sequences.Models of any LTL formula is a regular language.Useful for stating sequencing properties:
If req happens, then req holds until it is granted: Always ( req → (req Until grant) )
An exception is never raised: Always ( not Exception )
LTL is not expressive enough
LTL cannot express:
Classical Hoare-style pre/post conditions If p holds when procedure A is invoked, q holds upon
return Total correctness: every invocation of A terminates Integral part of emerging standard JML
Stack inspection properties For security/access control
If a setuuid bit is being set, process root must be in the call stack
Above requires matching of calls with returns, orfinding unmatched calls --- Context-free properties!
Context-free specifications
But model-checking context-free properties against context-free models is Undecidable.
However, the properties described are verifiable.
Existing work in security that handles some stack inspection properties [JMT99,JKS03]
Adding assert statements in the program (with additional local variables, if needed), and then checking regular properties (e.g. reachability) amounts to checking context-free properties
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
A
Global successor used by LTL
………….
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
D
Global successor used by LTL
………….
Local successor: Jump from calls to returns Otherwise global successor at the same level
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
A
Global successor used by LTL
………….
Local successor: Jump from calls to returns Otherwise global successor at the same level
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
A
Global successor used by LTL
………….
Local successor: Jump from calls to returns Otherwise global successor at the same level
Local path
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
A
Global successor used by LTL
………….
Local successor: Jump from calls to returns Otherwise global successor at the same level
Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes
CARET
CARET: A temporal logic for Calls and Returns Expresses context-free properties
A
B
C
A
Global successor used by LTL
………….
Abstract successor: Jump from calls to returns Otherwise global successor at the same level
Caller modality: Jump to the caller of the current module Defined for every node except top-level nodes
Caller path gives the stack content!
CARET Definition
Syntax: Q ::- p | not Q | Q or Q’ |
Next Q | Always Q | Eventually Q | Q Until Q’
Local-Next Q | Local-always Q Local-Eventually Q | Q Local-Until Q’
Caller Q | Callerpath-always Q CallerPath-Eventually Q | Q CallerPath-Until Q’
Local- and Caller- versions of all temporal operators All these operators can be nested
Expressing properties in Caret
Pre-post conditions If P holds when A is called, then Q must hold when
the call returns
Always ( (P and call-to-A) Local-Next Q )
A
PQ
Pre-post conditions are integral to specifications for JML (Java Modeling Language)
Expressing properties in Caret
If A is called with low priority, then it cannot access the file Always ( call-to-A and low-priority
Local-Always ( not access-file ) )
Alowpriority
Ahighpriority access-file
Expressing properties in Caret
Stack inspection properties
If variable x is accessed, then A must be on the call stack Always ( access-to-x
CallerPath-Eventually call-to-A )
access-to-x
A
Model checking CARET
Given: A (boolean) recursive state machine/ pushdown automaton M A CARET formula Q
Model-checking: Do all runs of M satisfy the specification Q?
CARET can be model-checked in time that is polynomial in M and exponential in Q.
|M|3 . 2O(|Q|)
Complexity same as that for LTL !
Model-checking CARET: intuition
Main Idea: The specification matches calls and returns of the program. Hence the push (pop) operations of the model and the
specifications synchronize Given M and formula Q,
Build a Buchi pushdown automaton that accepts words exhibited by M that satisfy (not Q) Check this pushdown automaton for emptiness Specification automaton also pushes onto the stack!
s, Q1
sPush s and Q1
Local-Next Q1 Pop s and Q1 ;
Check Q1
Can we generalize the idea?
LTL Regular Languages
CARET ?
Must be asuperset of CARET
Must be model-checkableagainst pushdown
models
Generalizing the idea
Structured words: Partitioned alphabet:
Σ = Spush Spop Sinternal
Consider finite words over Σ
A visibly pushdown automaton over Σ is a pushdown automaton that pushes a symbol onto the stack on a letter in Spush
pops the stack on a letter in Spop
cannot change the stack on a letter in Sinternal
Note: Stack size at any time is determined by the input wordbut not the stack content
A language is a VPL over a partitioned alphabet Σ, if there is a visibly pushdown automata that accepts it (acceptance by final state)
CARET is contained in VPLModel-checking:
CARET Q VPL LQ
Pushdown model M VPL LM
M satisfies Q iff LM LQ = (Emptiness of pushdown automata is decidable)
Visibly pushdown languages (VPL)
VPL is closed under boolean operations: union, intersection and complement
VPL
VPLs are also determinizable (Consequence: Runtime monitors for CARET/VPL can be built)
We have also extended this class to languages of infinite words.
Regular Lang
DCFL
CFL
VPL
VPL
Regular
CFL
DCFL
VPL
L
PSPACE
Emptiness Inclusion
Yes Yes Yes NLOG
Yes No No
No
UndecPTIME
No Yes PTIME Undec
Yes Yes Yes PTIME Exptime
VPL: Connection to tree languages
Let w = i5 c1 i1 c2 i4 i3 i3 r3 c1 i1 r1 r5 i5 i3
i5
c1
r5i1
c2
i4
i3
i3
i5
i3r3
Stack trees
r1
c1
i1
VPL: Connection to tree languages
Tree-language characterization:
Let L be a set of strings and let ST(L) be the set of stack trees that correspond to L.
Then L is a VPL iff ST(L) is a regular tree language
VPL is robust
Visibly pushdownlanguages
Regular stack-trees
Monadic second order logic with a matching predicate
Context-free Grammar Subset (generalizes Knuth’s Parantheses Languages)
ω-VPL - extension to infinite words
A Büchi VPA: VPA over infinite strings A word is accepted if along a run, the set QF is seen infinitely
often
ω-VPL – class of languages accepted by Büchi VPAs
ω-VPL is closed under all boolean operations Characterization using regular trees and MSO characterization hold.
However, ω-VPLs are not determinizable!
Let L be the set of all words such that the stack is “repeatedly bounded”
i.e. n. the stack depth is n infinitely often.
L is an ω-VPL but there is no deterministic Muller VPA for it.
“Regular-like” properties continue..
Congruences and minimization (Myhill-Nerode Theorem) cornerstone of theory of regular languages
Given a language L, for well-matched words u and v, define u ~L v iff for all words x and y, xuy in L iff xvy in L
Theorem: A language L of well-matched words is a VPL iff the congruence ~L is of finite index
Minimization No unique minimal deterministic VPA in general, but… Minimization of RSMs (i.e. procedural boolean programs)
possible. Partitioning into k procedures/modules is adequate to get canonicity!
Conclusions
Exposing calls and returns leads to an interesting subclass of context-free languages
VPLs seem robust and adequate to model software analysis problems
Publications: TACAS’04, STOC’04, TACAS’05, ICALP’05
Coauthors: S. Chaudhuri, K. Etessami, V. Kumar, P. Madhusudan, M. Viswanathan
Active area of current research DTDs, XML, and query languages Branching-time logics, Fixpoint calculus, and visibly
pushdown tree automata
New Foundations for Software Model Checking
Code Abstractor Model
Verifier Specification
Yes
Counter-example
Predicate abstraction
Recursive State machines+
Boolean vars
On-the-fly explicit stateOr Symbolic fixpoint evaluation
Caret/VPAs/VPVPLs
ObservableCalls/rets