Program Analysis and Testing using Satisfiability Modulo Theories
Yandex, 2 October 2012, Moscow
Nikolaj Bjørner, Senior Researcher, Microsoft Research


Agenda

Context: Software Engineering Research @ Microsoft

Application: Fuzzing and Test Case Generation

Application: Program Verification & Bit-precise Analysis

Application: String Analysis - Formal Language Theory for Security

Technology: Z3, An Efficient SMT Solver - Basics and Research

Propaganda: Software Engineering Research Tools

Context: Team

An Efficient SMT Solver
Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger

Context: Group

Research in Software Engineering: Improve Software Development Productivity

Context: Organization - Microsoft Research Labs

Research areas: Hardware and Devices; Health and Well-being; Human-Computer Interaction; Information Retrieval & Management; Machine Learning; Security and Privacy; Social Science; Software Engineering; Biology; Communication & Collaboration; Computational Linguistics; Systems and Networking; Economics; Education; Gaming; Graphics and Multimedia; Theory

Context: Company

R & D: ~40000; Research: 1%

Application: Fuzzing and Test Case Generation

SAGE

Internal. For Security Fuzzing

Runs on x86 instructions

External. For Developers

Runs on .NET code

Try it on: http://pex4fun.com

Finding security bugs before the hackers

(Slide images: a black hat; Dr. Strangelove?)

Bug: ***433   2/29/2012 3:41 PM   Edited by *****   SubStatus -> Local Fix

"I think the fuzzers are starting to become sentient. We must crush them before it is too late.

In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen]. And if this fuzzer asks for the nuclear launch codes, don't tell it what they are."

Application: Fuzzing and Testing

SAGE by numbers

100s CPU-years - largest dedicated fuzz lab in the world

100s apps - fuzzed using SAGE

100s previously unknown bugs found

Billion+ computers updated with bug fixes

Millions of $ saved for Users and Microsoft

10s of related tools (incl. Pex), 100s DART citations

3+ Billion constraints - largest usage for any SMT solver

Adapted from [Patrice Godefroid, ISSTA 2010]

Application: Fuzzing and Testing

Test case generation

    unsigned GCD(unsigned x, unsigned y) {
        requires(y > 0);
        while (true) {
            unsigned m = x % y;
            if (m == 0) return y;
            x = y;
            y = m;
        }
    }

We want a trace where the loop is executed twice. Static single assignment (SSA) renaming gives every assignment along the path its own variable, so the path condition is the conjunction:

    (y0 > 0) and
    (m0 = x0 % y0) and
    not (m0 = 0) and
    (x1 = y0) and
    (y1 = m0) and
    (m1 = x1 % y1) and
    (m1 = 0)

Solver: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0

Test Case Generation Procedure (diagram; labels only): seed, Test Inputs, Run Test and Monitor, Execution Path, Known Paths, Path Condition, Unexplored path, Constraint System, Solve, New input


Application: Program Verification (the transcript breaks off in this slide)

    int binary_search(int[] arr, int low, int high, int key)
        while (low … 100

Research: Solving Horn Clauses

    mc(x) = mc(mc(x+11)) if x <= 100
    assert (x <= 101 => mc(x) = 91)

Krystof Hoder & Nikolaj Bjørner, SAT 2012
Bjørner, McMillan, Rybalchenko, SMT 2012

Technology

Research: Solving R Efficiently

A key idea: use a partial solution to guide the search.

(Diagram labels: Feasible Region; What is the core?)

Dejan Jovanović & Leonardo de Moura, IJCAR 2012

Propaganda

Core Expertise: Empirical Software Engineering; Foundations: Logic; Program Analysis: Performance, Reliability, Security; Programming Languages: Design & Implementation

http://rise4fun.com/z3py

Academic Interns

Summary

An outline of an efficient SMT solver

Efficient logic solver for SE tools tackling intractable problems: http://research.microsoft.com/projects/z3

Software Engineering Research @ Microsoft http://rise4fun.com

Academic internships http://research.microsoft.com/en-us/jobs/intern

Contact: http://research.microsoft.com/~nbjorner