Introduction to Computer-Aided Verification Rajeev Alur University of Pennsylvania CAV Mentoring Workshop, July 2015 Systems Software Can Microsoft Windows version X be bug-free? Millions of lines of code Types of bugs that cause crashes well-known Enormous effort spent on debugging/testing code Certifying third-party code (e.g. device drivers) do{ KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } }while(nPackets!= nPacketsOld); KeReleaseSpinLock(); Do lock operations, acquire and release strictly alternate on every program execution? Concurrency Libraries Exploiting concurrency efficiently and correctly dequeue(queue_t *queue, value_t *pvalue) { node_t *head; node_t *tail; node_t *next; } while (true) { head = queue->head; tail = queue->tail; next = head->next; if (head == queue->head) { if (head == tail) { if (next == 0) return false; cas(&queue->tail, tail, next); } else { *pvalue = next->value; if (cas(&queue->head, head, next)) break; } } } delete_node(head); return true; Concurrent Queue (MS’92) Can the code deadlock? Is sequential semantics of a queue preserved? (Sequential consistency) Security Checks for Java Applets https://java.sun.com/javame/ public Vector<String> phoneBook; public String number; public int Selected; public void sendEvent() { phoneBook = getPhoneBook(); selected = chhoseReceiver(); number=phoneBook.elementAt(selected); if ((number==null)|(number=“”)){ //output error } else{ String message = inputMessage(); sendMessage(number, message); } } How to certify applications for data integrity / confidentiality ? EventSharingMidlet from J2ME By listening to messages, can one infer whether a particular entry is in the addressbook? Certification of Safety-Critical Software How to verify that a pacemaker meets all the correctness requirements published by the FDA ? In Search of the Holy Grail… software/model correctness specification yes/proof Verifier no/bug Correctness is formalized as a mathematical claim to be proved or falsified rigorously Always with respect to the given specification Challenge: Impossibility results for automated verifier Verification problem is undecidable Even approximate versions are computationally intractable (model checking is Pspace-hard) This Talk History of CAV (not comprehensive…) Some guidelines for choosing a research problem 1970s: Proof calculi for program correctness Key to proof: BubbleSort (A : array[1..n] of int) { B = A : array[1..n] of int; Finding suitable for (i=0; i<n; i++) { loop invariants Permute(A,B) Sorted(B[n-i,n]) for 0<k<=n-i-1 and n-i<=k’<=n B[k]<=B[k’] for (j=0; j<n-i; j++) { Permute(A,B), Sorted(B[n-i,n], for 0<k<=n-i-1 and n-i<=k’<=n B[k]<=B[k’] for 0<k<j B[k] <= B[j] if (B[j]>B[j+1]) swap(B,j,j+1) } }; return B; } Deductive Program Verification Powerful mathematical logic (e.g. first-order logic, Higherorder logics) needed for formalization Great progress in decision procedures Finding proof decomposition requires expertise, but modern tools support many built-in proof tactics Contemporary theorem provers: Coq, PVS, ACL2, ESC-Java In practice … User partially annotates the program with invariants, and the tool infers remaining invariants needed to complete the proof Success story: CompCert: Fully verified optimizing compiler for a subset of C Current research: Automatic synthesis of loop invariants 1980s: Finite-state Protocol Analysis Automated analysis of finite-state protocols with respect to temporal logic specifications Network protocols, Distributed algorithms Specs: Is there a deadlock? Does every req get ack? Does a buffer overflow? Tools: SPIN, Murphi, CADP … Battling State-space Explosion Analysis is basically a reachability problem in a HUGE graph Size of graph grows exponentially as the number of bits required for state encoding Graph is constructed only incrementally, on-the-fly Many techniques for exploiting structure: symmetry, data independence, hashing, partial order reduction … Great flexibility in modeling: Scale down parameters (buffer size, number of network nodes…) Bad states State Transition 1990s: Symbolic Model Checking Constraint-based analysis of Boolean systems Symbolic Boolean representations (propositional formulas, OBDDs) used to encode system dynamics Success in finding high-quality bugs in hardware applications (VHDL/Verilog code) Global bus UIC UIC M UIC P M P Deadlock found in cache coherency protocol Gigamax by model checker SMV Cluster bus Read-shared/read-owned/write-invalid/write-shared/… Symbolic Reachability Problem Model variables X ={x1, … xn} Each var is of finite type, say, boolean Initialization: I(X): a formula over X e.g. (x1 && ~x2) Update: T(X,X’) How new vars X’ are related to old vars X as a result of executing one step of the program: Disjunction of clauses obtained by compiling individual instructions e.g. (x1 && x1’ = x1 && x2’ = ~x2 && x3’ = x3) Target set: F(X) e.g. (x2 && x3) Computational problem: Can F be satisfied starting with I by repeatedly applying T ? K-step reachability reduces to propositional satisfiability (SAT): Bounded Model Checking I(X0) && T(X0,X1) && T(X1,X2) && --- && T(Xk-1,Xk) && F(Xk) The Story of SAT Propositional Satisfiability: Given a formula over Boolean variables, is there an assignment of 0/1’s to vars which makes the formula true Canonical NP-hard problem (Cook 1973) Enormous progress in tools that can solve instances with thousands of variables and millions of clauses Extensions to richer classes of constraints (SMT solvers) 1960 DP 10 var 1952 Quine 10 var 1988 SOCRATES 3k var 1962 DLL 10 var 1986 BDDs 100 var 1994 Hannibal 3k var 1992 GSAT 300 var 1996 GRASP 1k var 1996 Stålmarck 1000 var 1996 SATO 1k var 2002 Berkmin 10k var 2001 Chaff 10k var 2000s: Model Checking of C code Phase 1: Given a program P, build an abstract finite-state (Boolean) model A such that set of behaviors of P is a subset of those of A (conservative abstraction) Phase 2: Model check A wrt specification: this can prove P to be correct, or reveal a bug in P, or suggest inadequacy of A Shown to be effective on Windows device drivers in Microsoft Research project SLAM (follow-up: SDV) do{ KeAcquireSpinLock(); nPacketsOld = nPackets; if(request){ request = request->Next; KeReleaseSpinLock(); nPackets++; } }while(nPackets!= nPacketsOld); KeReleaseSpinLock(); Do lock operations, acquire and release, strictly alternate on every program execution? Software Model Checking Tools for verifying source code combine many techniques Program analysis techniques such as slicing, range analysis Abstraction Model checking Refinement from counter-examples (CEGAR) New challenges for model checking (beyond finite-state reachability analysis) Recursion gives pushdown control Pointers, dynamic creation of objects, inheritence…. Active research area Abstraction-based tools: SLAM, BLAST,… Direct state encoding: F-SOFT, CBMC, CheckFence… SMT Success Story CBMC SAGE VCC Spec# SMT-LIB Standardized Interchange Format (smt-lib.org) Problem classification + Benchmark repositories LIA, LIA_UF, LRA, QF_LIA, … + Annual Competition (smt-competition.org) Z3 Yices CVC4 MathSAT5 Since 1990s: Cyber-Physical Systems Discrete software interacting with a continuously evolving physical system Need to model physical world using differential equations/timing delays Models: Timed automata, Hybrid automata Symbolic reachability analysis over sets of real-valued variables Finite-state abstractions Beyond correctness: Stability, Timely response Fruitful collaboration between control theory and formal methods Formal Methods for Cyber-Physical Systems Tools for verifying timed/hybrid systems models Uppaal, Taliro, Keymaera, dReal, Space-Ex … Applications Medical devices (infusion pump, pacemaker) Autonomous driving (collision avoidance protocols) Industrial technology transfer Model-based design tools (e.g. Hybrid automata as Simulink domain) Simulink Design Verifier (model-based testing, static analysis) Industry research groups (Toyota, Ford…) How to choose a research problem ? Common Themes in CAV Success Stories Phase 1: Initial demonstration of a compelling match between the capability of a research prototype and real-world need Phase 2: Sustained research on improving scalability But the path to the promised land is unclear … Incremental vs. Transformative Symbolic model checking using binary decision diagrams (McMillan et al, 1990) Importance was immediately obvious and celebrated Critical for industrial adoption of hardware model checking Chaff: Engineering an efficient SAT solver (Malik etal,2001) Low-level optimization exploiting cache perforamce Played critical role in boosting performance of SAT solvers Don’t keep searching for “big” ideas by dismissing research problems as incremental Source: Existing Literature vs. Real-world Problems? Hybrid automata (Alur, Henzinger et al, 1991) Started as a theoretical extension of timed automata Now with significant research and adoption in CPS community SAGE (Godefroid et al, CACM 2012) A response to pressing industrial need for effective testing for discovering security vulnerabilities Integration of many research ideas into a highly successful tool Keep looking everywhere! Theoretical Results vs. Prototype Tools Nested depth-first search (CVWY, CAV 1990) Beautiful algorithm for on-the-fly detection of fair cycles Key ingredient of all explicit-state LTL model checkers SLAM (Ball and Rajamani, 2001) Integration of predicate abstraction, symbolic model checking, and counter-example guided abstraction refinement Prototype tool and evaluation essential to demonstrate utility CAV offers many options for research: theoretical, practical, and theory in practice! Advice 1: Be sure of the motivation If you were to succeed in finding a good solution to the problem you are studying, what would be the consequence? Tool: who is a potential user? Algorithm: which tool can use and why should it use? Method: which design/analysis task can be done better? Be convinced of the answer yourself first, and worry about reviewers later Advice 2: Know the related work Is your idea new? How does it fit into what people know and have tried earlier? Vast literature, but there is no way around this question Be an expert on work related to your thesis Caution: this is not an excuse for inaction! Advice 3: Don’t live in a silo! Computer science is rapidly expanding in exciting directions Need to know at a high level what’s happening around you Organization into conferences/sub-disciplines is artificial Other fields can be a source of new ideas, applications, solution techniques How can statistical machine learning help CAV? Can CAV techniques be applied to problems in system biology? Goal: Become an expert in Formal Methods AND X