Code-level model checking in the software development workflow

Chong, Nathan; Cook, Byron; Καλλάς, Κωνσταντίνος; Khazem, Kareem; Monteiro, Felipe R.; Schwartz-Narbonne, Daniel; Tasiran, Serdar; Tautschnig, Michael; Tuttle, Mark R.

doi:10.1145/3377813.3381347

Cited by 27 publications

(45 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Correct-by-construction correspondence between low-level code and high-level data types helps to some extent in, e.g., [13] and Cogent [3]. Recent work on "push-button" verification includes a verified TLS library [12], AWS C Common library [11], file system [50], a hyperkernel [42], network functions [56], where the high degree of proof automation is in part achieved by statically bounding the state space of the systems. The latter work [56] specifically notes how non-experts can formulate high-level correctness requirements (their specifications are written in Python), as evidence that refinement-based approaches may ultimately overcome the "specification bottleneck" [6,43].…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Bridging Arrays and ADTs in Recursive Proofs

Fedyukovich

Ernst

2021

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

We present an approach to synthesize relational invariants to prove equivalences between object-oriented programs. The approach bridges the gap between recursive data types and arrays that serve to represent internal states. Our relational invariants are recursively-defined, and thus are valid for data structures of unbounded size. Based on introducing recursion into the proofs by observing and lifting the constraints from joint methods of the two objects, our approach is fully automatic and can be seen as an algorithm for solving Constrained Horn Clauses (CHC) of a specific sort. It has been implemented on top of the SMT-based CHC solver AdtChc and evaluated on a range of benchmarks.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Proofs found for one component can be reused while reasoning about another component, or even the system in a whole. Successful examples in large-scale verification projects include a step-wise refinement in seL4 [30] and the integration of model checking to software development workflow in AWS C Common [11].…”

Section: Introductionmentioning

confidence: 99%

Bridging Arrays and ADTs in Recursive Proofs

Fedyukovich

Ernst

2021

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

show abstract

“…All specifications, proofs, and related artifacts (such as continuous integration reports) described in this article have been integrated into the main AWS C Common repository on GitHub, and are publicly available at https://github.com/awslabs/aws-c-common/. This article is a substantially revised and extended version of our work presented at ICSE 2020 6 . The major difference is the detailed description of our continuous integration architecture and its leverage to integrate proofs into the software development workflow.…”

Section: Introductionmentioning

confidence: 99%

“…The major difference is the detailed description of our continuous integration architecture and its leverage to integrate proofs into the software development workflow. All tools, scripts, benchmarks, and results of our evaluation are also available on a replication package 7 …”

Section: Introductionmentioning

confidence: 99%

“…The focus of our work is the foundational security of software running in AWS data centers, SDKs, and devices. The breadth of our work includes boot code, 29 network communication protocols, 30 real‐time operating system code, 31,32 an SDK implementing data structures, 6 and an SDK facilitating principled use of cryptographic primitives.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Code‐level model checking in the software development workflow at Amazon Web Services

et al. 2021

Self Cite

View full text Add to dashboard Cite

This article describes a style of applying symbolic model checking developed over the course of four years at Amazon Web Services (AWS). Lessons learned are drawn from proving properties of numerous C‐based systems, for example, custom hypervisors, encryption code, boot loaders, and an IoT operating system. Using our methodology, we find that we can prove the correctness of industrial low‐level C‐based systems with reasonable effort and predictability. Furthermore, AWS developers are increasingly writing their own formal specifications. As part of this effort, we have developed a CI system that allows integration of the proofs into standard development workflows and extended the proof tools to provide better feedback to users. All proofs discussed in this article are publicly available on GitHub.

show abstract

Model checking C++ programs

Monteiro

Gadelha

Cordeiro

2021

Software Testing Verif & Rel

Self Cite

View full text Add to dashboard Cite

In the last three decades, memory safety issues in system programming languages such as C or C++ have been one of the most significant sources of security vulnerabilities. However, there exist only a few attempts with limited success to cope with the complexity of C++ program verification. We describe and evaluate a novel verification approach based on bounded model checking (BMC) and satisfiability modulo theories (SMT) to verify C++ programs. Our verification approach analyses bounded C++ programs by encoding into SMT various sophisticated features that the C++ programming language offers, such as templates, inheritance, polymorphism, exception handling, and the Standard Template Libraries. We formalize these features within our formal verification framework using a decidable fragment of first-order logic and then show how state-of-the-art SMT solvers can efficiently handle that. We implemented our verification approach on top of ESBMC. We compare ESBMC to LLBMC and DIVINE, which are state-of-the-art verifiers to check C++ programs directly from the LLVM bitcode. Experimental results show that ESBMC can handle a wide range of C++ programs, presenting a higher number of correct verification results. Additionally, ESBMC has been applied to a commercial C++ application in the telecommunication domain and successfully detected arithmetic-overflow errors, which could potentially lead to security vulnerabilities.

show abstract

Code-level model checking in the software development workflow

Cited by 27 publications

References 26 publications

Bridging Arrays and ADTs in Recursive Proofs

Bridging Arrays and ADTs in Recursive Proofs

Code‐level model checking in the software development workflow at Amazon Web Services

Model checking C++ programs

Contact Info

Product

Resources

About