CTL+FO verification as constraint solving

Beyene, Tewodros A.; Brockschmidt, Marc; Rybalchenko, Andrey

doi:10.1145/2632362.2632364

Cited by 6 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We are currently working on the verification of CTL formulas, by using a recently developed encoding into Horn clauses [4]. Furthermore, we plan to extend our tool in order to check non-interference properties and prove the absence of implicit information flows.…”

Section: Resultsmentioning

confidence: 99%

“…The Horn clauses are encoded in the SMT-LIB format supported by many popular SMT solvers, including our choice Z3 [9]. HornDroid automatically generates analysis queries based on its database of sources and sinks 4 and the unsatisfiability of the queries is verified using the Property-Directed Reachability (PDR) engine implemented in Z3 [16]. If no query is satisfiable, no information leak from a source to a sink may occur in the analysed application.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

Calzavara

Grishchenko

Maffei

2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

We present HornDroid, a new tool for the static analysis of information flow properties in Android applications. The core idea underlying HornDroid is to use Horn clauses for soundly abstracting the semantics of Android applications and to express security properties as a set of proof obligations that are automatically discharged by an off-the-shelf SMT solver. This approach makes it possible to fine-tune the analysis in order to achieve a high degree of precision while still using off-the-shelf verification tools, thereby leveraging the recent advances in this field. As a matter of fact, HornDroid outperforms state-of-the-art Android static analysis tools on benchmarks proposed by the community. Moreover, HornDroid is the first static analysis tool for Android to come with a formal proof of soundness, which covers the core of the analysis technique: besides yielding correctness assurances, this proof allowed us to identify some critical corner-cases that affect the soundness guarantees provided by some of the previous static analysis tools for Android.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

Calzavara

Grishchenko

Maffei

2016

2016 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…With respect to the verification of temporal properties, a danger invariant for a loop with an assertion A essentially proves the CTL property EF¬A over the loop. While there exist CTL verifiers based on a reduction to exist-forall quantified Horn clauses [11,12], we specialise the concept for finding deep bugs and describe a modular constraint generation technique over arbitrary programs, rather than for transition systems.…”

Section: Bug Findingmentioning

confidence: 99%

Program Synthesis for Program Analysis

David

Kesseli

Kroening

et al. 2018

ACM Trans. Program. Lang. Syst.

View full text Add to dashboard Cite

In this paper, we propose a unified framework for designing static analysers based on program synthesis. For this purpose, we identify a fragment of second-order logic with restricted quantification that is expressive enough to model numerous static analysis problems (e.g., safety proving, bug finding, termination and non-termination proving, refactoring). As our focus is on programs that use bit-vectors, we build a decision procedure for this fragment over finite domains in the form of a program synthesiser. We provide instantiations of our framework for solving a diverse range of program verification tasks such as termination, non-termination, safety and bug finding, superoptimisation and refactoring. Our experimental results show that our program synthesiser compares positively with specialised tools in each area as well as with general-purpose synthesisers.

show abstract

“…Various kinds of symbolic techniques such as: (i) automata and grammars, e.g., [1,15,13,14,38,66,5,4,3,33]; (ii) SMT and other forms of constraint solving, e.g., [6,20,35,36,64,73,75,39,11]; and (iii) narrowing [72,30,31,9,10], have been employed for this purpose. All are useful in their own way and can complement each other; and there is great interest in combining the power of these different symbolic approaches to handle a wider range of applications [59,60] (see, e.g., [70] and the survey [58] for combinations of this kind).…”

Section: Introductionmentioning

confidence: 99%

Constrained narrowing for conditional equational theories modulo axioms

Cholewa

Escobar²,

Meseguer

2015

Science of Computer Programming

View full text Add to dashboard Cite

For an unconditional equational theory (Σ, E) whose oriented equations E are confluent and terminating, narrowing provides an E-unification algorithm. This has been generalized by various authors in two directions: (i) by considering unconditional equational theories (Σ, E∪B) where the E are confluent, terminating and coherent modulo axioms B, and (ii) by considering conditional equational theories. Narrowing for a conditional theory (Σ, E ∪ B) has also been studied, but much less and with various restrictions. In this paper we extend these prior results by allowing conditional equations with extra variables in their conditions, provided the corresponding rewrite rules E are confluent, strictly coherent, operationally terminating modulo B and satisfy a natural determinism condition allowing incremental computation of matching substitutions for their extra variables. We also generalize the type structure of the types and operations in Σ to be order-sorted. The narrowing method we propose, called constrained narrowing, treats conditions as constraints whose solution is postponed. This can greatly reduce the search space of narrowing and allows notions such as constrained variant and constrained unifier that can cover symbolically possibly infinite sets of actual variants and unifiers. It also supports a hierarchical method of solving constraints. We give an inference system for hierarchical constrained narrowing modulo B and prove its soundness and completeness.

show abstract

CTL+FO verification as constraint solving

Cited by 6 publications

References 21 publications

HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

HornDroid: Practical and Sound Static Analysis of Android Applications by SMT Solving

Program Synthesis for Program Analysis

Constrained narrowing for conditional equational theories modulo axioms

Contact Info

Product

Resources

About