Wang Ji-min,Ping Ling-di,Pan Xue-zeng,Shen Hai-bin,Yan Xiao-lang

DOI: https://doi.org/10.1007/bf02842479

2005-01-01

Journal of Zhejiang University SCIENCE A

Abstract:The C programming language is expressive and flexible, but not safe; as its expressive power and flexibility are obtained through unsafe language features, and improper use of these features can lead to program bugs whose causes are hard to identify. Since C is widely used, and it is impractical to rewrite all existing C programs in safe languages, so ways must be found to make C programs safe. This paper deals with the unsafe features of C and presents a survey on existing solutions to make C programs safe. We have studied binary-level instrumentation tools, source checkers, source-level instrumentation tools and safe dialects of C, and present a comparison of different solutions, summarized the strengths and weaknesses of different classes of solutions, and show measures that could possibly improve the accuracy or alleviate the overhead of existing solutions.

Guang Chen,Dexi Wang,Tianchi Li,Chao Zhang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/apsec.2018.00027

2018-01-01

Abstract:Software verification has been well applied in safety critical areas and has shown the ability to provide better quality assurance for modern software. However, as lines of code and complexity of software systems increase, the scalability of verification becomes a challenge. In this paper, we present an automatic software verification framework TSV to address the scalability issues: (i) the extended structural abstraction and property-guided program slicing to solve large-scale program verification problem, saving time and memory without losing accuracy; (ii) automatically select different verification methods according to the program and property context to improve the verification efficiency. For evaluation, we compare TSV's different configurations with existing C program verifiers based on open benchmarks. We found that TSV with auto-selection performs better than with bounded model checking only or with extended structural abstraction only. Compared to existing tools such as CMBC and CPAChecker, it acquires 10%-20% improvement of accuracy and 50%-90% improvement of memory consumption.

YU Yin-Bo,LIU Jia-Jia,MU De-Jun

DOI: https://doi.org/10.21655/ijsi.1673-7288.00286

2022-01-01

International Journal of Software and Informatics

Abstract:Software verification has always been a popular research topic to ensure the correctness and security of software.However, due to the complex semantics and syntax of programming languages, the formal methods for verifying the correctness of programs have the problems of low accuracy and low efficiency.In particular, the state change in address space caused by pointer operations makes it difficult to guarantee the verification accuracy of existing model checking methods.By combining model checking and sparse value-flow analysis, this paper designs a spatial flow model to effectively describe the state behavior of C code at the symbolic-variable level and address-space level and proposes a model checking algorithm of CounterExample-Guided Abstraction refinement and Sparse value-flow strong update (CEGAS), which enables points-to-sensitive formal verification for C code.This paper establishes a C-code benchmark containing a variety of pointer operations and conducts comparative experiments on the basis of this benchmark.These experiments indicate that in the task of analyzing multi-class C code features, the model checking algorithm CEGAS proposed in this paper can achieve outstanding results compared with the existing model checking tools.The verification accuracy of CEGAS is 92.9%, and the average verification time of each line of code is 2.58 ms, both of which are better than those of existing verification tools.

Hongliang Liang,Daijie Zhang,Xiaoxiao Pei,Xiaodong Jia,Guangyuan Li,Jiuyun Xu

DOI: https://doi.org/10.1109/cscloud.2016.30

2016-01-01

Abstract:The correctness of implementation codes is important especially for safety-critical software usually written in C programming language. We present a correctness verification method (CVM for short) for C codes based on an automatic theorem proving tool-VCC, and propose a specification simplification method to im-prove the correctness and readability of verification specification codes. Using CVM method, the scheduling module of a real-time operating system FreeRTOS6.1.1 is verified, which shows the feasibility and effectiveness when CVM method is applied to the real production software. Experiments show that the CVM method is feasible and effective in verifying the correctness the C codes, and the specification simplification method is also effective.

Junyan Qian,Baowen Xu

DOI: https://doi.org/10.15388/informatica.2007.178

2007-01-01

Informatica

Abstract:Iterative abstraction refinement has emerged in the last few years as the leading approach to software model checking. We present an approach for automatically verifying C programs against safety specifications based on finite state machine. The approach eliminates unneeded variables using program slicing technique, and then automatically extracts an initial abstract model from C source code using predicate abstraction and theorem proving. In order to reduce time complexities, we partition the set of candidate predicates into subsets, and construct abstract model independently. On the basis of a counterexample-guided abstraction refinement scheme, the abstraction refines incrementally until the specification is either satisfied or refuted. Our methods can be extended to verifying concurrency C programs by parallel composition.

Zhao Duan,Cong Tian,Zhenhua Duan

DOI: https://doi.org/10.1007/978-3-319-68690-5_8

2017-01-01

Abstract:To verify both safety and liveness temporal properties of programs in practice, this paper investigates scalable Linear Temporal Logic (LTL) property verification approach of C programs. We show that the verification target can be accomplished as a scalable lazy abstraction supplemented Counter-Example Guided Abstraction Refinement (CEGAR) based program analysis task. As a result, the scalable lazy abstraction based safety property analysis approaches as well as their mature supporting tools can be reused to verify temporal properties of C programs. We have implemented the proposed approach in TPCHECKER to verify temporal properties of C programs. Experimental results on benchmark programs show that the proposed approach performs well when verifying non-safety temporal properties of C programs.

Kai Yang,Cong Tian,Nan Zhang,Zhenhua Duan,Hongwei Du

DOI: https://doi.org/10.1109/tr.2021.3118877

IF: 5.883

2021-12-01

IEEE Transactions on Reliability

Abstract:In this article, we present an approach based on counterexample-guided abstraction refinement to verifying full regular temporal properties of C programs by means of combining both static analysis and dynamic verification. To this end, a desired property is specified by a propositional projection temporal logic formula $p$, and the labeled normal form graph (LNFG) of $\lnot p$ is automatically produced. Furthermore, the control flow automaton of the C program is constructed, and an enriched abstract reachability tree is generated under the guidance of the LNFG. Throughout the construction of the eART, whenever a candidate counterexample $cp$ is found, a verification input w.r.t $cp$ is generated by the SMT solver Z3. Subsequently, the C program is converted into a modeling, simulation, and verification language (MSVL) program $m$, and $\lnot p$ is also transformed to an MSVL program $m^{\prime }$. As a result, $m\; \text{and} \;m^{\prime }$ is executed to check whether the counterexample is spurious. The $cp$ is returned if it is a real counterexample; otherwise, the eART is refined. This process is repeated until no counterexample is found, namely the property is valid, or the counterexample is a real one The proposed approach enables us to not only verify full regular properties of C programs, but also produce precise results, neither false negatives nor false positives. The approach has been implemented in a tool named SDMC. Experiments show that SDMC outperforms the relevant tools available.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Zhou Conghua,Chen Zhenyu,Ju Shiguang

2008-01-01

Journal of Computer Research and Development

Abstract:For concurrent software systems, linear temporal logic SE-LTL is a specification language with high expressive power and the ability to reason about both states and events. Until now, the SE-LTL model checking algorithm is still explicit, and the state explosion is the primary verification difficulty. A bounded model checking procedure is introduced for SE-LTL which reduces model checking to propositional satisfiability. This new technique avoids the space blow up of BDDs, and sometimes speeds up the verification. For SE-LTL-X the procedure and stuttering equivalent technique is further integrated. The experiment result shows that the integration can reduce the verification time very much.

Kuanjiu Zhou,Jiawei Yong,Xiaolong Wang,Longtao Ren,Gang Hou,Junwang Chang

DOI: https://doi.org/10.1007/978-3-642-45293-2_26

2013-01-01

Abstract:Model checking technique has been gradually applied to verify the reliability of software systems. However, as to software with large scale and complex structure, the verification procedure suffers from the state space explosion, thus leading to a low efficiency or resource exhaustion. In this paper, we propose a method of accelerating software model checking based on program backbone to verify the properties in ANSI-C source codes. We prune the program with respect to the assertion property, and compress the circular paths by maximal strongly connected components to extract the program backbone. Subsequently, the Hoare theory is used to generate an invariant from the compressed circular nodes, which reduces the length of path encoding. The assertion property is finally translated into a quantifier-free formula and checked for satisfiability by the SMT solver Z3. The experiments show that this method substantially improves the efficiency of program verification.

Zhaopeng Li,Zhong Zhuang,Yiyun Chen,Simin Yang,Zhenting Zhang,Dawei Fan

DOI: https://doi.org/10.1109/tase.2010.8

2010-01-01

Abstract:Proof-carrying code (PCC) is a technique that allows code consumers to check whether the code is safe to execute or not through a formal safety proof provided by the code producer. And a certifying compiler makes PCC practical by compiling annotated source code into low-level code and proofs. In this paper we present a certifying compiler for a subset of the C programming language, named Clike, with built-in automated theorem provers. Clike programs can be compiled by ANSI C compiler without any modification. Our compiler is intended to deal with data structures such as singly-linked lists, doubly-linked lists and trees. At the source level, we have designed a program logic combining a constrained first-order logic and a fragment of separation logic. We use a verification-condition-based method, and the generated verification conditions are sent to the built-in automated theorem prover. Our prover will generate proof terms when the input formula is valid. The low-level verification framework follows Hoare-style verification methods. The assembly code, its specification and proofs are generated automatically based on a variant of Stack-based Certifying Assembly Programming (SCAP). We implement our certifying compiler prototype in SML/NJ and build our prover libraries using the meta logic provided by Coq. We have used our prototype to successfully certify a considerable number of programs manipulating linked-lists and binary trees.

王大伟,张大方,缪力

DOI: https://doi.org/10.3969/j.issn.1007-130x.2010.04.022

2010-01-01

Abstract:Model checking is a formal method for verifying the temporal logic properties of finite state systems. To use the technique,an abstract model is usually constructed by hand,but this approach has some weaknesses,for instance,the cost of modeling is considerably high and the artificial models are error-prone. In this paper,we present a practical method for model checking the ANSI-C programs automatically. We built C2Spin,a model extractor which analyzes the C source code and extracts the PROMELA verification model from the source code,and thereby reduce the expense of modeling significantly. Then SPIN can detect various errors in the applications implemented in C mechanically using C2Spin,such as deadlock. In preliminary experiments,depending upon the models generated by C2Spin,we find a semantic bug in SPIN4.3.0 and similar livelocks in the implementation of two classic mutual exclusion algorithms written by Holzmann. The results show that C2Spin helps people test C programs more effectively and quickly.

Yu Tan,Dianfu Ma,Lei Qiao

DOI: https://doi.org/10.1155/2021/8352267

2021-01-01

Wireless Communications and Mobile Computing

Abstract:With the rapid increase in the number of wireless terminals and the openness of wireless networks, the security of wireless communication is facing serious challenges. The safety and security of computer communication have always been a research hotspot, especially the wireless communication that still has a more complex architecture which leads to more safety problems in the communication system development. In recent years, more and more wireless communication systems are applied in the safety-critical field which tends to need high safety guarantees. A compiler is an important tool for system development, and its safety and reliability have an important impact on the development of safety-critical software. As the strictest method, formal verification methods have been widely paid attention to in compiler verification, but the current formal verification methods have some problems, such as high proof complexity, weak verification ability, and low algorithm efficiency. In this paper, a compiler formal verification method based on safety C subsets is proposed. By abstracting the concept of C grammar units from safety C subsets, the formal verification of the compiler is transformed into the verification of limited C grammar units. In this paper, an axiom system of first-order logic and special axioms are introduced. On this axiom system, the semantic consistency verification of C grammar unit and target code pattern is completed by means of theorem proving, and the formal verification of the compiler is completed.

Chuyue Sun,Ying Sheng,Oded Padon,Clark Barrett

2024-06-04

Abstract:The use of large language models for code generation is a rapidly growing trend in software development. However, without effective methods for ensuring the correctness of generated code, this trend could lead to any number of undesirable outcomes. In this paper, we lay out a vision for addressing this challenge: the Clover paradigm, short for Closed-Loop Verifiable Code Generation, which reduces correctness checking to the more accessible problem of consistency checking. At the core of Clover lies a checker that performs consistency checks among code, docstrings, and formal annotations. The checker is implemented using a novel integration of formal verification tools and large language models. We provide a theoretical analysis to support our thesis that Clover should be effective at consistency checking. We also empirically investigate its feasibility on a hand-designed dataset (CloverBench) featuring annotated Dafny programs at a textbook level of difficulty. Experimental results show that for this dataset, (i) LLMs are reasonably successful at automatically generating formal specifications; and (ii) our consistency checker achieves a promising acceptance rate (up to 87%) for correct instances while maintaining zero tolerance for incorrect ones (no false positives).

Artificial Intelligence,Machine Learning,Software Engineering

Liyi Li,Yiyun Liu,Deena L. Postol,Leonidas Lampropoulos,David Van Horn,Michael Hicks

DOI: https://doi.org/10.48550/arXiv.2201.13394

2022-02-01

Abstract:We present a formal model of Checked C, a dialect of C that aims to enforce spatial memory safety. Our model pays particular attention to the semantics of dynamically sized, potentially null-terminated arrays. We formalize this model in Coq, and prove that any spatial memory safety errors can be blamed on portions of the program labeled unchecked; this is a Checked C feature that supports incremental porting and backward compatibility. While our model's operational semantics uses annotated ("fat") pointers to enforce spatial safety, we show that such annotations can be safely erased: Using PLT Redex we formalize an executable version of our model and a compilation procedure from it to an untyped C-like language, and use randomized testing to validate that generated code faithfully simulates the original. Finally, we develop a custom random generator for well-typed and almost-well-typed terms in our Redex model, and use it to search for inconsistencies between our model and the Clang Checked C implementation. We find these steps to be a useful way to co-develop a language (Checked C is still in development) and a core model of it.

Programming Languages,Software Engineering

Lei Wang,Qiang Zhang,Peng Zhao

DOI: https://doi.org/10.1109/SCAM.2008.24

2008-10-03

Abstract:Ensuring the correctness and reliability of software systems is one of the main problems in software development. Model checking, a static analysis method, is preponderant in improving the precision of vulnerabilities detection. However, when applied to buffer overflow and other bugs, it is hard to automatically construct the model for detecting the vulnerabilities. To address this problem we propose an approach that combines constraint based analysis and model checking together. We trace the memory size of buffer-related variables and instrument the code with corresponding constraint assertions before the potential vulnerable points by constraint based analysis. Then the problem of detecting vulnerabilities is converted into the problem of detecting vulnerabilities to verifying the reach ability of these assertions by model checking. In order to reduce the cost of model checking, program slicing is introduced to reduce the code size. CodeAuditor is a prototype implementation of our approach. With CodeAuditor, several yet unreported vulnerabilities are discovered in several open source software, and the performance is shown to be improved significantly with the help of program slicing.

Computer Science

Daniel Kroening,Peter Schrammel,Michael Tautschnig

DOI: https://doi.org/10.48550/arXiv.2302.02384

2023-02-05

Abstract:The C Bounded Model Checker (CBMC) demonstrates the violation of assertions in C programs, or proves safety of the assertions under a given bound. CBMC implements a bit-precise translation of an input C program, annotated with assertions and with loops unrolled to a given depth, into a formula. If the formula is satisfiable, then an execution leading to a violated assertion exists. CBMC is one of the most successful software verification tools. Its main advantages are its precision, robustness and simplicity. CBMC is shipped as part of several Linux distributions. It has been used by thousands of software developers to verify real-world software, such as the Linux kernel, and powers commercial software analysis and test generation tools. Table 1 gives an overview of CBMC's features. CBMC is also a versatile tool that can be applied to solve many practical program analysis problems such as bug finding, property checking, test input generation, detection of security vulnerabilities, equivalence checking and program synthesis. This chapter will give an introduction into CBMC, including practical examples and pointers to further reading. Moreover, we give insights about the development of CBMC itself, showing how its performance evolved over the last decade.

Software Engineering,Logic in Computer Science,Programming Languages

Junyan Qian,Baowen Xu

2006-01-01

WSEAS TRANSACTIONS ON COMPUTERS

Abstract:Model checking has been interest in applying model checking to software. However, the major problem of software model checking is the state space explosion problem. For model checking software, abstraction is a key issue. We present a methodology for automatically constructing an abstraction of C programs based on finite state machine. Firstly eliminate unneeded variables using program slicing technique and restrict C program to a simple intermediate form before constructing an abstract model of program. And then automatically extract a finite model from C source code using predicate abstraction and theorem proving. Finally, in order to reduce time complexities, we partition the set of candidate predicates into subsets, and construct abstract model independently.

Zhenhua Duan,Kangkang Bu,Cong Tian,Nan Zhang

DOI: https://doi.org/10.1007/978-3-319-21398-9_41

2015-01-01

Abstract:In this paper, we propose a DSE based model checking approach (DSE-MC) for verifying programs written in Modelling, Simulation and Verification Language (MSVL) [1, 3]. For doing so, we adopt a DSE method to execute an MSVL program to generate a symbolic execution tree (SEtree) which is used as the abstract model of the program. Further, a property to be verified is specified by a Propositional Projection Temporal Logic (PPTL) formula [8, 13]. To check whether or not the program satisfies the property, first the SEtree and the negation of the property are both described in Labelled Normal Form Graphs (LNFGs) [21], then the product of two LNFGs is produced. As a result, a counter example is encountered if the product is not empty. Otherwise, we cannot determine if the program satisfies the property. In this case, the verification process could be restarted with new inputs. In this way, a software system written in C can also be verified since the C program can be transformed to an MSVL program automatically by using toolkit MSV [19] developed by us.

Yinbo Yu,Jiajia Liu,Dejun Mu

DOI: https://doi.org/10.1109/jiot.2022.3163383

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) provides convenience for our daily lives via a huge number of devices. However, due to low-resource and poor computing capability, these devices have a high number of firmware vulnerabilities. Software verification is a powerful solution to ensure the correctness and security of IoT firmware programs. Unfortunately, due to the complex semantics and syntax of program languages (typically C), applying software verification in IoT firmware faces the tradeoff between efficiency and accuracy. One of the fundamental reasons is that verification methods cannot support verifying state transitions on the memory space caused by pointer operations well. To this end, by combining sparse value flow (SVF) analysis into model checking and optimizing computational redundancy among them, we design a novel points-to-sensitive model checker, called PCHECKER, which can provide a highly precise and efficient verification for IoT firmware programs. We first design a spatial flow model to effectively describe state behaviors of a C program both on the symbolic and memory space. We then propose a counterexample-guided model checking algorithm that can dynamically refine abstract precisions and update nondeterministic points-to relations. With a set of C benchmarks containing a variety of pointer operations and other complex C features, our experiments have shown that compared with state of the art (SOTA), PCHECKER can achieve outstanding results in the verification tasks of C programs that its verification accuracy is 95.9%, and its average verification time of each line of code is 1.27 ms, which are both better than existing model checkers.

Syrine Tlili,XiaoChun Yang,Rachid Hadjidj,Mourad Debbabi

DOI: https://doi.org/10.1007/978-3-642-05151-7_12

2009-01-01

Abstract:Growing security requirements for systems and applications have raised the stakes on software security verification techniques. Recently, model-checking is settling in the arena of software verification. It is effective in verifying high-level security properties related to software functionalities. In this paper, we present the experiments conducted with our security verification framework based on model-checking. We embedded a wide range of the CERT secure coding rules into our framework. Then, we verified real software packages against these rules for purpose of demonstrating the capability and the efficiency of our tool in detecting real errors.