Nikolaj Bjørner, Senior Researcher, Microsoft Research
Transcript of a PowerPoint presentation
Program Analysis and Testing using Satisfiability Modulo Theories
Yet another Conference, 1 October 2012, Moscow
Nikolaj Bjørner, Senior Researcher, Microsoft Research

[Slide 2] Agenda
Context: Software Engineering Research @ Microsoft
Application: Fuzzing and Test Case Generation
Application: Program Verification & Analysis
Technology: Z3, an Efficient SMT Solver
Propaganda: Software Engineering Research Tools
[Slide 3] Context: Team
Z3, an Efficient SMT Solver: Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger

[Slide 4] Context: Group
Research in Software Engineering: improve software development productivity

[Slide 5] Context: Organization, Microsoft Research Labs
Research areas: Hardware and Devices; Health and Well-being; Human-Computer Interaction; Information Retrieval & Management; Machine Learning; Security and Privacy; Social Science; Software Engineering; Biology; Communication & Collaboration; Computational Linguistics; Systems and Networking; Economics; Education; Gaming; Graphics and Multimedia; Theory
[Slide 6] Context: Company
R & D: ~40,000; Research: 1%

[Slide 7] Application: Fuzzing and Test Case Generation
SAGE: internal, for security fuzzing; runs on x86 instructions
Pex: external, for developers; runs on .NET code; try it on http://pex4fun.com
Finding security bugs before the black hat hackers

[Slide 8] Application: Dr. Strangelove?
Bug: ***433, 2/29/2012 3:41 PM, edited by *****, SubStatus -> Local Fix
"I think the fuzzers are starting to become sentient. We must crush them before it is too late.
In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen]. And if this fuzzer asks for the nuclear launch codes, don't tell it what they are."

[Slide 9] Application: SAGE by numbers
100s CPU-years: largest dedicated fuzz lab in the world
100s apps - fuzzed using SAGE
100s previously unknown bugs found
Billion+ computers updated with bug fixes
Millions of $ saved for Users and Microsoft
10s of related tools (incl. Pex), 100s DART citations
3+ Billion constraints: largest usage for any SMT solver
Adapted from [Patrice Godefroid, ISSTA 2010]
[Slide 10] Application: Test case generation

    unsigned GCD(unsigned x, unsigned y) {
      requires(y > 0);            /* precondition: y must be positive */
      while (true) {
        unsigned m = x % y;
        if (m == 0) return y;
        x = y;
        y = m;
      }
    }

We want a trace where the loop is executed twice. Renaming each assignment into SSA form gives the path condition:

    (y0 > 0) and
    (m0 = x0 % y0) and
    not (m0 = 0) and
    (x1 = y0) and
    (y1 = m0) and
    (m1 = x1 % y1) and
    (m1 = 0)

Solver: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0

[Slide 11] Application: Test Case Generation Procedure
(diagram; labels) seed, Test Inputs, Run Test and Monitor, Execution Path, Path Condition, Known Paths, Unexplored path, Constraint System, Solve, New input
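The path condition and the test-generation loop above, as an added Python example that is not code from the slides or from SAGE: it generalises the slide's "loop executed twice" to a loop body executed exactly k times, emits the SSA constraints as SMT-LIB2 over 32-bit bit-vectors (an assumption standing in for C's unsigned; the slide fixes no width), and re-runs GCD concretely to confirm that a solver witness really drives the requested path, which is the "run test and monitor" step. The function names and the optional use of the z3 Python bindings are this example's own assumptions.

```python
# Added example, not code from the slides or from SAGE.
# Path condition for the slide's GCD, generalised to "loop body runs exactly k
# times", emitted as SMT-LIB2 for Z3, plus the concrete re-execution that
# confirms a solver witness. Assumptions: C 'unsigned' is a 32-bit bit-vector;
# the function names below are this example's own.
from typing import Dict, List, Optional

WIDTH = 32                      # assumed width of 'unsigned'
ZERO = "#x00000000"             # 32-bit zero literal in SMT-LIB2


def gcd_path_condition(k: int) -> List[str]:
    """SMT-LIB2 assertions for the path on which GCD's loop body runs exactly k times.

    SSA renaming: iteration i reads x_i, y_i and defines m_i = x_i % y_i.
    For i < k-1 the 'm == 0' branch is not taken and the next iteration sees
    x_{i+1} = y_i, y_{i+1} = m_i; on the last iteration the branch is taken.
    For k = 2 this is exactly the seven conjuncts on the slide.
    """
    if k < 1:
        raise ValueError("the loop body runs at least once")
    asserts = [f"(assert (bvugt y0 {ZERO}))"]                 # requires(y > 0)
    for i in range(k):
        asserts.append(f"(assert (= m{i} (bvurem x{i} y{i})))")  # m = x % y (unsigned)
        if i < k - 1:
            asserts.append(f"(assert (not (= m{i} {ZERO})))")     # stay in the loop
            asserts.append(f"(assert (= x{i + 1} y{i}))")         # x = y
            asserts.append(f"(assert (= y{i + 1} m{i}))")         # y = m
        else:
            asserts.append(f"(assert (= m{i} {ZERO}))")           # return y
    return asserts


def smtlib_declarations(k: int) -> List[str]:
    """One bit-vector constant per SSA name x_i, y_i, m_i."""
    return [f"(declare-const {v}{i} (_ BitVec {WIDTH}))"
            for i in range(k) for v in ("x", "y", "m")]


def smtlib_script(k: int) -> str:
    """Complete script for the z3 command line: save to a file and run 'z3 file.smt2'."""
    return "\n".join(["(set-logic QF_BV)"] + smtlib_declarations(k)
                     + gcd_path_condition(k) + ["(check-sat)", "(get-model)"])


def check_witness(k: int, x0: int, y0: int) -> bool:
    """'Run test and monitor': execute GCD on the candidate input and count
    loop iterations. True iff the precondition holds and the loop body ran
    exactly k times, i.e. the input really drives the requested path."""
    mask = (1 << WIDTH) - 1
    x, y = x0 & mask, y0 & mask
    if y == 0:
        return False                                          # requires(y > 0) violated
    iterations = 0
    while True:
        iterations += 1
        m = x % y
        if m == 0:
            return iterations == k
        x, y = y, m


def solve_with_z3(k: int) -> Optional[Dict[str, int]]:
    """Solve the path condition with the z3 Python bindings, if installed.
    Returns {name: value} for a model, or None if z3 is unavailable or the
    path is infeasible (unsat)."""
    try:
        import z3                                             # optional dependency
    except ImportError:
        return None
    s = z3.Solver()
    # check-sat is issued through the API, so only declarations and
    # assertions are passed as text.
    s.from_string("\n".join(smtlib_declarations(k) + gcd_path_condition(k)))
    if s.check() != z3.sat:
        return None
    m = s.model()
    return {d.name(): m[d].as_long() for d in m.decls()}


if __name__ == "__main__":
    print(smtlib_script(2))
    print("slide witness x0=2, y0=4 runs the loop twice:", check_witness(2, 2, 4))
    model = solve_with_z3(2)
    if model is not None:
        print("Z3 model:", model, "confirmed by concrete run:",
              check_witness(2, model.get("x0", 0), model.get("y0", 0)))
```

The concrete re-run is the check a practitioner wants after every solve: a witness for the k = 2 path must make the loop body run exactly twice, while an input such as x0 = 4, y0 = 2 hits m == 0 on the first iteration and belongs to the k = 1 path. Increasing k explores deeper paths, which is how the procedure on the slide turns one seed into a growing set of test inputs.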
2007 Microsoft Corporation. All rights reserved.
[Slide 12] Application: Hypervisor Verification (2007-2010) with Verisoft XT
Partners: European Microsoft Innovation Center, Microsoft Research, Microsoft's Windows Division, Universität des Saarlandes
Co-funded by the German Ministry of Education and Research
http://www.verisoftxt.de
(diagram) Hardware / Hypervisor

[Slide 13] Application: Microsoft Verifying C Compiler
[Slide 14] Application: Building Verve
Safe to the Last Instruction, Jean Yang & Chris Hawblitzel, PLDI 2010
(diagram; legend: Verified, Source file, Compilation tool, Verification tool) Nucleus.bpl (x86), Kernel.cs, C# compiler, Boogie/Z3, Translator/Assembler, TAL checker, Linker/ISO generator, Kernel.obj (x86), Verve.iso
9 person-months
Speaker notes: In addition to the Nucleus we have the kernel and applications in C#, which we compiled to typed assembly using Bartok. We check this using the TAL checker. The C# code is untrusted: we do not have to trust its correctness because any C# code that runs goes through the TAL checker. To create the bootable CD-ROM image, we translate and assemble the Nucleus and link it with the kernel. Other than the trusted specification, all other instructions in the system have been verified.

[Slide 15] Technology: SMT: Satisfiability Modulo Theories
Questions a tool asks: Is execution path P feasible? Is assertion X violated? (SAGE) Is formula F satisfiable (over the theory of reals)?
Answers: unsat, with a proof; or sat, with a witness (solution/model)
Speaker notes: Models are very important. Classical theorem provers do not produce models.

[Slide 16] Technology: SMT: Satisfiability Modulo Theories
Theories: Arithmetic, Array Theory, Uninterpreted Functions
[Slide 17] Technology: Microsoft tools using Z3
HAVOC, SAGE, Vigilante, SecGuru, Static Driver Verifier
Z3 is used by many research groups; more than 19k downloads
Z3 places 1st in most categories in SMT competitions
Z3 solved more than 3 billion constraints created by SAGE, checking Win8 and Office
Z3 ships in Windows Server with the Static Driver Verifier
SecGuru: Z3 used to check Azure firewall policies
[Slide 18] Technology: Research Areas
Algorithms, Decidable Fragments, Data structures, Heuristics
Logic fragments by complexity: Undecidable (FOL + LIA); Semi-decidable (FOL); NEXPTIME (EPR); PSPACE (QBF); NP (SAT)
Decidable fragments: Generalized array theory, Essentially Uninterpreted Formulas, Quantified Bit-Vector Logic
Practical problems often have structure that can be exploited.
"Logic is The Calculus of Computer Science" (Zohar Manna)
Little Engines of Proof. Freely available from http://research.microsoft.com/projects/z3
[Slide 19] Technology: Research: Solving Horn Clauses
mc(x) = x - 10          if x > 100
mc(x) = mc(mc(x + 11))  if x ≤ 100
assert (x ≤ 101 ⇒ mc(x) = 91)
Krystof Hoder & Nikolaj Bjørner, SAT 2012
Bjørner, McMillan, Rybalchenko, SMT 2012
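The McCarthy 91 function and its assertion on the slide, as an added Python example that is not code from the slides or from the cited papers: the function becomes an uninterpreted relation mc(x, r) meaning "mc(x) returns r", each defining equation becomes a Horn clause, and the assertion becomes a clause whose body is a violation and whose head is false. Next to it is the bounded concrete check a tester would run, to make the difference between testing a range and proving all integers visible. The relation name, the function names and the optional use of the z3 bindings are this example's own assumptions.

```python
# Added example, not code from the slides or the cited papers.
# The slide's McCarthy 91 function as constrained Horn clauses over a relation
# mc(x, r) meaning "mc(x) returns r", in the SMT-LIB2 HORN logic Z3 accepts,
# beside a bounded concrete check. Relation and function names are this
# example's own.
from typing import List, Optional

MC91_CLAUSES: List[str] = [
    "(declare-fun mc (Int Int) Bool)",
    # mc(x) = x - 10  if x > 100
    "(assert (forall ((x Int))"
    " (=> (> x 100) (mc x (- x 10)))))",
    # mc(x) = mc(mc(x + 11))  if x <= 100: the inner call's result y is the
    # outer call's argument, so the two calls become two premises sharing y
    "(assert (forall ((x Int) (y Int) (r Int))"
    " (=> (and (<= x 100) (mc (+ x 11) y) (mc y r)) (mc x r))))",
    # assert (x <= 101 ==> mc(x) = 91): a reachable violation derives false
    "(assert (forall ((x Int) (r Int))"
    " (=> (and (mc x r) (<= x 101) (not (= r 91))) false)))",
]


def horn_script() -> str:
    """Complete script for the z3 command line: save to a file and run 'z3 file.smt2'."""
    return "\n".join(["(set-logic HORN)"] + MC91_CLAUSES + ["(check-sat)"])


def mc91(x: int) -> int:
    """The slide's definition evaluated directly; used for concrete testing."""
    return x - 10 if x > 100 else mc91(mc91(x + 11))


def bounded_check(lo: int = -200, hi: int = 101) -> bool:
    """Testing view of the assertion: mc(x) = 91 for every x in [lo, hi].
    This gives confidence for a finite range only; the Horn clauses cover all
    integers at once."""
    return all(mc91(x) == 91 for x in range(lo, hi + 1))


def prove_with_z3() -> Optional[str]:
    """Hand the clauses to Z3's Horn solver, if the z3 bindings are installed.
    'sat' means an interpretation of mc satisfies every clause, including the
    one forbidding the violation, so the assertion holds for all x (Z3 has
    found an inductive invariant). 'unsat' would mean false is derivable,
    i.e. a concrete counterexample exists. None: z3 not installed."""
    try:
        import z3                                # optional dependency
    except ImportError:
        return None
    s = z3.SolverFor("HORN")
    s.from_string("\n".join(MC91_CLAUSES))       # check-sat is issued via the API
    return str(s.check())


if __name__ == "__main__":
    print(horn_script())
    print("bounded check on [-200, 101]:", bounded_check())
    print("Z3 Horn solver:", prove_with_z3())
```

The polarity is the part worth remembering: for Horn clauses the answer "sat" is the proof (a model of mc is an invariant strong enough to rule out the violation), and "unsat" is the bug, the opposite of the SAGE reading where "sat" hands back a crashing input.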
[Slide 20] Technology: Research: Solving ℝ Efficiently
A key idea: use a partial solution to guide the search
(figure) Feasible region; what is the core?
Dejan Jovanović & Leonardo de Moura, IJCAR 2012
[Slide 22] Propaganda
.com

[Slide 23] Propaganda: Core Expertise
Empirical Software Engineering
Foundations: Logic
Program Analysis: Performance, Reliability, Security
Programming Languages: Design & Implementation

[Slide 24] Propaganda
http://rise4fun.com/z3py

[Slide 25] Propaganda: Academic Interns

[Slide 26] Summary
An outline of an efficient SMT solver
Efficient logic solver for SE tools tackling intractable problems: http://research.microsoft.com/projects/z3
Software Engineering Research @ Microsoft: http://rise4fun.com
Academic internships: http://research.microsoft.com/en-us/jobs/intern
Contact: http://research.microsoft.com/~nbjorner, [email protected]