Program Analysis and Testing using Satisfiability Modulo Theories

Yet another Conference, 1 October 2012, Moscow
Nikolaj Bjørner, Senior Researcher, Microsoft Research

Slide transcript (26 slides).

Agenda

Context: Software Engineering Research @ Microsoft

Application: Fuzzing and Test Case Generation

Application: Program Verification & Analysis

Technology: Z3, An Efficient SMT Solver

Propaganda: Software Engineering Research Tools

Team: Z3, An Efficient SMT Solver. Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger.

Group: Research in Software Engineering. Improve Software Development Productivity.

Microsoft Research Labs. Research areas: Hardware and Devices; Health and Well-being; Human-computer Interaction; Information Retrieval & Management; Machine Learning; Security and Privacy; Social Science; Software Engineering; Biology; Communication & Collaboration; Computational Linguistics; Systems and Networking; Economics; Education; Gaming; Graphics and Multimedia; Theory.

Company: R & D ~40000; Research: 1%.

Fuzzing and Test Case Generation

SAGE

Internal. For Security Fuzzing.

Runs on x86 instructions.

External. For Developers.

Runs on .NET code.

Try it on: http://pex4fun.com

Finding security bugs before the hackers (black hat).

Dr. Strangelove?

Bug: ***433, 2/29/2012 3:41 PM, Edited by *****. SubStatus -> Local Fix

I think the fuzzers are starting to become sentient. We must crush them before it is too late.

In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z triggering U and V to happen]. And if this fuzzer asks for the nuclear launch codes, don't tell it what they are.

SAGE by numbers

100s CPU-years - largest dedicated fuzz lab in the world

100s apps - fuzzed using SAGE

100s previously unknown bugs found

Billion+ computers updated with bug fixes

Millions of $ saved for Users and Microsoft

10s of related tools (incl. Pex), 100s DART citations

3+ Billion constraints - largest usage for any SMT solver

Adapted from [Patrice Godefroid, ISSTA 2010]

Test case generation

    /* requires(...) is a specification annotation, not C code */
    unsigned GCD(unsigned x, unsigned y) {
        requires(y > 0);
        while (true) {
            unsigned m = x % y;
            if (m == 0) return y;
            x = y;
            y = m;
        }
    }

We want a trace where the loop is executed twice.

Path condition in SSA form (a fresh copy of each variable per assignment):

    (y0 > 0) and
    (m0 = x0 % y0) and
    not (m0 = 0) and
    (x1 = y0) and
    (y1 = m0) and
    (m1 = x1 % y1) and
    (m1 = 0)

Solver output: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0.

Test Case Generation Procedure (diagram): seed -> Run Test and Monitor -> Execution Path -> Path Condition -> Known Paths / Unexplored path -> Constraint System -> Solve -> New input -> Test Inputs -> Run Test and Monitor.
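The SSA path condition on this slide can be built and checked mechanically. The script below is an added example written for this transcript, not code from the presentation, SAGE or Z3: it runs the slide's GCD concretely to count loop iterations, generates the SSA path condition for "the loop runs exactly k times" (generalising the k = 2 case shown), and finds a witness input. A bounded brute-force enumerator stands in for the SMT solver so that the script runs offline; the names path_condition, solve, gcd_trace and the search bound BOUND are my own assumptions, as is the choice to search inputs below BOUND.

```python
"""Added example for this transcript (not code from the slides, SAGE or Z3).

Builds the SSA path condition for "the GCD loop executes exactly k times",
checks candidate assignments against it, and finds a witness input.  A small
bounded enumerator (assumption: inputs are searched over 0..BOUND-1) stands
in for the SMT solver so the script runs offline.
"""
from itertools import product

BOUND = 16  # constructed search bound for the stand-in solver (assumption)


def gcd_trace(x: int, y: int) -> tuple[int, int]:
    """Concrete run of the slide's GCD; returns (result, loop iterations)."""
    assert y > 0  # the slide's requires(y > 0)
    iterations = 0
    while True:
        iterations += 1
        m = x % y
        if m == 0:
            return y, iterations
        x, y = y, m  # x = y; y = m


def path_condition(k: int) -> list:
    """SSA path condition for the trace that runs the loop exactly k times.

    Each iteration i gets fresh copies x_i, y_i, m_i.  Iterations 0..k-2
    take the 'm != 0' branch and feed the next iteration; iteration k-1
    takes the 'm == 0' branch and returns.  Returns (label, predicate)
    pairs; a predicate reads an assignment dict such as {"x0": 2, "y0": 4, ...}.
    """
    conds = [("y0 > 0", lambda a: a["y0"] > 0)]
    for i in range(k):
        conds.append((f"m{i} = x{i} % y{i}",
                      lambda a, i=i: a[f"y{i}"] != 0
                      and a[f"m{i}"] == a[f"x{i}"] % a[f"y{i}"]))
        if i < k - 1:
            conds.append((f"not (m{i} = 0)", lambda a, i=i: a[f"m{i}"] != 0))
            conds.append((f"x{i+1} = y{i}", lambda a, i=i: a[f"x{i+1}"] == a[f"y{i}"]))
            conds.append((f"y{i+1} = m{i}", lambda a, i=i: a[f"y{i+1}"] == a[f"m{i}"]))
        else:
            conds.append((f"m{i} = 0", lambda a, i=i: a[f"m{i}"] == 0))
    return conds


def satisfies(assignment: dict, conds: list) -> bool:
    """True iff the assignment is a model of every conjunct."""
    return all(pred(assignment) for _, pred in conds)


def solve(k: int, bound: int = BOUND):
    """Stand-in solver: enumerate (x0, y0), propagate the SSA definitions
    forward, and return the first complete assignment that is a model, or None.
    """
    conds = path_condition(k)
    for x0, y0 in product(range(bound), range(1, bound)):
        a = {"x0": x0, "y0": y0}
        for i in range(k):
            if a[f"y{i}"] == 0:
                break  # x % 0 is undefined; this prefix cannot extend to a model
            a[f"m{i}"] = a[f"x{i}"] % a[f"y{i}"]
            if i < k - 1:
                a[f"x{i+1}"] = a[f"y{i}"]
                a[f"y{i+1}"] = a[f"m{i}"]
        else:
            if satisfies(a, conds):
                return a
    return None


if __name__ == "__main__":
    for label, _ in path_condition(2):
        print(label)
    model = solve(2)
    print("model:", model)
    print("concrete run (result, iterations):", gcd_trace(model["x0"], model["y0"]))
```

For k = 2 the enumerator returns x0 = 1, y0 = 2; the slide's x0 = 2, y0 = 4 satisfies the same seven conjuncts, and a solver may return any model. The bound is the stand-in's weakness: solve(7) returns None with the default BOUND even though the path is feasible (13, 21 takes seven iterations), whereas an SMT solver such as Z3 searches the constraint system symbolically and has no such cap.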


Hypervisor Verification (2007 - 2010) with Partners: European Microsoft Innovation Center, Microsoft Research, Microsoft's Windows Division, Universität des Saarlandes.

co-funded by the German Ministry of Education and Research

http://www.verisoftxt.de

Diagram: Hardware / Hypervisor.

Microsoft Verifying C Compiler

Building Verve (diagram): Kernel.cs, C# compiler, Kernel.obj (x86), TAL checker, Nucleus.bpl (x86), Boogie/Z3, Translator/Assembler, Linker/ISO generator, Verve.iso. Legend: Source file, Compilation tool, Verification tool, Verified.

9 person-months. Safe to the Last Instruction / Jean Yang & Chris Hawblitzel, PLDI 2010.

Speaker notes: In addition to the Nucleus we have the kernel and applications in C#, which we compiled to typed assembly using Bartok. We check this using the TAL checker. The C# code is untrusted: we do not have to trust its correctness because any C# code that runs goes through the TAL checker. To create the bootable CD-ROM image, we translate and assemble the Nucleus and link it with the kernel. Other than the trusted specification, all other instructions in the system have been verified.

SMT: Satisfiability Modulo Theories

Is execution path P feasible? Is assertion X violated? (SAGE)
Is Formula F Satisfiable (over Theory of Reals)?
Answer: unsat, with a Proof; or sat, with a WITNESS (Solution/Model).

Speaker notes: Models are very important. Classical theorem provers do not produce models.

SMT: Satisfiability Modulo Theories: Arithmetic, Array Theory, Uninterpreted Functions.

Microsoft Tools using Z3: HAVOC, SAGE, Vigilante, ...

Z3 is used by many research groups. More than 19k downloads. Z3 places 1st in most categories in SMT competitions.

Z3 solved more than 3 billion constraints created by SAGE, checking Win8 and Office. Z3 ships in Windows Server with the Static Driver Verifier.

SecGuru: Z3 used to check Azure Firewall Policies.

Research Areas: Algorithms, Decidable Fragments, Data structures, Heuristics.

Complexity of logics: Undecidable (FOL + LIA); Semi-decidable (FOL); NEXPTIME (EPR); PSPACE (QBF); NP (SAT). Decidable fragments: Generalized array theory, Essentially Uninterpreted Formulas, Quantified Bit-Vector Logic.

Practical problems often have structure that can be exploited.

"Logic is The Calculus of Computer Science" - Zohar Manna

Little Engines of Proof. Freely available from http://research.microsoft.com/projects/z3

Research: Solving Horn Clauses

    mc(x) = x - 10            if x > 100
    mc(x) = mc(mc(x + 11))    if x <= 100
    assert (x <= 101 => mc(x) = 91)

Krystof Hoder & Nikolaj Bjørner, SAT 2012. Bjørner, McMillan, Rybalchenko, SMT 2012.

Research: Solving ℝ Efficiently

A key idea: use a partial solution to guide the search. Feasible Region. What is the core?

Dejan Jovanović & Leonardo de Moura, IJCAR 2012

rise4fun.com

Core Expertise: Empirical Software Engineering; Foundations: Logic; Program Analysis: Performance, Reliability, Security; Programming Languages: Design & Implementation.

http://rise4fun.com/z3py

Academic Interns

Summary

An outline of an efficient SMT solver. Efficient logic solver for SE tools tackling intractable problems. http://research.microsoft.com/projects/z3

Software Engineering Research @ Microsoft: http://rise4fun.com

Academic internships: http://research.microsoft.com/en-us/jobs/intern

Contact: http://research.microsoft.com/~nbjorner, [email protected]