ABSTRACT
Symbolic program analysis techniques rely on satisfiability-checking constraint solvers, while quantitative program analysis techniques rely on model-counting constraint solvers. Hence, the efficiency of satisfiability checking and model counting is crucial for the efficiency of modern program analysis techniques. In this paper, we present a constraint caching framework to expedite potentially expensive satisfiability and model-counting queries. Integral to this framework is our new constraint normalization procedure, under which the cardinality of the solution set of a constraint, but not necessarily the solution set itself, is preserved. We extend these constraint normalization techniques to string constraints in order to support analysis of string-manipulating code. A group-theoretic framework that generalizes earlier results on constraint normalization is used to express our normalization techniques. We also present a parameterized caching approach in which, in addition to storing the result of a model-counting query, we store a model-counter object in the constraint store that allows us to efficiently recount the number of satisfying models for different maximum bounds. We implement our caching framework in our tool Cashew, which is built as an extension of the Green caching framework, and integrate it with the symbolic execution tool Symbolic PathFinder (SPF) and the model-counting constraint solver ABC. Our experiments show that constraint caching can significantly improve the performance of symbolic and quantitative program analyses. For instance, Cashew can normalize the 10,104 unique constraints in the SMC/Kaluza benchmark down to 394 normal forms, achieve a 10x speedup on the SMC/Kaluza-Big dataset, and an average 3x speedup in our SPF-based side-channel analysis experiments.
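As an added illustration of the two ideas in the abstract (this is constructed example code, not Cashew's, Green's or ABC's implementation), the following Python sketch keys a cache on a cardinality-preserving normal form and stores a counter object that can be re-queried for a different maximum bound. The constraint language (conjunctions of `var op int` atoms), the brute-force counter and all names are assumptions made for this example; the normal form here only handles atom reordering and variable renaming, a much smaller set of symmetries than the paper's group-theoretic framework.

```python
import itertools
import operator
import re
from typing import Dict
# Constructed illustration: a constraint is a conjunction of atoms "var op int"
# joined by "&"; every variable ranges over the integers in [-bound, bound].
_ATOM = re.compile(r"^(\w+)\s*(<=|>=|==|!=|<|>)\s*(-?\d+)$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def normalize(constraint: str) -> str:
    """Sort atoms by a name-independent key, then rename variables in order of
    appearance: a bijection on names keeps the model count, not the models."""
    atoms = [_ATOM.match(a.strip()) for a in constraint.split("&")]
    if not all(atoms):
        raise ValueError("unsupported atom in: " + constraint)
    atoms.sort(key=lambda m: (m.group(2), int(m.group(3))))
    names: Dict[str, str] = {}
    return " & ".join(f"{names.setdefault(m.group(1), f'v{len(names)}')} "
                      f"{m.group(2)} {m.group(3)}" for m in atoms)

class ModelCounter:
    """Stored in the cache; recounts for a new bound without reparsing."""
    def __init__(self, normal_form: str):
        parsed = [_ATOM.match(a) for a in normal_form.split(" & ")]
        self.vars = sorted({m.group(1) for m in parsed})
        idx = {v: i for i, v in enumerate(self.vars)}
        self.checks = [(idx[m.group(1)], _OPS[m.group(2)], int(m.group(3)))
                       for m in parsed]
        self.counts: Dict[int, int] = {}  # bound -> number of models
    def count(self, bound: int) -> int:
        # Brute-force count of satisfying assignments in [-bound, bound]^n.
        if bound not in self.counts:
            dom = range(-bound, bound + 1)
            self.counts[bound] = sum(
                all(op(vals[i], c) for i, op, c in self.checks)
                for vals in itertools.product(dom, repeat=len(self.vars)))
        return self.counts[bound]

class ConstraintCache:
    def __init__(self):
        self.store: Dict[str, ModelCounter] = {}  # normal form -> counter
        self.hits = 0  # queries answered from an existing counter object
    def model_count(self, constraint: str, bound: int) -> int:
        key = normalize(constraint)
        if key not in self.store:
            self.store[key] = ModelCounter(key)
        else:
            self.hits += 1
        return self.store[key].count(bound)
```

Two constraints that differ only in variable names and atom order share one cache entry, and raising the bound reuses the stored counter rather than re-normalizing the query.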
ESEC/FSE’17, September 4–8, 2017, Paderborn, Germany. Authors: T. Brennan, N. Tsiskaridze, N. Rosner, S. Aydin, and T. Bultan.
Index Terms: Constraint normalization and parameterized caching for quantitative program analysis