skip to main content
research-article
Open Access

Program analysis via efficient symbolic abstraction

Published:15 October 2021Publication History
Skip Abstract Section

Abstract

This paper concerns the scalability challenges of symbolic abstraction: given a formula ϕ in a logic L and an abstract domain A, find a most precise element in the abstract domain that over-approximates the meaning of ϕ. Symbolic abstraction is an important point in the space of abstract interpretation, as it allows for automatically synthesizing the best abstract transformers. However, current techniques for symbolic abstraction can have difficulty delivering on its practical strengths, due to performance issues.

In this work, we introduce two algorithms for the symbolic abstraction of quantifier-free bit-vector formulas, which apply to the bit-vector interval domain and a certain kind of polyhedral domain, respectively. We implement and evaluate the proposed techniques on two machine code analysis clients, namely static memory corruption analysis and constrained random fuzzing. Using a suite of 57,933 queries from the clients, we compare our approach against a diverse group of state-of-the-art algorithms. The experiments show that our algorithms achieve a substantial speedup over existing techniques and illustrate significant precision advantages for the clients. Our work presents strong evidence that symbolic abstraction of numeric domains can be efficient and practical for large and realistic programs.

Skip Supplemental Material Section

Supplemental Material

Auxiliary Presentation Video

Paper 90

References

  1. 2014. AFL: american fuzzy lop. http://lcamtuf.coredump.cx/afl/ Accessed: 2014Google ScholarGoogle Scholar
  2. Bijan Alizadeh and Masahiro Fujita. 2009. Modular arithmetic decision procedure with auto-correction mechanism. In IEEE International High Level Design Validation and Test Workshop, HLDVT 2009, San Francisco, CA, USA, 4-6 November 2009. IEEE Computer Society, 138–145.Google ScholarGoogle ScholarCross RefCross Ref
  3. Dennis S. Arnon. 1988. A Bibliography of Quantifier Elimination for Real Closed Fields. J. Symb. Comput., 5, 1/2 (1988).Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Benjamin Assarf, Ewgenij Gawrilow, Katrin Herr, Michael Joswig, Benjamin Lorenz, Andreas Paffenholz, and Thomas Rehn. 2017. Computing convex hulls and counting integer points with polymake. Math. Program. Comput., 9, 1 (2017), 1–38.Google ScholarGoogle ScholarCross RefCross Ref
  5. Peter Backeman, Philipp Rümmer, and Aleksandar Zeljic. 2018. Bit-Vector Interpolation and Quantifier Elimination by Lazy Reduction. In 2018 Formal Methods in Computer Aided Design, FMCAD 2018, Austin, TX, USA, October 30 - November 2, 2018, Nikolaj Bjørner and Arie Gurfinkel (Eds.). IEEE, 1–10.Google ScholarGoogle Scholar
  6. Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, and David Brumley. 2017. Your Exploit is Mine: Automatic Shellcode Transplant for Remote Exploits. In 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017. IEEE Computer Society, 824–839.Google ScholarGoogle ScholarCross RefCross Ref
  7. Clark W. Barrett and Cesare Tinelli. 2018. Satisfiability Modulo Theories. In Handbook of Model Checking, Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem (Eds.). Springer, 305–343.Google ScholarGoogle Scholar
  8. Edd Barrett and Andy King. 2010. Range and Set Abstraction using SAT. Electron. Notes Theor. Comput. Sci., 267, 1 (2010).Google ScholarGoogle Scholar
  9. Thomas Becker, Volker Weispfenning, and Heinz Kredel. 1993. Gröbner bases - a computational approach to commutative algebra (Graduate texts in mathematics, Vol. 141). Springer. isbn:978-3-540-97971-5Google ScholarGoogle Scholar
  10. Dirk Beyer, Alessandro Cimatti, Alberto Griggio, M. Erkan Keremoglu, and Roberto Sebastiani. 2009. Software model checking via large-block encoding. In Proceedings of 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009, 15-18 November 2009, Austin, Texas, USA. IEEE, 25–32.Google ScholarGoogle ScholarCross RefCross Ref
  11. Fabrizio Biondi, Michael A. Enescu, Annelie Heuser, Axel Legay, Kuldeep S. Meel, and Jean Quilbeuf. 2018. Scalable Approximation of Quantitative Information Flow in Programs. In Verification, Model Checking, and Abstract Interpretation - 19th International Conference, VMCAI 2018, Los Angeles, CA, USA, January 7-9, 2018, Proceedings, Isil Dillig and Jens Palsberg (Eds.) (Lecture Notes in Computer Science, Vol. 10747). Springer, 71–93.Google ScholarGoogle Scholar
  12. Nikolaj Bjørner, Anh-Dung Phan, and Lars Fleckenstein. 2015. ν Z-an optimizing SMT solver. In Proceedings of the 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems - Volume 9035. Springer-Verlag, Berlin, Heidelberg. 194–199. isbn:978-3-662-46680-3Google ScholarGoogle Scholar
  13. Bruno Blanchet, Patrick Cousot, Radhia Cousot, Jérome Feret, Laurent Mauborgne, Antoine Miné, David Monniaux, and Xavier Rival. 2003. A Static Analyzer for Large Safety-critical Software. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation (PLDI ’03). ACM, New York, NY, USA. 196–207. isbn:1-58113-662-5Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Jörg Brauer and Andy King. 2010. Automatic Abstraction for Intervals Using Boolean Formulae.. In Proceedings of the 17th International Conference on Static Analysis (SAS’10). Springer-Verlag, Berlin, Heidelberg. 167–183. isbn:3-642-15768-8, 978-3-642-15768-4Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Michael Brickenstein, Alexander Dreyer, Gert-Martin Greuel, Markus Wedler, and Oliver Wienand. 2009. New developments in the theory of Gröbner bases and applications to formal verification. Journal of Pure and Applied Algebra, 213, 8 (2009).Google ScholarGoogle ScholarCross RefCross Ref
  16. Stefan Bygde, Björn Lisper, and Niklas Holsti. 2012. Fully Bounded Polyhedral Analysis of Integers with Wrapping. Electron. Notes Theor. Comput. Sci., 288 (2012), 3–13.Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. P. Chen and H. Chen. 2018. Angora: Efficient Fuzzing by Principled Search. In 2018 IEEE Symposium on Security and Privacy (SP). 00, 711–725. issn:2375-1207Google ScholarGoogle Scholar
  18. Yuansi Chen, Raaz Dwivedi, Martin J. Wainwright, and Bin Yu. 2018. Fast MCMC Sampling Algorithms on Polytopes. J. Mach. Learn. Res., 19 (2018), 55:1–55:86.Google ScholarGoogle Scholar
  19. Victor Chernozhukov and Han Hong. 2003. An MCMC approach to classical estimation. Journal of Econometrics, 115, 2 (2003), 293–346.Google ScholarGoogle ScholarCross RefCross Ref
  20. Patrick Cousot and Radhia Cousot. 1977. Static Determination of Dynamic Properties of Generalized Type Unions. In Proceedings of an ACM Conference on Language Design for Reliable Software. Association for Computing Machinery, New York, NY, USA. 77–94. isbn:9781450373807Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Patrick Cousot and Radhia Cousot. 1979. Systematic Design of Program Analysis Frameworks. In Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages (POPL ’79). Association for Computing Machinery, New York, NY, USA. 269–282. isbn:9781450373579Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Patrick Cousot and Nicolas Halbwachs. 1978. Automatic Discovery of Linear Restraints Among Variables of a Program. In Conference Record of the Fifth Annual ACM Symposium on Principles of Programming Languages, Tucson, Arizona, USA, January 1978, Alfred V. Aho, Stephen N. Zilles, and Thomas G. Szymanski (Eds.). ACM Press, 84–96.Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Sandeep Dasgupta, Daejun Park, Theodoros Kasampalis, Vikram S. Adve, and Grigore Rosu. 2019. A complete formal semantics of x86-64 user-level instruction set architecture. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2019, Phoenix, AZ, USA, June 22-26, 2019, Kathryn S. McKinley and Kathleen Fisher (Eds.). ACM, 1133–1148.Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Sumanth Dathathri, Nikos Aréchiga, Sicun Gao, and Richard M. Murray. 2017. Learning-Based Abstractions for Nonlinear Constraint Solving. In Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence, IJCAI 2017, Melbourne, Australia, August 19-25, 2017, Carles Sierra (Ed.). ijcai.org, 592–599.Google ScholarGoogle Scholar
  25. Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08/ETAPS’08). Springer-Verlag, Berlin, Heidelberg. 337–340. isbn:3-540-78799-2, 978-3-540-78799-0Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. B. Dolan-Gavitt, P. Hulin, E. Kirda, T. Leek, A. Mambretti, W. Robertson, F. Ulrich, and R. Whelan. 2016. LAVA: Large-Scale Automated Vulnerability Addition. In 2016 IEEE Symposium on Security and Privacy (SP). 110–121. issn:2375-1207Google ScholarGoogle Scholar
  27. Rafael Dutra, Kevin Laeufer, Jonathan Bachrach, and Koushik Sen. 2018. Efficient Sampling of SAT Solutions for Testing. In Proceedings of the 40th International Conference on Software Engineering (ICSE ’18). Association for Computing Machinery, New York, NY, USA. 549–559. isbn:9781450356381Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Martin E. Dyer and Alan M. Frieze. 1988. On the Complexity of Computing the Volume of a Polyhedron. SIAM J. Comput., 17, 5 (1988), 967–974.Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Stefano Ermon, Carla P. Gomes, Ashish Sabharwal, and Bart Selman. 2013. Taming the Curse of Dimensionality: Discrete Integration by Hashing and Optimization. In Proceedings of the 30th International Conference on Machine Learning, ICML 2013, Atlanta, GA, USA, 16-21 June 2013 (JMLR Workshop and Conference Proceedings, Vol. 28). JMLR.org, 334–342.Google ScholarGoogle Scholar
  30. Katalin Fazekas, Fahiem Bacchus, and Armin Biere. 2018. Implicit Hitting Set Algorithms for Maximum Satisfiability Modulo Theories. In Automated Reasoning - 9th International Joint Conference, IJCAR 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 14-17, 2018, Proceedings, Didier Galmiche, Stephan Schulz, and Roberto Sebastiani (Eds.) (Lecture Notes in Computer Science, Vol. 10900). Springer, 134–151.Google ScholarGoogle ScholarCross RefCross Ref
  31. Vijay Ganesh and David L Dill. 2007. A decision procedure for bit-vectors and arrays. In Proceedings of the 19th International Conference on Computer Aided Verification (CAV’07). Springer-Verlag, Berlin, Heidelberg. 519–531. isbn:978-3-540-73367-6Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Graeme Gange, Jorge A. Navas, Peter Schachte, Harald Søndergaard, and Peter J. Stuckey. 2015. Interval Analysis and Machine Arithmetic: Why Signedness Ignorance Is Bliss. ACM Trans. Program. Lang. Syst., 37, 1 (2015), Article 1, Jan., 1:1–1:35 pages. issn:0164-0925Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Denis Gopan and Thomas Reps. 2007. Low-level Library Analysis and Summarization. In Proceedings of the 19th International Conference on Computer Aided Verification (CAV’07). Springer-Verlag, Berlin, Heidelberg. 68–81. isbn:978-3-540-73367-6Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Sumit Gulwani and Madan Musuvathi. 2008. Cover Algorithms and Their Combination. In Programming Languages and Systems, 17th European Symposium on Programming, ESOP 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29-April 6, 2008. Proceedings, Sophia Drossopoulou (Ed.) (Lecture Notes in Computer Science, Vol. 4960). Springer, 193–207.Google ScholarGoogle ScholarCross RefCross Ref
  35. Jingxuan He, Gagandeep Singh, Markus Püschel, and Martin T. Vechev. 2020. Learning fast and precise numerical analysis. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, Alastair F. Donaldson and Emina Torlak (Eds.). ACM, 1112–1127.Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Julien Henry, Mihail Asavoae, David Monniaux, and Claire Maiza. 2014. How to compute worst-case execution time by optimization modulo theory and a clever encoding of program semantics. In SIGPLAN/SIGBED Conference on Languages, Compilers and Tools for Embedded Systems 2014, LCTES ’14, Edinburgh, United Kingdom - June 12 - 13, 2014, Youtao Zhang and Prasad Kulkarni (Eds.). ACM, 43–52.Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Heqing Huang, Peisen Yao, Rongxin Wu, Qingkai Shi, and Charles Zhang. 2020. Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction. In 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, May 18-21, 2020. IEEE, 1613–1627.Google ScholarGoogle Scholar
  38. Jiahong Jiang, Liqian Chen, Xueguang Wu, and Ji Wang. 2017. Block-Wise Abstract Interpretation by Combining Abstract Domains with SMT. In Verification, Model Checking, and Abstract Interpretation - 18th International Conference, VMCAI 2017, Paris, France, January 15-17, 2017, Proceedings, Ahmed Bouajjani and David Monniaux (Eds.) (Lecture Notes in Computer Science, Vol. 10145). Springer, 310–329.Google ScholarGoogle Scholar
  39. Ajith K John and Supratik Chakraborty. 2011. A quantifier elimination algorithm for linear modular equations and disequations. In Proceedings of the 23rd International Conference on Computer Aided Verification (CAV’11). Springer-Verlag, Berlin, Heidelberg. 486–503. isbn:978-3-642-22109-5Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Ajith K John and Supratik Chakraborty. 2013. Extending quantifier elimination to linear inequalities on bit-vectors. In Proceedings of the 19th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’13). Springer-Verlag, Berlin, Heidelberg. 78–92. isbn:978-3-642-36741-0Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Martin Jonás and Jan Strejcek. 2016. Solving Quantified Bit-Vector Formulas Using Binary Decision Diagrams. In Theory and Applications of Satisfiability Testing - SAT 2016 - 19th International Conference, Bordeaux, France, July 5-8, 2016, Proceedings, Nadia Creignou and Daniel Le Berre (Eds.) (Lecture Notes in Computer Science, Vol. 9710). Springer, 267–283.Google ScholarGoogle Scholar
  42. Ravi Kannan and Hariharan Narayanan. 2009. Random Walks on Polytopes and an Affine Interior Point Method for Linear Programming. In Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing (STOC ’09). ACM, New York, NY, USA. 561–570. isbn:978-1-60558-506-2Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Ravindran Kannan and Hariharan Narayanan. 2012. Random Walks on Polytopes and an Affine Interior Point Method for Linear Programming. Math. Oper. Res., 37, 1 (2012), 1–20.Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Zachary Kincaid, John Cyphert, Jason Breck, and Thomas Reps. 2017. Non-Linear Reasoning for Invariant Synthesis. Proc. ACM Program. Lang., 2, POPL (2017), Article 54, Dec., 33 pages.Google ScholarGoogle Scholar
  45. Nathan Kitchen and Andreas Kuehlmann. 2007. Stimulus generation for constrained random simulation. In 2007 International Conference on Computer-Aided Design, ICCAD 2007, San Jose, CA, USA, November 5-8, 2007, Georges G. E. Gielen (Ed.). IEEE Computer Society, 258–265.Google ScholarGoogle ScholarCross RefCross Ref
  46. Ali Sinan Köksal, Viktor Kuncak, and Philippe Suter. 2012. Constraints as Control. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’12). Association for Computing Machinery, New York, NY, USA. 151–164. isbn:9781450310833Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Anvesh Komuravelli, Arie Gurfinkel, and Sagar Chaki. 2016. SMT-based model checking for recursive programs. Formal Methods Syst. Des., 48, 3 (2016), 175–205.Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Soonho Kong, Armando Solar-Lezama, and Sicun Gao. 2018. Delta-Decision Procedures for Exists-Forall Problems over the Reals. 10982 (2018), 219–235.Google ScholarGoogle Scholar
  49. Shuvendu K Lahiri, Robert Nieuwenhuis, and Albert Oliveras. 2006. SMT techniques for fast predicate abstraction. In Proceedings of the 18th International Conference on Computer Aided Verification (CAV’06). Springer-Verlag, Berlin, Heidelberg. 424–437. isbn:3-540-37406-X, 978-3-540-37406-0Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Yi Li, Aws Albarghouthi, Zachary Kincaid, Arie Gurfinkel, and Marsha Chechik. 2014. Symbolic optimization with SMT solvers. In Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’14). ACM, New York, NY, USA. 607–618. isbn:978-1-4503-2544-8Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Junghee Lim and Thomas Reps. 2013. TSL: A System for Generating Abstract Interpreters and Its Application to Machine-Code Analysis. ACM Trans. Program. Lang. Syst., 35, 1 (2013), Article 4, April, 59 pages. issn:0164-0925Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Fangzhen Lin. 2001. On strongest necessary and weakest sufficient conditions. Artif. Intell., 128, 1-2 (2001), 143–159.Google ScholarGoogle Scholar
  53. Fangzhen Lin and Ray Reiter. 1994. Forget it. In Working Notes of AAAI Fall Symposium on Relevance. 154–159.Google ScholarGoogle Scholar
  54. Björn Lisper. 2003. Fully Automatic, Parametric Worst-Case Execution Time Analysis. In Proceedings of the 3rd International Workshop on Worst-Case Execution Time Analysis, WCET 2003 - a Satellite Event to ECRTS 2003, Polytechnic Institute of Porto, Portugal, July 1, 2003, Jan Gustafsson (Ed.). MDH-MRTC-116/2003-1-SE, Department of Computer Science and Engineering, Mälardalen University, Box 883, 721 23 Västerås, Sweden, 99–102.Google ScholarGoogle Scholar
  55. Francesco Logozzo and Manuel Fähndrich. 2008. On the Relative Completeness of Bytecode Analysis Versus Source Code Analysis. In Compiler Construction, 17th International Conference, CC 2008, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2008, Budapest, Hungary, March 29 - April 6, 2008. Proceedings, Laurie J. Hendren (Ed.) (Lecture Notes in Computer Science, Vol. 4959). Springer, 197–212.Google ScholarGoogle ScholarCross RefCross Ref
  56. Rüdiger Loos and Volker Weispfenning. 1993. Applying Linear Quantifier Elimination. Comput. J., 36, 5 (1993), 450–462.Google ScholarGoogle ScholarCross RefCross Ref
  57. Kuldeep S. Meel and S. Akshay. 2020. Sparse Hashing for Scalable Approximate Model Counting: Theory and Practice. In Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS ’20). Association for Computing Machinery, New York, NY, USA. 728–741. isbn:9781450371049Google ScholarGoogle Scholar
  58. Antoine Miné. 2001. A New Numerical Abstract Domain Based on Difference-Bound Matrices. In Proceedings of the Second Symposium on Programs As Data Objects (PADO ’01). Springer-Verlag, London, UK, UK. 155–172. isbn:3-540-42068-1Google ScholarGoogle ScholarDigital LibraryDigital Library
  59. Antoine Miné. 2006. The octagon abstract domain. High. Order Symb. Comput., 19, 1 (2006), 31–100.Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. David Monniaux. 2009. Automatic Modular Abstractions for Linear Constraints. In Proceedings of the 36th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’09). ACM, New York, NY, USA. 140–151. isbn:978-1-60558-379-2Google ScholarGoogle ScholarDigital LibraryDigital Library
  61. David Monniaux. 2010. Quantifier Elimination by Lazy Model Enumeration. In Proceedings of the 22nd International Conference on Computer Aided Verification (CAV’10). Springer-Verlag, Berlin, Heidelberg. 585–599. isbn:364214294XGoogle ScholarGoogle ScholarDigital LibraryDigital Library
  62. Alexander Nadel and Vadim Ryvchin. 2016. Bit-vector optimization. In Proceedings of the 22Nd International Conference on Tools and Algorithms for the Construction and Analysis of Systems - Volume 9636 (TACAS’16). Springer-Verlag New York, Inc., New York, NY, USA. 851–867. isbn:978-3-662-49673-2Google ScholarGoogle ScholarDigital LibraryDigital Library
  63. Nina Narodytska and Fahiem Bacchus. 2014. Maximum satisfiability using core-guided MaxSAT resolution. In Proceedings of the Twenty-Eighth AAAI Conference on Artificial Intelligence (AAAI’14). AAAI Press, 2717–2723.Google ScholarGoogle ScholarDigital LibraryDigital Library
  64. Reuven Naveh and Amit Metodi. [n. d.]. Beyond Feasibility: CP Usage in Constrained-Random Functional Hardware Verification. In Principles and Practice of Constraint Programming - 19th International Conference, CP 2013, Uppsala, Sweden, September 16-20, 2013. Proceedings, Christian Schulte (Ed.) (Lecture Notes in Computer Science, Vol. 8124).Google ScholarGoogle Scholar
  65. Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’07). Association for Computing Machinery, New York, NY, USA. 89–100. isbn:9781595936332Google ScholarGoogle ScholarDigital LibraryDigital Library
  66. Aina Niemetz, Mathias Preiner, Andrew Reynolds, Clark W. Barrett, and Cesare Tinelli. 2018. Solving Quantified Bit-Vectors Using Invertibility Conditions. In Computer Aided Verification - 30th International Conference, CAV 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 14-17, 2018, Proceedings, Part II, Hana Chockler and Georg Weissenbacher (Eds.) (Lecture Notes in Computer Science, Vol. 10982). Springer, 236–255.Google ScholarGoogle Scholar
  67. Aina Niemetz, Mathias Preiner, Andrew Reynolds, Clark W. Barrett, and Cesare Tinelli. 2021. Syntax-Guided Quantifier Instantiation. In Tools and Algorithms for the Construction and Analysis of Systems - 27th International Conference, TACAS 2021, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2021, Luxembourg City, Luxembourg, March 27 - April 1, 2021, Proceedings, Part II, Jan Friso Groote and Kim Guldstrand Larsen (Eds.) (Lecture Notes in Computer Science, Vol. 12652). Springer, 145–163.Google ScholarGoogle ScholarCross RefCross Ref
  68. Robert Nieuwenhuis and Albert Oliveras. 2006. On SAT modulo theories and optimization problems. In Proceedings of the 9th International Conference on Theory and Applications of Satisfiability Testing (SAT’06). Springer-Verlag, Berlin, Heidelberg. 156–169. isbn:3-540-37206-7, 978-3-540-37206-6Google ScholarGoogle ScholarDigital LibraryDigital Library
  69. Sebastian Poeplau and Aurélien Francillon. 2020. Symbolic execution with SymCC: Don’t interpret, compile!. In 29th USENIX Security Symposium, USENIX Security 2020, August 12-14, 2020, Srdjan Capkun and Franziska Roesner (Eds.). USENIX Association, 181–198.Google ScholarGoogle Scholar
  70. Mathias Preiner, Aina Niemetz, and Armin Biere. 2017. Counterexample-Guided Model Synthesis. In Tools and Algorithms for the Construction and Analysis of Systems - 23rd International Conference, TACAS 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings, Part I, Axel Legay and Tiziana Margaria (Eds.) (Lecture Notes in Computer Science, Vol. 10205). 264–280.Google ScholarGoogle ScholarCross RefCross Ref
  71. John Regehr and Alastair Reid. 2004. HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XI). ACM, New York, NY, USA. 133–143. isbn:1-58113-804-0Google ScholarGoogle ScholarDigital LibraryDigital Library
  72. Thomas Reps and Gogul Balakrishnan. 2008. Improved Memory-access Analysis for x86 Executables. In Proceedings of the Joint European Conferences on Theory and Practice of Software 17th International Conference on Compiler Construction (CC’08/ETAPS’08). Springer-Verlag, Berlin, Heidelberg. 16–35. isbn:3-540-78790-9, 978-3-540-78790-7Google ScholarGoogle ScholarDigital LibraryDigital Library
  73. Thomas W. Reps, Shmuel Sagiv, and Greta Yorsh. 2004. Symbolic Implementation of the Best Transformer. In Verification, Model Checking, and Abstract Interpretation, 5th International Conference, VMCAI 2004, Venice, Italy, January 11-13, 2004, Proceedings, Bernhard Steffen and Giorgio Levi (Eds.) (Lecture Notes in Computer Science, Vol. 2937). Springer, 252–266.Google ScholarGoogle Scholar
  74. Thomas W. Reps and Aditya V. Thakur. 2016. Automating Abstract Interpretation. In Verification, Model Checking, and Abstract Interpretation - 17th International Conference, VMCAI 2016, St. Petersburg, FL, USA, January 17-19, 2016. Proceedings, Barbara Jobstmann and K. Rustan M. Leino (Eds.) (Lecture Notes in Computer Science, Vol. 9583). Springer, 3–40.Google ScholarGoogle Scholar
  75. Fabian Ritter. 2015. Compiler Optimizations using Symbolic Abstraction. Ph. D. Dissertation. Saarland University.Google ScholarGoogle Scholar
  76. Sriram Sankaranarayanan, Franjo Ivančić, Ilya Shlyakhter, and Aarti Gupta. 2006. Static Analysis in Disjunctive Numerical Domains. In Proceedings of the 13th International Conference on Static Analysis (SAS’06). Springer-Verlag, Berlin, Heidelberg. 3–17. isbn:3-540-37756-5, 978-3-540-37756-6Google ScholarGoogle ScholarDigital LibraryDigital Library
  77. Roberto Sebastiani and Silvia Tomasi. 2015. Optimization Modulo Theories with Linear Rational Costs. ACM Trans. Comput. Logic, 16, 2 (2015), Article 12, Feb., 43 pages. issn:1529-3785Google ScholarGoogle ScholarDigital LibraryDigital Library
  78. Roberto Sebastiani and Silvia Tomasi. 2015. Optimization modulo theories with linear rational costs. ACM Trans. Comput. Logic, 16, 2 (2015), Article 12, Feb., 43 pages. issn:1529-3785Google ScholarGoogle ScholarDigital LibraryDigital Library
  79. Roberto Sebastiani and Patrick Trentin. 2015. OptiMathSAT: A Tool for Optimization Modulo Theories. In Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part I, Daniel Kroening and Corina S. Pasareanu (Eds.) (Lecture Notes in Computer Science, Vol. 9206). Springer, 447–454.Google ScholarGoogle Scholar
  80. Roberto Sebastiani and Patrick Trentin. 2015. Pushing the envelope of optimization modulo theories with linear-arithmetic cost functions. In Proceedings of the 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems - Volume 9035. Springer-Verlag, Berlin, Heidelberg. 335–349. isbn:978-3-662-46680-3Google ScholarGoogle ScholarDigital LibraryDigital Library
  81. Tushar Sharma, Thomas Reps, and Aditya Thakur. 2013. An Abstract Domain for Bit-Vector Inequalities. University of Wisconsin-Madison Department of Computer Sciences.Google ScholarGoogle Scholar
  82. Tushar Sharma and Thomas W. Reps. 2017. Sound Bit-Precise Numerical Domains. In Verification, Model Checking, and Abstract Interpretation - 18th International Conference, VMCAI 2017, Paris, France, January 15-17, 2017, Proceedings, Ahmed Bouajjani and David Monniaux (Eds.) (Lecture Notes in Computer Science, Vol. 10145). Springer, 500–520.Google ScholarGoogle Scholar
  83. Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Krügel, and Giovanni Vigna. 2016. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016. IEEE Computer Society, 138–157.Google ScholarGoogle Scholar
  84. Axel Simon and Andy King. 2007. Taming the Wrapping of Integer Arithmetic. In Static Analysis, 14th International Symposium, SAS 2007, Kongens Lyngby, Denmark, August 22-24, 2007, Proceedings, Hanne Riis Nielson and Gilberto Filé (Eds.) (Lecture Notes in Computer Science, Vol. 4634). Springer, 121–136.Google ScholarGoogle Scholar
  85. Gagandeep Singh, Markus Püschel, and Martin Vechev. 2017. Fast Polyhedra Abstract Domain. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2017). ACM, New York, NY, USA. 46–59. isbn:978-1-4503-4660-3Google ScholarGoogle ScholarDigital LibraryDigital Library
  86. Gagandeep Singh, Markus Püschel, and Martin Vechev. 2017. A Practical Construction for Decomposing Numerical Abstract Domains. Proc. ACM Program. Lang., 2, POPL (2017), Article 55, Dec., 28 pages. issn:2475-1421Google ScholarGoogle Scholar
  87. Gagandeep Singh, Markus Püschel, and Martin Vechev. 2017. A Practical Construction for Decomposing Numerical Abstract Domains. Proc. ACM Program. Lang., 2, POPL (2017), Article 55, Dec., 28 pages. issn:2475-1421Google ScholarGoogle Scholar
  88. Gagandeep Singh, Markus Püschel, and Martin T. Vechev. 2015. Making numerical program analysis fast. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, Portland, OR, USA, June 15-17, 2015, David Grove and Steve Blackburn (Eds.). ACM, 303–313.Google ScholarGoogle ScholarDigital LibraryDigital Library
  89. Gagandeep Singh, Markus Püschel, and Martin T. Vechev. 2018. Fast Numerical Program Analysis with Reinforcement Learning. In Computer Aided Verification - 30th International Conference, CAV 2018, Held as Part of the Federated Logic Conference, FloC 2018, Oxford, UK, July 14-17, 2018, Proceedings, Part I, Hana Chockler and Georg Weissenbacher (Eds.) (Lecture Notes in Computer Science, Vol. 10981). Springer, 211–229.Google ScholarGoogle Scholar
  90. Jia Song and Jim Alves-Foss. 2016. The DARPA Cyber Grand Challenge: A Competitor’s Perspective, Part 2. IEEE Secur. Priv., 14, 1 (2016), 76–81.Google ScholarGoogle ScholarDigital LibraryDigital Library
  91. Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21-24, 2016. The Internet Society.Google ScholarGoogle Scholar
  92. Allison Sullivan, Darko Marinov, and Sarfraz Khurshid. 2019. Solution Enumeration Abstraction: A Modeling Idiom to Enhance a Lightweight Formal Method. In Formal Methods and Software Engineering - 21st International Conference on Formal Engineering Methods, ICFEM 2019, Shenzhen, China, November 5-9, 2019, Proceedings, Yamine Aït Ameur and Shengchao Qin (Eds.) (Lecture Notes in Computer Science, Vol. 11852). Springer, 336–352.Google ScholarGoogle Scholar
  93. Aditya V Thakur, Matt Elder, and Thomas W Reps. 2012. Bilateral Algorithms for Symbolic Abstraction.. In Proceedings of the 19th International Conference on Static Analysis (SAS’12). Springer-Verlag, Berlin, Heidelberg. 111–128. isbn:978-3-642-33124-4Google ScholarGoogle ScholarDigital LibraryDigital Library
  94. Aditya V. Thakur, Akash Lal, Junghee Lim, and Thomas W. Reps. 2015. PostHat and All That: Automating Abstract Interpretation. Electron. Notes Theor. Comput. Sci., 311 (2015), 15–32.Google ScholarGoogle ScholarDigital LibraryDigital Library
  95. Aditya V. Thakur and Thomas W. Reps. 2012. A Method for Symbolic Computation of Abstract Operations. In Computer Aided Verification - 24th International Conference, CAV 2012, Berkeley, CA, USA, July 7-13, 2012 Proceedings, P. Madhusudan and Sanjit A. Seshia (Eds.) (Lecture Notes in Computer Science, Vol. 7358). Springer, 174–192.Google ScholarGoogle Scholar
  96. Shiyi Wei, Piotr Mardziel, Andrew Ruef, Jeffrey S. Foster, and Michael Hicks. 2018. Evaluating Design Tradeoffs in Numeric Static Analysis for Java. In Programming Languages and Systems - 27th European Symposium on Programming, ESOP 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings, Amal Ahmed (Ed.) (Lecture Notes in Computer Science, Vol. 10801). Springer, 653–682.Google ScholarGoogle ScholarCross RefCross Ref
  97. Christoph M Wintersteiger, Youssef Hamadi, and Leonardo De Moura. 2013. Efficiently solving quantified bit-vector formulas. Form. Methods Syst. Des., 42, 1 (2013), Feb., 3–23. issn:0925-9856Google ScholarGoogle ScholarDigital LibraryDigital Library
  98. Bo-Han Wu and Chung-Yang (Ric) Huang. 2013. A robust constraint solving framework for multiple constraint sets in constrained random verification. In The 50th Annual Design Automation Conference 2013, DAC ’13, Austin, TX, USA, May 29 - June 07, 2013. ACM, 119:1–119:7.Google ScholarGoogle ScholarDigital LibraryDigital Library
  99. Greta Yorsh, Thomas W. Reps, and Shmuel Sagiv. 2004. Symbolically Computing Most-Precise Abstract Operations for Shape Analysis. In Tools and Algorithms for the Construction and Analysis of Systems, 10th International Conference, TACAS 2004, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2004, Barcelona, Spain, March 29 - April 2, 2004, Proceedings, Kurt Jensen and Andreas Podelski (Eds.) (Lecture Notes in Computer Science, Vol. 2988). Springer, 530–545.Google ScholarGoogle ScholarCross RefCross Ref
  100. Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC’18). USENIX Association, Berkeley, CA, USA. 745–761. isbn:978-1-931971-46-1Google ScholarGoogle Scholar

Index Terms

  1. Program analysis via efficient symbolic abstraction

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Article Metrics

        • Downloads (Last 12 months)213
        • Downloads (Last 6 weeks)13

        Other Metrics

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!