previous day
all days

View: session overviewtalk overview

09:00-10:00 Session 15: Keynote: An Increasing Need for Formality, Martin Dixon, Fellow, Intel

Abstract:  The talk will touch on a number of practical opportunities for formal modeling and methods that Intel sees in HW security research including: instruction sets; the proliferation of programmable agents within SoC’s; and negative space testing.

Bio: Martin G. Dixon is an Intel Fellow. He is responsible for guiding future research and architecture decisions to secure Intel's platforms. He defined and holds patents on new instruction set features for many of the Core(r) Processor ISA features. His early years at Intel included performance and floating-point architecture development on the Pentium (r) 4 Processor family.

10:30-12:00 Session 16: Reasoning about Relational Constraints
Property Directed Inference of Relational Invariants

ABSTRACT. Property Directed Reachability (PDR) is an efficient and scalable approach for solving systems of symbolic constraints, also known as Constrained Horn Clauses (CHC). In the case of non-linear CHCs, which may arise, e.g., from relational verification tasks, PDR aims to infer an inductive invariant for each uninterpreted predicate. However, in many practical cases, this reasoning is not successful, as invariants need to be discovered for groups of predicates, as opposed to individual predicates. We contribute a novel algorithm that identifies such groups automatically and complements the existing PDR technique. The key feature of the algorithm is that it does not require a possibly expensive synchronization transformation over the system of CHCs. We have implemented the algorithm on top of a state-of-the-art CHC solver Spacer. Our experimental evaluation shows that for some CHC systems, on which existing solvers diverge, our tool is able to discover relational invariants.

Knowledge Compilation for Boolean Functional Synthesis

ABSTRACT. A Boolean relational specification is a Boolean formula F (X, Y), where X is a vector of outputs, Y is a vector of inputs, that specifies admissible values of X for every value of Y. The Boolean functional synthesis problem asks for a function vector G(Y), of the same dimension as X, such that for all Y, there is an X such that F(X,Y) holds iff F(G(Y),Y) holds. This problem is at the heart several varied applications and hence has resulted in significant interest and design of practically efficient algorithms to solve it. Empirical evidence from applying these algorithms shows that some specifications, despite having a large representation, admit efficient synthesis, while others with a much smaller representation are notoriously hard to synthesize.

In this paper, we investigate the relation between the representation form of the specification F (X, Y) and the complexity of synthesis. We introduce a new normal form for Boolean formulas, called SynNNF, and show that for specifications in SynNNF, synthesis can be accomplished in time quadratic in the size of the specification. We show that several normal forms studied in the knowledge compilation literature (viz. ROBDD/FBDDs, DNNF and dDNNF) are either already in SynNNF or can be efficiently converted to SynNNF, thereby admitting efficient synthesis. We also show that SynNNF can be exponentially more succinct than these other representation forms. Motivated by these results, we propose an algorithm to convert a Boolean relational specification in CNF to SynNNF, with the intent of solving the Boolean functional synthesis problem. Experiments with a prototype implementation show that this approach solves several benchmarks from the QBFEVAL18 suite that state-of-the-art synthesis tools aren’t able to solve.

Verifying Relational Properties using Trace Logic

ABSTRACT. We present a logical framework for the verification of relational properties in imperative programs. Our work is motivated by relational properties which come from security applications and often require reasoning about formulas with quantifier-alternations. Our framework reduces verification of relational properties of imperative programs to a validity problem into trace logic, an expressive instance of first-order predicate logic. Trace logic draws its expressiveness from its syntax, which allows expressing properties over computation traces. Its axiomatization supports fine-grained reasoning about intermediate steps in program execution, notably loop iterations. We present an algorithm to encode the semantics of programs as well as their relational properties in trace logic, and then show how first-order theorem proving can be used to reason about the resulting trace logic formulas. Our work is implemented in the tool \rapid{} and evaluated with examples coming from the security field.

13:00-14:30 Session 17: Quantifiers and SAT
Autarkies for DQCNF

ABSTRACT. Autarkies for SAT can be used for theoretical studies, preprocessing and inprocessing. They generalise satisfying assignments by allowing to leave some clauses "untouched" (no variable assigned). We introduce the natural generalisation to DQCNF (dependency-quantified boolean CNF), and prove basic results on autarky reduction and autarky normal forms.

Finding an autarky for DQCNF is as hard as finding a satisfying assignment. Fortunately there are (many) natural autarky-systems, which allow restricting the range of autarkies to a more feasible domain, while still maintaining the good general properties of arbitrary autarkies (most important here the unique normalform).

We discuss what seems the most fundamental autarky systems, and how the related reductions can be found by SAT solvers.

Localizing Quantifiers for DQBF

ABSTRACT. Dependency quantified Boolean formulas (DQBFs) are a powerful formalism, which subsumes quantified Boolean formulas (QBFs) and allows an explicit specification of dependencies of existential variables on universal variables. Driven by the needs of various applications which can be encoded by DQBFs in a natural, compact, and elegant way, research on DQBF solving has emerged in the past few years. However, research focused on closed DQBFs in prenex form (where all quantifiers are placed in front of a propositional formula) and non-prenex DQBFs have almost not been studied in the literature. In this paper we provide a formal definition for syntax and semantics of non-closed non-prenex DQBFs and prove useful properties enabling quantifier localization. Moreover, we make use of our theory by integrating quantifier localization into a state-of-the-art DQBF solver. Experiments with prenex DQBF benchmarks including those from the QBFEVAL’18 competition clearly show that quantifier localization pays off in this context.

Anytime Weighted MaxSAT with Improved Polarity Selection and Bit-Vector Optimization

ABSTRACT. This paper introduces a new incremental anytime algorithm for Weighted MaxSAT consisting of two main algorithmic components. First, we propose a new efficient polarity selection heuristic and an enhancement to the variable decision heuristic for SAT-based anytime Weighted MaxSAT solving (and, more generally, for solving any optimization problem with a SAT-based anytime algorithm). Second, we enhance an existing Bit-vector Optimization-based algorithm for solving Unweighted MaxSAT and generalize it to Weighted MaxSAT. Our resulting Weighted MaxSAT solver outscores the state-of-the-art solvers in the settings of both the 60-second and 300-second weighted incomplete tracks of MaxSAT Evaluation 2018. In addition, we describe a new application of anytime incremental Weighted MaxSAT solving: placing at the physical design stage of Computer-aided Design (CAD).

15:00-16:30 Session 18: SMT-based Verification
GuidedSampler: Coverage-guided Sampling of SMT Solutions

ABSTRACT. The problem of sampling a large number of random solutions to SAT and SMT constraints is essential for constrained-random verification and testing. However, most current sampling techniques lack a problem-specific notion of coverage, considering only general goals such uniform distribution. We have developed a new technique for coverage-guided sampling that allows the user to specify the desired coverage points in order to shape the distribution of solutions. Our tool GuidedSampler can efficiently generate high-quality stimuli for constrained-random verification, by sampling valid solutions to a SMT constraint that also cover a large number of user-defined coverage classes.

Extending enumerative function synthesis via SMT-driven classification

ABSTRACT. Many relevant problems in formal methods can be tackled using enumerative syntax-guided synthesis (SyGuS). Algorithms for enumerative SyGuS range from universally applicable techniques based on counterexample-guided inductive synthesis (CEGIS), to more scalable but specialized techniques based on divide and conquer. This paper presents a novel algorithm for enumerative SyGuS, Unif+PI, which reaps the benefits of scalability based on divide and conquer without sacrificing generality. In this algorithm, an instance of an SMT solver is used as both a classifier and an attribute generator. Logical constraints in the form of test cases for the function-to-synthesize and failed classification attempts guide its search for new candidate solutions. We implement our approach as an extension of the CVC4Sy solver and evaluate it on standard SyGuS benchmarks from different applications. We show that the new algorithm leads to significant gains in invariant synthesis with respect to state-of-the-art SyGuS solvers, and is competitive with state-of-the-art k-induction based model checking.

Proving Non-Termination via Loop Acceleration

ABSTRACT. We present the first approach to prove non-termination of integer programs that is based on loop acceleration. Whenever our technique cannot show non-termination of a loop, it tries to accelerate it instead. Our novel acceleration technique is applicable if the loop's guard satisfies a certain monotonicity condition. As this condition generalizes a simple yet effective non-termination criterion, we can use the same program transformations to facilitate both loop acceleration and non-termination proving. In particular, we present a novel invariant inference technique that is tailored to our approach. An extensive evaluation of our fully automated tool LoAT shows that it is competitive with state-of-the-art termination analyzers.