Abstract
Model counting is of central importance in quantitative reasoning about systems. Examples include computing the probability that a system successfully accomplishes its task without errors, and measuring the number of bits leaked by a system to an adversary in Shannon entropy. Most previous work in those areas demonstrated their analysis on programs with linear constraints, in which cases model counting is polynomial time. Model counting for nonlinear constraints is notoriously hard, and thus programs with nonlinear constraints are not well-studied. This paper surveys state-of-the-art techniques and tools for model counting with respect to SMT constraints, modulo the bitvector theory, since this theory is decidable, and it can express nonlinear constraints that arise from the analysis of computer programs. We integrate these techniques within the Symbolic Pathfinder platform and evaluate them on difficult nonlinear constraints generated from the analysis of cryptographic functions.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
ISSTAC: Integrated Symbolic Execution for Space-Time Analysis of Code. http://www.cmu.edu/silicon-valley/research/isstac
Backes, M., Kopf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: SP 2009, pp. 141–153 (2009)
Bang, L., Aydin, A., Phan, Q.S., Păsăreanu, C.S., Bultan, T.: String analysis for side channels with segmented oracles. In: FSE 2016, pp. 193–204. ACM (2016)
Borges, M., Filieri, A., d’Amorim, M., Păsăreanu, C.S., Visser, W.: Compositional solution space quantification for probabilistic software analysis. In: PLDI, pp. 123–132. ACM (2014)
Brickenstein, M., Dreyer, A.: PolyBoRi: a framework for gröbner-basis computations with boolean polynomials. J. Symb. Comput. 44(9), 1326–1345 (2009)
Brumley, D., Boneh, D.: Remote timing attacks are practical. In: SSYM 2003, pp. 1–1. USENIX Association (2003)
Chakraborty, S., Meel, K.S., Mistry, R., Vardi, M.Y.: Approximate probabilistic inference via word-level counting. In: AAAI 2016, pp. 3218–3224 (2016)
Chistikov, D., Dimitrova, R., Majumdar, R.: Approximate counting in SMT and value estimation for probabilistic programs. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 320–334. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46681-0_26
Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 93–107. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36742-7_7
Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78800-3_24
Filieri, A., Păsăreanu, C.S., Visser, W.: Reliability analysis in symbolic pathfinder. In: ICSE, pp. 622–631. IEEE Press (2013)
Gao, S.: Counting zeros over finite fields using Gröbner bases. Master’s thesis, Carnegie Mellon University (2009)
Grumberg, O., Schuster, A., Yadgar, A.: Memory efficient all-solutions SAT solver and its application for reachability analysis. In: Hu, A.J., Martin, A.K. (eds.) FMCAD 2004. LNCS, vol. 3312, pp. 275–289. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30494-4_20
King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)
Klebanov, V., Manthey, N., Muise, C.: SAT-based analysis and quantification of information flow in programs. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 177–192. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40196-1_16
Klebanov, V., Weigl, A., Weisbarth, J.: Sound probabilistic #SAT with projection. In: QAPL 2016, pp. 15–29 (2016)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_9
Loera, J.A.D., Hemmecke, R., Tauzer, J., Yoshida, R.: Effective lattice point counting in rational convex polytopes. J. Symb. Comput. 38(4), 1273–1302 (2004)
Malacaria, P.: Algebraic foundations for quantitative information flow. Math. Struct. Comput. Sci. 25, 404–428 (2015)
Muise, C., McIlraith, S.A., Beck, J.C., Hsu, E.I.: Dsharp: fast d-DNNF compilation with sharpSAT. In: Kosseim, L., Inkpen, D. (eds.) AI 2012. LNCS (LNAI), vol. 7310, pp. 356–361. Springer, Heidelberg (2012). doi:10.1007/978-3-642-30353-1_36
Phan, Q.S.: Model counting modulo theories. Ph.D. thesis, Queen Mary University of London (2015)
Phan, Q.S., Malacaria, P.: All-solution satisfiability modulo theories: applications, algorithms and benchmarks. In: ARES 2015, pp. 100–109 (2015)
Phan, Q.S., Malacaria, P., Păsăreanu, C.S., d’Amorim, M.: Quantifying information leaks using reliability analysis. In: SPIN 2014, pp. 105–108. ACM (2014)
Păsăreanu, C.S., Phan, Q.S., Malacaria, P.: Multi-run side-channel analysis using Symbolic Execution and Max-SMT. In: CSF 2016, pp. 387–400, June 2016
Păsăreanu, C.S., Visser, W., Bushnell, D., Geldenhuys, J., Mehlitz, P., Rungta, N.: Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis. Autom. Softw. Eng. 20, 1–35 (2013)
Rubinstein, R.: Stochastic enumeration method for counting NP-hard problems. Methodol. Comput. Appl. Probab. 15(2), 249–291 (2013)
Somenzi, F.: CUDD: CU decision diagram package release 3.0.0 (2015)
Thurley, M.: sharpSAT – Counting models with advanced component caching and implicit BCP. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 424–429. Springer, Heidelberg (2006). doi:10.1007/11814948_38
Tran, Q., Vardi, M.Y.: Groebner bases computation in boolean rings for symbolic model checking. In: MOAS, pp. 440–445. ACTA Press (2007)
Tseitin, G.S.: On the complexity of derivation in propositional calculus. In: Siekmann, J.H., Wrightson, G. (eds.) Automation of Reasoning: 2: Classical Papers on Computational Logic, pp. 466–483. Springer, Heidelberg (1983)
Wei, W., Selman, B.: A new approach to model counting. In: Bacchus, F., Walsh, T. (eds.) SAT 2005. LNCS, vol. 3569, pp. 324–339. Springer, Heidelberg (2005). doi:10.1007/11499107_24
Acknowledgement
This work was funded in part by the National Science Foundation (NSF Grant Nos. CCF-1319858, CCF-1549161) and also by DARPA under agreement number FA8750-15-2-0087. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. Mateus Borges is funded by an Imperial College PhD Scholarship.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Borges, M., Phan, QS., Filieri, A., Păsăreanu, C.S. (2017). Model-Counting Approaches for Nonlinear Numerical Constraints. In: Barrett, C., Davies, M., Kahsai, T. (eds) NASA Formal Methods. NFM 2017. Lecture Notes in Computer Science(), vol 10227. Springer, Cham. https://doi.org/10.1007/978-3-319-57288-8_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-57288-8_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57287-1
Online ISBN: 978-3-319-57288-8
eBook Packages: Computer ScienceComputer Science (R0)