research-article

Constraint normalization and parameterized caching for quantitative program analysis

Authors:

Nestan Tsiskaridze,

Nicolás Rosner,

Abdulbaki Aydin,

Tevfik BultanAuthors Info & Claims

ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

Pages 535 - 546

https://doi.org/10.1145/3106237.3106303

Published: 21 August 2017 Publication History

Abstract

Symbolic program analysis techniques rely on satisfiability-checking constraint solvers, while quantitative program analysis techniques rely on model-counting constraint solvers. Hence, the efficiency of satisfiability checking and model counting is crucial for efficiency of modern program analysis techniques. In this paper, we present a constraint caching framework to expedite potentially expensive satisfiability and model-counting queries. Integral to this framework is our new constraint normalization procedure under which the cardinality of the solution set of a constraint, but not necessarily the solution set itself, is preserved. We extend these constraint normalization techniques to string constraints in order to support analysis of string-manipulating code. A group-theoretic framework which generalizes earlier results on constraint normalization is used to express our normalization techniques. We also present a parameterized caching approach where, in addition to storing the result of a model-counting query, we also store a model-counter object in the constraint store that allows us to efficiently recount the number of satisfying models for different maximum bounds. We implement our caching framework in our tool Cashew, which is built as an extension of the Green caching framework, and integrate it with the symbolic execution tool Symbolic PathFinder (SPF) and the model-counting constraint solver ABC. Our experiments show that constraint caching can significantly improve the performance of symbolic and quantitative program analyses. For instance, Cashew can normalize the 10,104 unique constraints in the SMC/Kaluza benchmark down to 394 normal forms, achieve a 10x speedup on the SMC/Kaluza-Big dataset, and an average 3x speedup in our SPF-based side-channel analysis experiments.

References

[1]

Redis. https://redis.io/.

[2]

P. A. Abdulla, M. F. Atig, Y. Chen, L. Holík, A. Rezine, P. Rümmer, and J. Stenman. String constraints for verification. In Proceedings of the 26th International Conference on Computer Aided Verification (CAV), pages 150–166, 2014.

Digital Library

[3]

F. A. Aloul, K. A. Sakallah, and I. L. Markov. Efficient symmetry breaking for boolean satisfiability. IEEE Transactions on Computers, 55(5):549–558, 2006.

Digital Library

[4]

A. Aquino, F. A. Bianchi, M. Chen, G. Denaro, and M. Pezzè. Reusing constraint proofs in program analysis. In Proceedings of the 2015 International Symposium on Software Testing and Analysis, pages 305–315. ACM, 2015.

Digital Library

[5]

A. Aquino, G. Denaro, and M. Pezzè. Heuristically matching solution spaces of arithmetic formulas to efficiently reuse solutions. In Proceedings of the 39th International Conference on Software Engineering, pages 427–437. IEEE Press, 2017.

Digital Library

[6]

A. Aydin, L. Bang, and T. Bultan. Automata-based model counting for string constraints. In Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, Proceedings, Part I, pages 255–272, 2015.

[7]

M. Backes, B. Köpf, and A. Rybalchenko. Automatic discovery and quantification of information leaks. In 30th IEEE Symposium on Security and Privacy (S&P 2009), 17-20 May 2009, Oakland, California, USA, pages 141–153, 2009.

Digital Library

[8]

V. Baldoni, N. Berline, J. D. Loera, B. Dutra, M. Köppe, S. Moreinis, G. Pinto, M. Vergne, and J. Wu. Latte integrale v1.7.2. http://www.math.ucdavis.edu/ latte/, 2004.

[9]

L. Bang, A. Aydin, Q.-S. Phan, C. S. Păsăreanu, and T. Bultan. String analysis for side channels with segmented oracles. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 193–204. ACM, 2016.

Digital Library

[10]

C. Barrett, L. de Moura, S. Ranise, A. Stump, and C. Tinelli. The smt-lib initiative and the rise of smt. In Haifa Verification Conference, pages 3–3. Springer, 2010.

Digital Library

[11]

ESEC/FSE’17, September 4–8, 2017, Paderborn, Germany T. Brennan, N. Tsiskaridze, N. Rosner, S. Aydin, and T. Bultan

[12]

C. Barrett, C. L. Conway, M. Deters, L. Hadarean, D. Jovanović, T. King, A. Reynolds, and C. Tinelli. Cvc4. In International Conference on Computer Aided Verification, pages 171–177. Springer, 2011.

Digital Library

[13]

C. Barrett, M. Deters, L. De Moura, A. Oliveras, and A. Stump. 6 years of smt-comp. Journal of Automated Reasoning, 50(3):243–277, 2013.

Digital Library

[14]

C. Barrett, P. Fontaine, and C. Tinelli. The SMT-LIB Standard: Version 2.5. Technical report, Department of Computer Science, The University of Iowa, 2015. Available at www.smt-lib.org.

[15]

M. Borges, A. Filieri, M. d’Amorim, and C. S. Pasareanu. Iterative distributionaware sampling for probabilistic symbolic execution. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, ESEC/FSE 2015, Bergamo, Italy, August 30 - September 4, 2015, pages 866–877, 2015.

Digital Library

[16]

C. Cadar, D. Dunbar, and D. R. Engler. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In 8th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2008, December 8-10, 2008, San Diego, California, USA, Proceedings, pages 209–224, 2008.

Digital Library

[17]

S. Chakraborty, K. S. Meel, R. Mistry, and M. Y. Vardi. Approximate probabilistic inference via word-level counting. arXiv preprint arXiv:1511.07663, 2015.

Digital Library

[18]

D. Clark, S. Hunt, and P. Malacaria. A static analysis for quantifying information flow in a simple imperative language. Journal of Computer Security, 15(3):321–371, 2007.

Digital Library

[19]

J. Crawford. A theoretical analysis of reasoning by symmetry in first-order logic. In AAAI Workshop on Tractable Reasoning. Citeseer, 1992.

[20]

J. Crawford, M. Ginsberg, E. Luks, and A. Roy. Symmetry-breaking predicates for search problems. KR, 96:148–159, 1996.

Digital Library

[21]

L. De Moura and N. Bjørner. Z3: An efficient smt solver. In International conference on Tools and Algorithms for the Construction and Analysis of Systems, pages 337– 340. Springer, 2008.

Digital Library

[22]

B. Dutertre. Yices 2.2. In International Conference on Computer Aided Verification, pages 737–744. Springer, 2014.

Digital Library

[23]

A. Filieri, C. S. Pasareanu, and W. Visser. Reliability analysis in symbolic pathfinder. In 35th International Conference on Software Engineering, ICSE ’13, San Francisco, CA, USA, May 18-26, 2013, pages 622–631, 2013.

Digital Library

[24]

V. Ganesh, M. Minnes, A. Solar-Lezama, and M. C. Rinard. Word equations with length constraints: What’s decidable? In Proceedings of the 8th International Haifa Verification Conference (HVC), pages 209–226, 2012.

Digital Library

[25]

J. Geldenhuys, M. B. Dwyer, and W. Visser. Probabilistic symbolic execution. In International Symposium on Software Testing and Analysis, ISSTA 2012, Minneapolis, MN, USA, July 15-20, 2012, pages 166–176, 2012.

Digital Library

[26]

I. P. Gent and B. Smith. Symmetry breaking during search in constraint programming. Citeseer, 1999.

[27]

I. P. Gent, K. E. Petrie, and J.-F. Puget. Symmetry in constraint programming. Foundations of Artificial Intelligence, 2:329–376, 2006.

[28]

P. Godefroid, N. Klarlund, and K. Sen. DART: directed automated random testing. In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language Design and Implementation, Chicago, IL, USA, June 12-15, 2005, pages 213–223, 2005.

Digital Library

[29]

J. Heusser and P. Malacaria. Quantifying information leaks in software. In Twenty-Sixth Annual Computer Security Applications Conference, ACSAC 2010, Austin, Texas, USA, 6-10 December 2010, pages 261–269, 2010.

Digital Library

[30]

P. Hooimeijer and W. Weimer. A decision procedure for subset constraints over regular languages. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 188–198, 2009.

Digital Library

[31]

P. Hooimeijer and W. Weimer. Solving string constraints lazily. In Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 377–386, 2010.

Digital Library

[32]

X. Jia, C. Ghezzi, and S. Ying. Enhancing reuse of constraint solutions to improve symbolic execution. In Proceedings of the 2015 International Symposium on Software Testing and Analysis, pages 177–187. ACM, 2015.

Digital Library

[33]

S. Khurshid, C. S. Pasareanu, and W. Visser. Generalized symbolic execution for model checking and testing. In Tools and Algorithms for the Construction and Analysis of Systems, 9th International Conference, TACAS 2003, Warsaw, Poland, April 7-11, 2003, Proceedings, pages 553–568, 2003.

Digital Library

[34]

A. Kiezun, V. Ganesh, P. J. Guo, P. Hooimeijer, and M. D. Ernst. Hampi: a solver for string constraints. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA), pages 105–116, 2009.

Digital Library

[35]

G. Li and I. Ghosh. PASS: string solving with parameterized array and interval automaton. In Proceedings of the 9th International Haifa Verification Conference (HVC), pages 15–31, 2013.

[36]

T. Liang, N. Tsiskaridze, A. Reynolds, C. Tinelli, and C. Barrett. A decision procedure for regular membership and length constraints over unbounded strings. In C. Lutz and S. Ranise, editors, Proceedings of the 10th International Symposium on Frontiers of Combining Systems, volume 9322 of Lecture Notes in Computer Science, pages 135–150. Springer, 2015.

Digital Library

[37]

T. Liang, A. Reynolds, N. Tsiskaridze, C. Tinelli, C. Barrett, and M. Deters. An efficient smt solver for string constraints. Formal Methods in System Design, 48 (3):206–234, 2016.

Digital Library

[38]

J. A. D. Loera, R. Hemmecke, J. Tauzer, and R. Yoshida. Effective lattice point counting in rational convex polytopes. Journal of Symbolic Computation, 38(4): 1273 – 1302, 2004. ISSN 0747-7171.

[39]

K. Luckow, C. S. Păsăreanu, M. B. Dwyer, A. Filieri, and W. Visser. Exact and approximate probabilistic symbolic execution for nondeterministic programs. In Proceedings of the 29th ACM/IEEE international conference on Automated software engineering, pages 575–586. ACM, 2014.

Digital Library

[40]

L. Luu, S. Shinde, P. Saxena, and B. Demsky. A model counter for constraints over unbounded strings. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), page 57, 2014.

Digital Library

[41]

B. Mao, W. Hu, A. Althoff, J. Matai, J. Oberg, D. Mu, T. Sherwood, and R. Kastner. Quantifying timing-based information flow in cryptographic hardware. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design, pages 552–559. IEEE Press, 2015.

Digital Library

[42]

S. McCamant and M. D. Ernst. Quantitative information flow as network flow capacity. In Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation, Tucson, AZ, USA, June 7-13, 2008, pages 193–205, 2008.

Digital Library

[43]

C. S. Pasareanu, W. Visser, D. H. Bushnell, J. Geldenhuys, P. C. Mehlitz, and N. Rungta. Symbolic pathfinder: integrating symbolic execution with model checking for java bytecode analysis. Autom. Softw. Eng., 20(3):391–425, 2013.

[44]

Q. Phan, P. Malacaria, O. Tkachuk, and C. S. Pasareanu. Symbolic quantitative information flow. ACM SIGSOFT Software Engineering Notes, 37(6):1–5, 2012.

Digital Library

[45]

Q. Phan, P. Malacaria, C. S. Pasareanu, and M. d’Amorim. Quantifying information leaks using reliability analysis. In Proceedings of the International Symposium on Model Checking of Software, SPIN 2014, San Jose, CA, USA, pages 105–108, 2014.

Digital Library

[46]

Q.-S. Phan and P. Malacaria. Abstract model counting: a novel approach for quantification of information leaks. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 283–292. ACM, 2014.

Digital Library

[47]

J. Rizzo and T. Duong. The crime attack. Ekoparty Security Conference, 2012.

[48]

P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Proceedings of the 31st IEEE Symposium on Security and Privacy, 2010.

Digital Library

[49]

K. Sen, D. Marinov, and G. Agha. CUTE: a concolic unit testing engine for C. In Proceedings of the 10th European Software Engineering Conference held jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2005, Lisbon, Portugal, September 5-9, 2005, pages 263–272, 2005.

Digital Library

[50]

I. Shlyakhter. Generating effective symmetry-breaking predicates for search problems. Electronic Notes in Discrete Mathematics, 9:19–35, 2001.

[51]

G. Smith. On the foundations of quantitative information flow. In Foundations of Software Science and Computational Structures, 12th International Conference, FOSSACS 2009, York, UK, March 22-29, 2009. Proceedings, pages 288–302, 2009.

[52]

M. Thurley. sharpsat–counting models with advanced component caching and implicit bcp. In International Conference on Theory and Applications of Satisfiability Testing, pages 424–429. Springer, 2006.

Digital Library

[53]

M. Trinh, D. Chu, and J. Jaffar. S3: A symbolic string solver for vulnerability detection in web applications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1232–1243, 2014.

Digital Library

[54]

C. G. Val, M. A. Enescu, S. Bayless, W. Aiello, and A. J. Hu. Precisely measuring quantitative information flow: 10k lines of code and beyond. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pages 31–46. IEEE, 2016.

[55]

S. Verdoolaege. barvinok: User guide. Version 0.23), Electronically available at http://www. kotnet. org/˜ skimo/barvinok, 2007.

[56]

W. Visser, J. Geldenhuys, and M. B. Dwyer. Green: reducing, reusing and recycling constraints in program analysis. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, page 58. ACM, 2012.

Digital Library

[57]

M. Weir, S. Aggarwal, M. P. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4-8, 2010, pages 162–175, 2010.

Digital Library

[58]

Y. Zheng, X. Zhang, and V. Ganesh. Z3-str: A z3-based string solver for web application analysis. In Proceedings of the 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE), pages 114–124, 2013.

Digital Library

Cited By

Shuai ZChen ZMa KLiu KZhang YSun JWang J(2024)Partial Solution Based Constraint Solving Cache in Symbolic ExecutionProceedings of the ACM on Software Engineering10.1145/36608171:FSE(2493-2514)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660817
Bousy IBarr EClark D(2023)PopArt: Ranked Testing EfficiencyIEEE Transactions on Software Engineering10.1109/TSE.2022.321479649:4(2221-2238)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3214796
Amadini R(2021)A Survey on String Constraint SolvingACM Computing Surveys10.1145/348419855:1(1-38)Online publication date: 23-Nov-2021
https://dl.acm.org/doi/10.1145/3484198
Show More Cited By

Index Terms

Constraint normalization and parameterized caching for quantitative program analysis
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification

Recommendations

Parameterized model counting for string and numeric constraints
ESEC/FSE 2018: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Recently, symbolic program analysis techniques have been extended to quantitative analyses using model counting constraint solvers. Given a constraint and a bound, a model counting constraint solver computes the number of solutions for the constraint ...
Subformula caching for model counting and quantitative program analysis
ASE '19: Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering

Quantitative program analysis is an emerging area with applications to software reliability, quantitative information flow, side-channel detection and attack synthesis. Most quantitative program analysis techniques rely on model counting constraint ...
Variable and clause ordering in an FSA approach to propositional satisfiability
CIAA'11: Proceedings of the 16th international conference on Implementation and application of automata

We use a finite state (FSA) construction approach to address the problem of propositional satisfiability (SAT). We use a very simple translation from formulas in conjunctive normal form (CNF) to regular expressions and use regular expressions to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ESEC/FSE 2017: Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

August 2017

1073 pages

ISBN:9781450351058

DOI:10.1145/3106237

General Chairs:
Eric Bodden
Paderborn University, Germany / Fraunhofer IEM, Germany
,
Wilhelm Schäfer
Paderborn University, Germany
,
Program Chairs:
Arie van Deursen
Delft University of Technology, Netherlands
,
Andrea Zisman
Open University, UK

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 August 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Artifacts Evaluated & Reusable

Author Tags

Qualifiers

Research-article

Conference

ESEC/FSE'17

Sponsor:

SIGSOFT

ESEC/FSE'17: Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering

September 4 - 8, 2017

Paderborn, Germany

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
295
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)1

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Shuai ZChen ZMa KLiu KZhang YSun JWang J(2024)Partial Solution Based Constraint Solving Cache in Symbolic ExecutionProceedings of the ACM on Software Engineering10.1145/36608171:FSE(2493-2514)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660817
Bousy IBarr EClark D(2023)PopArt: Ranked Testing EfficiencyIEEE Transactions on Software Engineering10.1109/TSE.2022.321479649:4(2221-2238)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3214796
Amadini R(2021)A Survey on String Constraint SolvingACM Computing Surveys10.1145/348419855:1(1-38)Online publication date: 23-Nov-2021
https://dl.acm.org/doi/10.1145/3484198
Trabish DItzhaky SRinetzky N(2021)Address-Aware Query Caching for Symbolic Execution2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST)10.1109/ICST49551.2021.00023(116-126)Online publication date: Apr-2021
https://doi.org/10.1109/ICST49551.2021.00023
Mues MHowar F(2021)Data-Driven Design and Evaluation of SMT Meta-Solving Strategies: Balancing Performance, Accuracy, and Cost2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE51524.2021.9678881(179-190)Online publication date: Nov-2021
https://doi.org/10.1109/ASE51524.2021.9678881
Kulczynski MManea FNowotka DPoulsen D(2021)ZaligVinder: A generic test framework for string solversJournal of Software: Evolution and Process10.1002/smr.240035:4Online publication date: 28-Oct-2021
https://doi.org/10.1002/smr.2400
Brennan TRothermel GBae D(2020)Detection and mitigation of JIT-induced side channelsProceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Companion Proceedings10.1145/3377812.3382174(143-145)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377812.3382174
Thome JShar LBianculli DBriand L(2020)An Integrated Approach for Effective Injection Vulnerability Analysis of Web Applications Through Security Slicing and Hybrid Constraint SolvingIEEE Transactions on Software Engineering10.1109/TSE.2018.284434346:2(163-195)Online publication date: 1-Feb-2020
https://doi.org/10.1109/TSE.2018.2844343
Bultan T(2020)Quantifying Information Leakage Using Model Counting Constraint SolversVerified Software. Theories, Tools, and Experiments10.1007/978-3-030-41600-3_3(30-35)Online publication date: 14-Mar-2020
https://doi.org/10.1007/978-3-030-41600-3_3
Fowze FTian DHernandez GButler KYavuz T(2019)ProXray: Protocol Model Learning and Guided Firmware AnalysisIEEE Transactions on Software Engineering10.1109/TSE.2019.2939526(1-1)Online publication date: 2019
https://doi.org/10.1109/TSE.2019.2939526
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten