Differential Assertion Checking - Shuvendu Lahiri, Kenneth McMillan, Rahul Sharma, Chris Hawblitzel


Assertion Checking

    void strcopy(char *dst, char *src, int size) {
        int i = 0;
        for (; i < size - 1 && *src; i++)
            *dst++ = *src++;
        *dst = 0;
    }

  • assert(Valid(x)) before every *x

Assertion Checking is Hard

    void strcopy(char *dst, char *src, int size) {
        int i = 0;
        for (; i < size - 1 && *src; i++)
            *dst++ = *src++;
        *dst = 0;
    }

Correctness -> Relative Correctness

  • Practical and useful

Relative Correctness (Bug)

    void strcopy_correct(char *dst, char *src, int size) {
        int i = 0;
        for (; i < size - 1 && *src; i++)
            *dst++ = *src++;
        *dst = 0;
    }

    void strcopy_buggy(char *dst, char *src, int size) {
        int i = 0;
        for (; *src && i < size - 1; i++)
            *dst++ = *src++;
        *dst = 0;
    }

  CEX: size = 0, src = 0, dst = some valid location (the buggy version dereferences src before checking size; the correct version never reaches *src)

Relative Correctness (Proof)

    void strcopy_buggy(char *dst, char *src, int size) {
        int i = 0;
        for (; *src && i < size - 1; i++)
            *dst++ = *src++;
        *dst = 0;
    }

    void strcopy_correct(char *dst, char *src, int size) {
        int i = 0;
        for (; i < size - 1 && *src; i++)
            *dst++ = *src++;
        *dst = 0;
    }

  • No need to constrain the inputs
  • Invariants: src.1 = src.2, dst.1 = dst.2, size.1 = size.2, i.1 = i.2

Differential Assertion Checking

    bool ok1; bool ok2;
    ok1 := ok2 := true;
    main1;
    main2;
    assert ok1 => ok2;

  • In main1, every "assert b" is replaced by "ok1 := ok1 && b"
  • In main2, every "assert b" is replaced by "ok2 := ok2 && b"
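As an added illustration (not code from the paper or the SymDiff tool), the following C program applies the instrumentation above to the strcopy pair from the earlier slides: every assert(Valid(x)) becomes an update of an ok flag, both versions run on the same concrete input, and the result is ok1 => ok2. Valid(x) is modelled by a constructed region check (assumed here, not the paper's memory model) so that the slide's counterexample (size=0, src=0) can be executed without crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed memory model (added here, not from the paper): a pointer is
   Valid iff it lies inside the region it is used with, so the buggy version
   can be run on the slide's counterexample without dereferencing null. */
typedef struct { const char *base; size_t len; } region;
typedef struct { region src_r, dst_r; bool ok; } model; /* ok plays DAC's ok_i */
static bool valid_in(const char *p, region r) {
    return r.base != NULL && p >= r.base && p < r.base + r.len;
}
/* Each `assert(Valid(x))` before `*x` becomes `ok := ok && Valid(x)`; an
   invalid access is recorded and skipped so the run continues. */
static char load(model *m, const char *p) {
    if (!valid_in(p, m->src_r)) { m->ok = false; return 0; }
    return *p;
}
static void store(model *m, char *p, char c) {
    if (!valid_in(p, m->dst_r)) { m->ok = false; return; }
    *p = c;
}
/* The two versions from the slides, dereferences routed through the model. */
static void strcopy_correct(model *m, char *dst, const char *src, int size) {
    int i = 0;
    for (; i < size - 1 && load(m, src); i++) store(m, dst++, load(m, src++));
    store(m, dst, 0);
}
static void strcopy_buggy(model *m, char *dst, const char *src, int size) {
    int i = 0;
    for (; load(m, src) && i < size - 1; i++) store(m, dst++, load(m, src++));
    store(m, dst, 0);
}
typedef void (*strcopy_fn)(model *, char *, const char *, int);
/* One concrete differential run: P1 and P2 on identical inputs, then check
   ok1 => ok2 (P2 may fail an assertion only where P1 already fails one). */
static bool relatively_correct(strcopy_fn p1, strcopy_fn p2, const char *src,
                               size_t src_len, size_t dst_len, int size) {
    char d1[64] = {0}, d2[64] = {0};                  /* dst_len must be <= 64 */
    region rs = { src, src_len };
    model m1 = { rs, { d1, dst_len }, true }, m2 = { rs, { d2, dst_len }, true };
    p1(&m1, d1, src, size);
    p2(&m2, d2, src, size);
    return !m1.ok || m2.ok;
}
int main(void) { /* the slide's CEX: size=0, src=0 (null), dst valid -> prints 0 */
    printf("%d\n", relatively_correct(strcopy_correct, strcopy_buggy, NULL, 0, 8, 0));
    return 0;
}
```

Swapping the argument order (buggy as P1, correct as P2) makes the check pass on the same input, which is the direction the Proof slide establishes for all inputs.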

Composed Program

    proc f1(x1): r1 modifies g1 { s1; L1: w1 := call h1(e1); t1 }
    proc f2(x2): r2 modifies g2 { s2; L2: w2 := call h2(e2); t2 }

Main Result

  • Holds even in the presence of loops and recursion

Implementation Workflow

    P1.bpl, P2.bpl --> SymDiff --> P1P2.bpl --> Houdini --> annotated P1P2.bpl --> Boogie --> SMT (Z3)

  • Verifying bug fixes
  • Filtering alarms

Verifying Bug Fixes

  • Did a fix inadvertently introduce new bugs?
  • Verisec suite: "snippets of open source programs which contain buffer overflow vulnerabilities, as well as corresponding patched versions."
  • Relative buffer overflow checking
  • Examples include apache, madwifi, sendmail, …

Example

    int main_buggy() {
        …
        fb = 0;
        while ((c1 = read()) != EOF) {
            fbuf[fb] = c1;      /* Buffer Overflow: fb is never reset */
            fb++;
        }
        …
    }

    int main_patched() {
        …
        fb = 0;
        while ((c1 = read()) != EOF) {
            fbuf[fb] = c1;
            fb++;
            if (fb >= MAX) fb = 0;
        }
        …
    }

  Invariant: fb.2 <= fb.1

Filtering Warnings

WDK results

Related Work

  • Joshi et al. '12: Differential errors for bounded programs
  • Relative properties of approximate program transformations (Carbin et al. '12, '13)
      • No automatic tool for checking these
  • Equivalence checking:
      • Translation validation, validating program refactorings
      • Product programs (Barthe et al. '11, Pnueli et al. '08)

Conclusion

  • A new form of relative correctness, from assertions
  • Complementary to equivalence and refinement
  • A modular composition procedure
      • Enables decomposition of the proof
      • Use off-the-shelf verifiers for differential checking
  • Implementation inside SymDiff for automated proofs
  • Applications: bug fixes and filtering warnings

Syntax and Semantics

Invariant Inference

Composing Procedures

    proc f1(x1) modifies g1 { w1 := call h1(e1); }
    proc f2(x2) modifies g2 { w2 := call h2(e2); }

Composed Procedure

    proc MS_f1_f2(x1, x2) modifies g1, g2 {
        i1, g_i1 := e1, g1;
        w1 := call h1(e1);
        o1 := w1; g_o1 := g1;
        …
        g1, g2 := g_i1, g_i2;
        k1, k2 := call MS_h1_h2(i1, i2);
        assume(k1 == o1 && g1 == g_o1);
        assume(k2 == o2 && g2 == g_o2);
    }