Qualifiable Model Checkers

1
Qualifiable Model Checkers

• Songtao Xia and Ben Di Vito

2
Outline

• Model checkers add functionality and flexibility
  to software certification
• Proof-carrying Code
• New applications
• Structure of model checkers
• Solution reuse of transition information
• Plan

3
Terminology

• Server software developer obligated to show the
  correctness of the software
• Client the regulatory authority responsible to
  independently verify a servers claim
• Certificate artifacts that the server presents
  to help prove the correctness
• Reverification clients activity to
  independently check the servers claim
• Trust base set of tools the client must trust to
  achieve reverification

4
Software Certification

• Peer review/testing
• Advantage easy to learn/understand process
• Disadvantage we dont know how much is enough
• Proof-carrying code
• Advantage indisputable mathematical facts as
  certifcates, automation in tool support (for
  certain properties), small trust base
• Disadvantage expressive power/automation trade
  off

5
Proof-carrying code
Server Side
Client Side
Program
VCGen
VCGen
Verification Conditions
Theorem Prover
ProofChecker
Proof
6
Proof-carrying Code

• Automatic for certain properties
• Memory safety and type safety
• Other domain-specific properties
• Proof property specific
• VCGen often tied to class of properties
• Not flexible

7
Model Checker

• Software model checking with predicate
  abstraction
• For safety properties
• For engineering programs
• Protocol verification

8
Using model checker

• Automation
• Functionality
• Flexibility
• But qualification issue
• Model checkers are more complicated than a
  proof-checker

9
New Application 1
Server Side
Client Side
Program
ModelValidator
ModelAbstraction
Spin Model
Model Checker
ModelChecker
10
New Application 2Abstraction-carrying Code (ACC)
Server Side
Client Side
Program
ModelValidator
PredicateAbstraction
Boolean Program
Model Checker
ModelChecker
11
Predicate Abstraction

• Observe the programs behavior over value changes
  of a set of predicates
• Example consider x over xgt0corresponding BP
  if b then b true else b unknown, where b
  represents xgt0
• Reduce state space

12
BP Validator

• Validation of Hoare Triples
• xgt0 x xgt0
• Implemented in ACCEPT (ACC Evaluation Prototype
  System) as dependent typed assembly language type
  checking

13
Complexity of Model Checkers

• General purpose model checkers
• Explicit state model checkers
• Symbolic model checkers
• Spin, JPF, SMV,
• Special purpose model checkers
• For an often simplified model
• Moped, Bebop

14
Cost of software qualification

• Expensive

15
Cost of software qualification

• More expensive
• for larger, more complicated programs
• Programs in the trust base must be qualified

16
Structure of Model Checkers
Relatively Simple Search
Search Engine
Next state ?
State Management
PathManagement
17
Run Model Checker Twice
Relatively Simple Search
Search Engine
Next state ?
State Management
PathManagement
Chance to reuse information from previous run
18
Run Model Checker Twice
Instead of computation, we verify the results
Relatively Simple Search
Search Engine
Is Next State x?
Coverage Testing
Optimization conditionverification
19
Example BP model checker

• BP statement if (b1) then b2 b1 b3
• If we know nextState((1,1,0)) (1,0,0))
• We can use a Boolean evaluator, very efficient, a
  few lines of code
• Result we can save ourselves a BDD library from
  the trust base!

20
Research Plan

• Moped a model checker for push-down systems
• Model checks BP
• BDD library is large than the source code itself
• Reduce the size of moped to a few thousands lines
  of code

21
Evaluation Plan

• To watch performance should not be severely
  affected
• ACCEPT/C
• A prototype we have built to evaluate
  Abstraction-carrying code
• Plug modified moped back to ACCEPT/C, evaluates
  its performance and compare it to the original
  Moped

22
Related Work

• Proof-emitting model checkers
• Software model checking
• Model-carrying code