Helmut Veith
Technische Universität München
Publication
Featured research published by Helmut Veith.
Lecture Notes in Computer Science | 2001
Edmund M. Clarke; Orna Grumberg; Somesh Jha; Yuan Lu; Helmut Veith
Model checking is an automatic verification technique for finite state concurrent systems. In this approach to verification, temporal logic specifications are checked by an exhaustive search of the state space of the concurrent system. Since the size of the state space grows exponentially with the number of processes, model checking techniques based on explicit state enumeration can only handle relatively small examples. This phenomenon is commonly called the State Explosion Problem. Over the past ten years considerable progress has been made on this problem by (1) representing the state space symbolically using BDDs and by (2) using abstraction to reduce the size of the state space that must be searched. As a result model checking has been used successfully to find extremely subtle errors in hardware controllers and communication protocols. In spite of these successes, however, additional research is needed to handle large designs of industrial complexity. The aim of this paper is to give a succinct survey of symbolic model checking and to introduce the reader to recent advances in abstraction.
international conference on detection of intrusions and malware and vulnerability assessment | 2005
Johannes Kinder; Stefan Katzenbeisser; Christian Schallhart; Helmut Veith
The ease of compiling malicious code from source code in higher programming languages has increased the volatility of malicious programs: The first appearance of a new worm in the wild is usually followed by modified versions in quick succession. As demonstrated by Christodorescu and Jha, however, classical detection software relies on static patterns, and is easily outsmarted. In this paper, we present a flexible method to detect malicious code patterns in executables by model checking. While model checking was originally developed to verify the correctness of systems against specifications, we argue that it lends itself equally well to the specification of malicious code patterns. To this end, we introduce the specification language CTPL (Computation Tree Predicate Logic) which extends the well-known logic CTL, and describe an efficient model checking algorithm. Our practical experiments demonstrate that we are able to detect a large number of worm variants with a single specification.
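The abstract above (and the CTPL toolchain paper further down) describe specifying malicious code patterns as temporal formulas with free variables and model checking them against a binary's control-flow graph. The block below is an added illustration of that idea and is not the authors' CTPL checker: it is a toy explicit-state CTL evaluator over a hand-written disassembly, where operands beginning with `$` are variables that are bound by trying every operand occurring in the program (a finite domain), so one formula matches the GetModuleHandleA-to-GetProcAddress idiom regardless of which register carries the handle or what junk sits in between. The listing syntax, the three sample fragments, and the pattern itself are constructed for this example; the real system works on disassembled executables and adds data-flow side conditions that this toy omits.

```python
"""Toy CTPL-style matcher (added example): model-check a temporal pattern with
free register variables against the control-flow graph of a disassembly."""
from typing import Dict, List, Set, Tuple

Instr = Tuple[str, List[str]]          # (mnemonic, operands)

# Constructed listings, 'addr: mnemonic op1, op2'; addresses are hex and jump
# targets refer to them.  These are made-up fragments, not real samples.
MALICIOUS = """
00: push offset kernel32_str
01: call GetModuleHandleA
02: mov ebx, eax
03: test ebx, ebx
04: jz 0a
05: push offset getproc_str
06: push ebx
07: call GetProcAddress
08: mov esi, eax
09: jmp 0b
0a: xor eax, eax
0b: ret
"""
# Same behaviour, different register plus junk instructions: a 'variant'.
VARIANT = """
00: push offset kernel32_str
01: call GetModuleHandleA
02: nop
03: mov edi, eax
04: mov ecx, ecx
05: push offset getproc_str
06: push edi
07: call GetProcAddress
08: ret
"""
# Calls GetModuleHandleA but never feeds the handle to GetProcAddress.
BENIGN = """
00: push offset kernel32_str
01: call GetModuleHandleA
02: mov ebx, eax
03: push offset title_str
04: push 0
05: call MessageBoxA
06: ret
"""


def parse(listing: str) -> Dict[int, Instr]:
    prog = {}
    for line in listing.strip().splitlines():
        addr, text = line.split(":", 1)
        parts = text.strip().split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        prog[int(addr, 16)] = (parts[0], ops)
    return prog


def successors(prog: Dict[int, Instr]) -> Dict[int, List[int]]:
    """Control-flow edges: fall-through, jump targets, nothing after ret."""
    addrs = sorted(prog)
    succ = {}
    for i, a in enumerate(addrs):
        mnem, ops = prog[a]
        fall = [addrs[i + 1]] if i + 1 < len(addrs) else []
        if mnem == "ret":
            succ[a] = []
        elif mnem == "jmp":
            succ[a] = [int(ops[0], 16)]
        elif mnem.startswith("j"):           # conditional branch
            succ[a] = fall + [int(ops[0], 16)]
        else:
            succ[a] = fall
    return succ


# Formula constructors.  Operands beginning with '$' are CTPL variables.
def instr(mnem, *ops): return ("instr", mnem, list(ops))
def AND(f, g): return ("and", f, g)
def NOT(f): return ("not", f)
def EX(f): return ("EX", f)
def EF(f): return ("EF", f)
def EU(f, g): return ("EU", f, g)
def EXISTS(var, f): return ("exists", var, f)


def matches(ins: Instr, mnem: str, pat: List[str], env: Dict[str, str]) -> bool:
    m, ops = ins
    if m != mnem or len(ops) != len(pat):
        return False
    return all(got == (env[want] if want.startswith("$") else want)
               for got, want in zip(ops, pat))


def sat(f, prog, succ, env) -> Set[int]:
    """States satisfying f under variable binding env (explicit-state CTL)."""
    states = set(prog)
    op = f[0]
    if op == "instr":
        return {s for s in states if matches(prog[s], f[1], f[2], env)}
    if op == "not":
        return states - sat(f[1], prog, succ, env)
    if op == "and":
        return sat(f[1], prog, succ, env) & sat(f[2], prog, succ, env)
    if op == "EX":
        t = sat(f[1], prog, succ, env)
        return {s for s in states if any(n in t for n in succ[s])}
    if op in ("EF", "EU"):
        # E[phi U psi] as a least fixpoint; EF psi is E[true U psi].
        phi = states if op == "EF" else sat(f[1], prog, succ, env)
        t = sat(f[-1], prog, succ, env)
        while True:
            new = {s for s in phi - t if any(n in t for n in succ[s])}
            if not new:
                return t
            t |= new
    if op == "exists":
        # Finite domain: every operand that occurs anywhere in the program.
        domain = {o for _, ops in prog.values() for o in ops}
        return set().union(*(sat(f[2], prog, succ, {**env, f[1]: v}) for v in domain))
    raise ValueError(f"unknown operator {op}")


# "Some r receives the return value of GetModuleHandleA and is later pushed
# immediately before a call to GetProcAddress": the API-resolution idiom.
PATTERN = EXISTS("$r",
    EF(AND(instr("call", "GetModuleHandleA"),
           EX(EF(AND(instr("mov", "$r", "eax"),
                     EX(EF(AND(instr("push", "$r"),
                               EX(instr("call", "GetProcAddress")))))))))))


def detect(listing: str, pattern=PATTERN) -> bool:
    prog = parse(listing)
    return min(prog) in sat(pattern, prog, successors(prog), {})


if __name__ == "__main__":
    for name, text in [("malicious", MALICIOUS), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{name:10s} matches pattern: {detect(text)}")
```

The point of the `EF` operators between the three instructions is that arbitrary instructions (including inserted junk) may occur between them, and the `EXISTS` binding is what lets one formula cover the variant that uses `edi` instead of `ebx`; a byte-pattern signature for the first fragment matches neither the variant nor anything else the worm author recompiles. The checker is quadratic in the program size because `EXISTS` re-runs the inner formula per candidate value, which is acceptable for this toy but not for real binaries.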
verification model checking and abstract interpretation | 2006
Edmund M. Clarke; Muralidhar Talupur; Helmut Veith
Many aspects of computer systems are naturally modeled as parameterized systems, which renders their automatic verification difficult. In well-known examples such as cache coherence protocols and mutual exclusion protocols, the unbounded parameter is the number of concurrent processes which run the same distributed algorithm. In this paper, we introduce environment abstraction as a tool for the verification of such concurrent parameterized systems. Environment abstraction enriches predicate abstraction by ideas from counter abstraction; it enables us to reduce concurrent parameterized systems with unbounded variables to precise abstract finite state transition systems which can be verified by a finite state model checker. We demonstrate the feasibility of our approach by verifying the safety and liveness properties of Lamport's bakery algorithm and Szymanski's mutual exclusion algorithm. To the best of our knowledge, this is the first time both safety and liveness properties of the bakery algorithm have been verified at this level of automation.
international conference on concurrency theory | 2004
Edmund M. Clarke; Muralidhar Talupur; Tayssir Touili; Helmut Veith
We describe a new method to verify networks of homogeneous processes which communicate by token passing. Given an arbitrary network graph and an indexed LTL ∖ X property, we show how to decompose the network graph into multiple constant size networks, thereby reducing one model checking call on a large network to several calls on small networks. We thus obtain cut-offs for arbitrary classes of networks, adding to previous work by Emerson and Namjoshi on the ring topology. Our results on LTL ∖ X are complemented by a negative result which precludes the existence of reductions for CTL ∖ X on general networks.
Information & Computation | 1998
Helmut Veith
In this article, the following results are shown:
1. For succinctly encoded problems s(A), completeness under polynomial-time reductions is equivalent to completeness under projection reductions, an extremely weak reduction defined by a quantifier-free projective formula.
2. The succinct version s(A) of a computational problem A is complete under projection reductions for the class of problems characterizable with leaf language A, but not complete under monotone projections.
3. A strong conversion lemma: if A is reducible to B in polylogarithmic time, then the succinct version of A is monotone projection reducible to the succinct version of B. This result strengthens previous results by Papadimitriou and Yannakakis, and by Balcázar and Lozano. It allows iterated application for multiple succinct problems.
4. For all syntactic complexity classes there exist complete problems under monotone projection reductions. This positively answers a question by Stewart for a large number of complexity classes.
Information Processing Letters | 1997
Helmut Veith
A propositional problem is a problem whose instances are defined by Boolean formulas. Using quantifier free logical reductions, we give a sufficient condition under which a large class of propositional problems becomes exponentially harder than their ordinary encodings. This result extends former upgrading results which hold only for representation by Boolean circuits. It follows that all succinct circuit problems proved complete by Papadimitriou (1994) remain complete under representation by Boolean formulas.
computer aided systems theory | 2007
Andreas Holzer; Johannes Kinder; Helmut Veith
Computer viruses and worms are major threats for our computer infrastructure, and thus, for economy and society at large. Recent work has demonstrated that a model checking based approach to malware detection can capture the semantics of security exploits more accurately than traditional approaches, and consequently achieve higher detection rates. In this approach, malicious behavior is formalized using the expressive specification language CTPL based on classic CTL. This paper gives an overview of our toolchain for malware detection and presents our new system for computer assisted generation of malicious code specifications.
Journal in Computer Virology | 2007
Mihai Christodorescu; Somesh Jha; Johannes Kinder; Stefan Katzenbeisser; Helmut Veith
Malware is code designed for a malicious purpose, such as obtaining root privilege on a host. A malware detector identifies malware and thus prevents it from adversely affecting a host. In order to evade detection, malware writers use various obfuscation techniques to transform their malware. There is strong evidence that commercial malware detectors are susceptible to these evasion tactics. In this paper, we describe the design and implementation of a malware transformer that reverses the obfuscations performed by a malware writer. Our experimental evaluation demonstrates that this malware transformer can drastically improve the detection rates of commercial malware detectors.
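The abstract above argues that undoing a malware writer's obfuscations before handing the sample to a detector restores the detector's signature matches. The block below is an added illustration of that normalization idea and is not the paper's transformer; the two obfuscations it reverses, code reordering through unconditional jumps and insertion of semantically empty junk instructions, are assumed for this example, as are the label-based listing format and the two constructed fragments. It shows that a plain text signature that matches the original fails on the obfuscated copy, while both normalize to the same canonical instruction sequence.

```python
"""Toy malware normalizer (added example, not the paper's tool): undo jump-based
code reordering and junk insertion so that a simple signature matches again."""
from typing import List, Optional, Tuple

Instr = Tuple[str, List[str]]                    # (mnemonic, operands)

# Constructed listings: one instruction per line, 'name:' lines are labels.
ORIGINAL = """
push offset kernel32_str
call GetModuleHandleA
mov ebx, eax
push offset getproc_str
push ebx
call GetProcAddress
mov esi, eax
ret
"""
OBFUSCATED = """
jmp part1
part2:
mov ebx, eax
push ecx
nop
pop ecx
jmp part3
part1:
push offset kernel32_str
xchg eax, eax
call GetModuleHandleA
jmp part2
part3:
push offset getproc_str
mov edx, edx
push ebx
call GetProcAddress
add esi, 0
mov esi, eax
ret
"""


def tokenize(listing: str) -> List[Tuple[Optional[str], str, List[str]]]:
    """Return [(label attached to this instruction or None, mnemonic, operands)]."""
    out, pending = [], None
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            pending = line[:-1]
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        out.append((pending, mnem, ops))
        pending = None
    return out


def linearize(instrs) -> List[Instr]:
    """Follow execution from the first instruction, dropping the unconditional
    jumps used to scatter the code; conditional branches are kept unchanged."""
    labels = {lab: i for i, (lab, _, _) in enumerate(instrs) if lab}
    order, seen, i = [], set(), 0
    while 0 <= i < len(instrs) and i not in seen:
        seen.add(i)
        _, mnem, ops = instrs[i]
        if mnem == "jmp" and ops and ops[0] in labels:
            i = labels[ops[0]]
            continue
        order.append((mnem, ops))
        if mnem == "ret":
            break
        i += 1
    return order


def strip_junk(seq: List[Instr]) -> List[Instr]:
    """Remove instructions with no architectural effect (register state only)."""
    out: List[Instr] = []
    for mnem, ops in seq:
        if mnem == "nop":
            continue
        if mnem in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1]:
            continue
        if mnem in ("add", "sub") and len(ops) == 2 and ops[1] == "0":
            continue
        if mnem == "pop" and out and out[-1] == ("push", ops):
            out.pop()                     # push r / pop r cancels out
            continue
        out.append((mnem, ops))
    return out


def normalize(listing: str) -> List[Instr]:
    return strip_junk(linearize(tokenize(listing)))


def signature(listing: str) -> str:
    """Canonical one-line form suitable for a plain string signature."""
    return "; ".join(m + (" " + ", ".join(o) if o else "") for m, o in normalize(listing))


if __name__ == "__main__":
    naive = "call GetModuleHandleA\nmov ebx, eax"
    print("naive signature hits original  :", naive in ORIGINAL)
    print("naive signature hits obfuscated:", naive in OBFUSCATED)
    print("normalized forms equal         :", signature(ORIGINAL) == signature(OBFUSCATED))
```

The normalizer never needs to know what the program does; it only needs each transformation it applies to preserve behaviour, which is exactly the property the obfuscator relied on when it inserted the junk. Real obfuscations such as packing or opaque predicates need a decoder or a semantic check rather than syntactic rules like these, which is where the paper's transformer goes beyond this toy.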
integrated formal methods | 2005
Sagar Chaki; Edmund M. Clarke; Orna Grumberg; Joël Ouaknine; Natasha Sharygina; Tayssir Touili; Helmut Veith
In the domain of concurrent software verification, there is an evident need for specification formalisms and efficient algorithms to verify branching-time properties that involve both data and communication. We address this problem by defining a new branching-time temporal logic SE-A
international conference on logic programming | 2007
Marko Samer; Helmut Veith
{it Omega}