Optimization techniques for craig interpolant compaction in unbounded model checking

Cabodi, Gianpiero; Loiacono, Carmelo; Vendraminetto, Danilo

doi:10.1007/s10703-015-0229-0

Cited by 7 publications

(5 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The processor was described in Verilog, then converted into the AIGER format [41] and verified using PdTRAV [42], a state-of-the-art academic model-checking tool we developed. Both Bounded and Unbounded Model-Checking (interpolation-based UMC) algorithms were used, with a peculiar focus on model reductions and transformations [43,44], multiple properties manipulations [45] and interpolants-based engines [46,47].…”

Section: Resultsmentioning

confidence: 99%

Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

et al. 2019

Self Cite

View full text Add to dashboard Cite

Spectre and Meltdown attacks in modern microprocessors represent a new class of attacks that have been difficult to deal with. They underline vulnerabilities in hardware design that have been going unnoticed for years. This shows the weakness of the state-of-the-art verification process and design practices. These attacks are OS-independent, and they do not exploit any software vulnerabilities. Moreover, they violate all security assumptions ensured by standard security procedures, (e.g., address space isolation), and, as a result, every security mechanism built upon these guarantees. These vulnerabilities allow the attacker to retrieve leaked data without accessing the secret directly. Indeed, they make use of covert channels, which are mechanisms of hidden communication that convey sensitive information without any visible information flow between the malicious party and the victim. The root cause of this type of side-channel attacks lies within the speculative and out-of-order execution of modern high-performance microarchitectures. Since modern processors are hard to verify with standard formal verification techniques, we present a methodology that shows how to transform a realistic model of a speculative and out-of-order processor into an abstract one. Following related formal verification approaches, we simplify the model under consideration by abstraction and refinement steps. We also present an approach to formally verify the abstract model using a standard model checker. The theoretical flow, reliant on established formal verification results, is introduced and a sketch of proof is provided for soundness and correctness. Finally, we demonstrate the feasibility of our approach, by applying it on a pipelined DLX RISC-inspired processor architecture. We show preliminary experimental results to support our claim, performing Bounded Model-Checking with a state-of-the-art model checker.

show abstract

Section: Resultsmentioning

confidence: 99%

Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

et al. 2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…We performed an extensive experimentation on a selected subset of interpolants used in [11]. These interpolants are extracted from publicly available benchmarks from the past HWMCC [20] suites and are represented as AIGs.…”

Section: Resultsmentioning

confidence: 99%

“…Figures 5 and 6 show the results obtained for compaction with logic synthesis (section III) and GLA-based weakening (section IV), respectively. Compaction techniques are applied incrementally, i.e., we always apply simplifications described in [11] 4 , followed by the techniques described in this paper. 3 The interpolant circuits are available at http://fmgroup.polito.it/index.php/download.…”

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Reducing interpolant circuit size by ad-hoc logic synthesis and SAT-based weakening

Cabodi

Camurati

Palena

et al. 2016

2016 Formal Methods in Computer-Aided Design (FMCAD)

View full text Add to dashboard Cite

We address the problem of reducing the size of Craig interpolants used in SAT-based Model Checking. Craig interpolants are AND-OR circuits, generated by post-processing refutation proofs of SAT solvers. Whereas it is well known that interpolants are highly redundant, their compaction is typically tackled by reducing the proof graph and/or by exploiting standard logic synthesis techniques. Furthermore, strengthening and weakening have been studied as an option to control interpolant quality.In this paper we propose two interpolant compaction techniques: (1) A set of ad-hoc logic synthesis functions that, revisiting known logic synthesis approaches, specifically address speed and scalability. Though general and not restricted to interpolants, these techniques target the main sources of redundancy in interpolant circuits. (2) An interpolant weakening technique, where the UNSAT core extracted from an additional SAT query is used to obtain a gate-level abstraction of the interpolant. The abstraction introduces fresh new variables at gate cuts that must be quantified out in order to obtain a valid interpolant. We show how to efficiently quantify them out, by working on an NNF representation of the circuit.The paper includes an experimental evaluation, showing the benefits of the proposed techniques, on a set of benchmark interpolants arising from both hardware and software model checking problems.

show abstract

“…• BDD-based representations and traversals (BDD), including forward, backward, combined (approximate) forward/ (exact) backward reachability algorithms [14], [15] partitioned BDDs and/or image computation procedures [16], [17] • Interpolant-based verification (ITP), with ad-hoc abstraction and tightening techniques [18], [19], integrated SAT-based approaches [20], [21], Interpolant reduction techniques [22] and Guided Refinement [23] • Property Directed Reachability (PDR) verification strategies [24] Figures 4 and 5 show verification results considering three different unbounded model checking strategies: interpolation (ITP), binary decision diagram reachability (BDD) and Property Directed Reachability strategy (PDR). Results show that the most suitable strategy for the presented security properties verification is PDR.…”

Section: B Verification Strategiesmentioning

confidence: 99%

Secure embedded architectures: Taint properties verification

Cabodi

Camurati

Finocchiaro

et al. 2016

2016 International Conference on Development and Application Systems (DAS)

View full text Add to dashboard Cite

Nowadays embedded devices collect various kinds of information and provide it to communication networks for further processing. These devices often provide critical functionalities that could be exploited by malicious parties. Using formal techniques is a natural way to increase the confidence in the overall embedded system security. However, the major research focus is on verifying only the correctness of encryption algorithms and their implementation in software and hardware and not the whole security process. Following novel research studies, many security requirements of an embedded architecture can be specified as Taint Properties, expressing properties related to information flow and access control. In this paper we define Taint Properties as a way to find out whether there is a path from src to dest, where src is an RTL signal seeded with the Taint and dest is a signal not to be reached by the Taint in order to satisfy the security requirements. In our scenario a Taint is an untrusted code following an illegal path from src to dest. We present a systematic approach to formalize generic security requirements, referring to a model abstraction, and their related Taint Properties of an embedded architecture. First, we present our model abstraction of two selected embedded secure architectures, then we define a portfolio of Taint Properties to verify key secrecy, isolation, attestation, confidentiality and availability features. We finally perform verification of previously defined formal security properties, hence presenting results on two selected embedded architectures proving the effectiveness of our approach.

show abstract

Optimization techniques for craig interpolant compaction in unbounded model checking

Cited by 7 publications

References 40 publications

Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

Model-Checking Speculation-Dependent Security Properties: Abstracting and Reducing Processor Models for Sound and Complete Verification

Reducing interpolant circuit size by ad-hoc logic synthesis and SAT-based weakening

Secure embedded architectures: Taint properties verification

Contact Info

Product

Resources

About