Opaque predicates are a class of lightweight code-obfuscation techniques that resist reverse analysis of a program by imposing a one-way execution complexity. Generalized opaque predicates extend the value-constancy property of narrow opaque predicates to logic constancy, and have already been used in some malware to improve resistance to detection and removal. To eliminate the effect of opaque predicates on deciding whether a program is malicious, this paper proposes a detection method for generalized opaque predicates based on logical consistency, taking the successor-dependence property of generalized opaque predicates as its basis and combining it with logic-constancy decisions. Static analysis extracts the predicate's precondition constraints, successor logic constraints and the predicate decision expression; candidate predicates are prefiltered by searching for intersecting basic blocks, and generalized opaque predicates are then decided by constraint solving. A prototype system was built and tested; the results show that the method detects opaque predicates in malicious code accurately and efficiently.
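The detection pipeline this abstract describes (precondition extraction, comparison of the two successors' logic, prefiltering on branches that reconverge in a common basic block, then a solver decision), as an added Python example that is not the paper's prototype. It assumes bounded integer inputs and replaces the constraint solver with exhaustive enumeration over a small domain; the CFG, the block names and the candidate predicates are constructed for the illustration.

```python
"""Toy detector for narrow and generalized opaque predicates.

Added example, not the paper's prototype. The paper decides opacity with a
constraint solver over constraints extracted by static analysis; here
exhaustive enumeration over a small bounded integer domain stands in for the
solver query "does a concrete state exist such that ...".
"""
from itertools import product

# Assumption: program inputs are bounded integers in this range.
DOMAIN = range(-8, 8)

# Constructed sample CFG. A basic block is a list of (destination, expression)
# assignments. Expressions are evaluated with eval over program variables only;
# acceptable for constructed input, never for attacker-controlled text.
CFG = {
    "entry": [("y", "x * x + x")],   # y = x(x+1): always even
    "B1":    [("z", "y + 1")],
    "B2":    [("z", "y + 1")],       # same effect as B1
    "B3":    [("z", "y - 1")],
    "join":  [],
}
# Unconditional fall-through edges, used to prefilter candidates whose two
# branches reconverge (the "intersecting basic block" search).
FALLTHROUGH = {"B1": "join", "B2": "join", "B3": "join"}

# Candidate conditional jumps: (predecessor block, predicate, true succ, false succ)
CANDIDATES = [
    ("entry", "y % 2 == 0", "B1", "B3"),   # narrow opaque: value-constant
    ("entry", "x > 0",      "B1", "B2"),   # generalized opaque: branches equivalent
    ("entry", "x > 0",      "B1", "B3"),   # genuine branch
]

def run_block(block, state):
    """Execute a block's assignments on a copy of the concrete state."""
    st = dict(state)
    for dst, expr in block:
        st[dst] = eval(expr, {"__builtins__": {}}, st)
    return st

def reconverges(cand):
    """Prefilter: both successors flow into the same known block."""
    _, _, t_succ, f_succ = cand
    target = FALLTHROUGH.get(t_succ)
    return target is not None and target == FALLTHROUGH.get(f_succ)

def classify(cfg, cand, inputs):
    """Return 'narrow' if the predicate is value-constant over all inputs,
    'generalized' if its value varies but both successors compute the same
    state (logic-constant), else None."""
    blk, pred, t_succ, f_succ = cand
    values, equivalent = set(), True
    for vals in product(DOMAIN, repeat=len(inputs)):
        state = run_block(cfg[blk], dict(zip(inputs, vals)))  # precondition
        values.add(bool(eval(pred, {"__builtins__": {}}, state)))
        if run_block(cfg[t_succ], state) != run_block(cfg[f_succ], state):
            equivalent = False
    if len(values) == 1:
        return "narrow"
    return "generalized" if equivalent else None

def detect(cfg=CFG, candidates=CANDIDATES, inputs=("x",)):
    """Run the prefilter, then the solver-style decision; map index -> kind."""
    found = {}
    for i, cand in enumerate(candidates):
        if not reconverges(cand):
            continue
        kind = classify(cfg, cand, inputs)
        if kind:
            found[i] = kind
    return found

if __name__ == "__main__":
    print(detect())   # {0: 'narrow', 1: 'generalized'}
```

The third candidate survives the prefilter (both branches reach `join`) but is rejected by the decision step because its successors differ and its value varies, which is exactly the case a detector must keep separate from a real obfuscation; in a production tool the enumeration loop is the point where a solver such as z3 would be queried on the extracted constraints.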

Research on predicate abstraction techniques    Total citations: 8 (self-citations: 3, by others: 5)
As the scale and functionality of software and hardware systems keep growing, the state-space explosion problem severely hampers the further development and application of model checking and has become the bottleneck in verifying large-scale systems. Predicate abstraction is one of the most effective ways of addressing state-space explosion and has developed rapidly in recent years. This paper introduces the basic predicate abstraction algorithm and compares the supporting solvers; it focuses on the principles of counterexample-guided abstraction refinement and interpolation-based abstraction refinement; it analyses the advantages and disadvantages of the various methods for generating new predicates; finally, it points out the challenges facing predicate abstraction and the directions in which it is likely to develop.

Zhang Jian. Journal of Software, 1998, 9(8): 598-600
Constraint satisfaction problems are discussed on the basis of first-order predicate logic. The focus is on local search for the satisfiability of first-order logic formulas, which is compared with satisfiability procedures for propositional logic. Using the N-queens problem and the Hamiltonian circuit problem as examples, it is shown that the first-order-logic-based method can handle larger problem instances.

Li Tun, Li Sikun, Guo Yang, Wan Hai, Leng Biao. Chinese Journal of Computers, 2004, 27(6): 721-728
This paper proposes and implements a path-coverage-based method for automatically generating simulation vectors from HDL descriptions. During constraint generation the method considers only the conditional expressions of control statements, which effectively avoids generating redundant constraints; an extended decision-diagram model handles the propagation of intermediate signals back to the primary inputs, signal dependencies, and the various HDL description styles; constraint logic programming provides uniform handling of constraint systems made up of bit, bit-vector and integer variables. Experimental results show that the method speeds up simulation-vector generation and raises path coverage. The generated simulation vectors can also be used for lower-level design verification and fault simulation, shortening the design schedule; applying the prototype system to the RTL verification of a 32-bit microprocessor core uncovered errors in the RTL design description.

To address the shortcomings of existing methods for automatically generating simulation vectors for RTL datapaths, a new method that uses constraint logic programming (CLP) to generate datapath simulation vectors automatically is proposed. The method first simplifies the given Verilog RTL description by program slicing, then generates CLP constraints from the simplified result on the basis of bit-vector arithmetic, and solves them with the CLP solver GProlog, finally producing simulation vectors that satisfy the output requirements. Constraint solving is fast, the generated constraints are uniform, and the resulting simulation vectors are reasonably complete and meet the needs of simulation verification. Experimental results show that the method is an efficient approach to automatic RTL datapath simulation-vector generation.

To address the authorization-conflict problem in existing user-to-user role delegation models, a constrained delegation model is proposed on the basis of the components, properties and constraint rules of delegation. The model satisfies the two security principles of least privilege and separation of duty; its architecture and functional description are given. Against the background of this model, a constraint description language and its formal semantics are introduced; reduction and construction algorithms show that the language is equivalent to first-order predicate logic in the strict sense, and its soundness and completeness are discussed. Finally, the expressiveness of the model is demonstrated in the constraint language, which resolves delegation conflicts well.

Predicate abstraction is one of the most effective methods for dealing with state-space explosion in software model checking. Targeting the object-oriented features of Java, this paper describes a predicate abstraction algorithm for an intermediate form of Java programs; the algorithm abstracts a Java program into a Boolean program, and the Java constructs handled during abstraction include assignment statements, conditional statements, class object references, member methods and method calls. A Java program example illustrates the abstraction process and its result.

Reasoning about PKI trust models based on probability and conditional logic    Total citations: 1 (self-citations: 0, by others: 1)
A method for representing and deriving PKI trust models based on probability and conditional predicate logic is proposed. The method uses three binary conditional predicates to express the relationships between entities, gives entity authentication rules, trust rules and trust extension rules, and defines a probabilistic model of trust degree that can reflect how constraint conditions affect the degree of trust. The probabilistic model combined with conditional predicate logic can describe a PKI trust model more precisely.

To improve observability coverage in simulation-based verification, a constraint logic programming (CLP) model is built and the conditions for single-step propagation between variables are defined. On this basis, a general-purpose CLP system automatically performs path search, conflict detection, backtracking and constraint solving. Experimental results show that CLP-based observability analysis can, on the one hand, generate more effective test vectors so that errors in particular statements are propagated to the outputs, speeding up bug discovery in simulation; and, on the other hand, identify unobservable statements, avoiding a blind pursuit of high coverage and saving simulation resources.

Source-code-oriented software model checking and its implementation    Total citations: 3 (self-citations: 1, by others: 2)
Applying model checking to software reliability is of great significance. This paper introduces a model checking method that models and verifies source programs using predicate abstraction and counterexample-guided abstraction refinement, and, with the self-developed Jchecker tool, describes in detail the workflow and key algorithms of this software model checking technique.

Predicate Abstraction of ANSI-C Programs Using SAT    Total citations: 1 (self-citations: 0, by others: 1)
Predicate abstraction is a major method for verification of software. However, the generation of the abstract Boolean program from the set of predicates and the original program suffers from an exponential number of theorem prover calls as well as from soundness issues. This paper presents a novel technique that uses an efficient SAT solver for generating the abstract transition relations of ANSI-C programs. The SAT-based approach computes a more precise and safe abstraction compared to existing predicate abstraction techniques.
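Predicate abstraction as discussed in this abstract and in the survey and Java abstracts above: a single assignment is abstracted over a set of predicates into an abstract transition relation, the building block of a Boolean program. This is an added Python example, not code from any of these papers. It assumes bounded integer variables and uses enumeration over a small domain in place of the theorem-prover or SAT queries; the statement, predicates and domain are constructed for the illustration.

```python
"""Predicate abstraction of one assignment into an abstract transition relation.

Added example, not code from any of the papers above. The papers compute the
abstract Boolean program with theorem-prover or SAT queries; here enumeration
over a small bounded domain answers the same existential question: is there a
concrete state witnessing this abstract transition?
"""
from itertools import product

DOMAIN = range(-4, 5)  # assumption: bounded integers stand in for solver queries

def holds(expr, state):
    """Evaluate a predicate over a concrete state (constructed input only)."""
    return bool(eval(expr, {"__builtins__": {}}, state))

def abstract_state(preds, state):
    """Concrete state -> bitvector of predicate truth values."""
    return tuple(holds(p, state) for p in preds)

def execute(stmt, state):
    """Execute an assignment 'v = expr' on a copy of the concrete state."""
    dst, expr = (s.strip() for s in stmt.split("=", 1))
    new = dict(state)
    new[dst] = eval(expr, {"__builtins__": {}}, state)
    return new

def abstract_transitions(stmt, preds, variables):
    """Precise (existential) abstraction of stmt over preds.

    Returns the set of (before_bits, after_bits) pairs witnessed by some
    concrete state. Asking a prover one pair at a time costs up to
    4 ** len(preds) calls; enumerating witnesses, as a SAT solver does when
    asked for all models, visits only pairs that actually occur."""
    rel = set()
    for vals in product(DOMAIN, repeat=len(variables)):
        s = dict(zip(variables, vals))
        rel.add((abstract_state(preds, s), abstract_state(preds, execute(stmt, s))))
    return rel

def successors(rel, before):
    """Abstract states reachable from `before` in one abstract step."""
    return sorted(a for b, a in rel if b == before)

def boolean_program(stmt, preds, variables):
    """The Boolean-program view of stmt: for each abstract state, the
    nondeterministic choice of next predicate values."""
    rel = abstract_transitions(stmt, preds, variables)
    return {b: successors(rel, b) for b in sorted({b for b, _ in rel})}

if __name__ == "__main__":
    PREDS = ["x > 0", "x == y"]
    for before, after in boolean_program("x = x + 1", PREDS, ["x", "y"]).items():
        print(dict(zip(PREDS, before)), "->", [dict(zip(PREDS, a)) for a in after])
```

With the two predicates `x > 0` and `x == y` the abstraction of `x = x + 1` has four abstract states and only some of the sixteen conceivable transitions are witnessed; for instance, from a state where `x == y` holds the successor can never satisfy `x == y`, which is the kind of fact a per-pair prover call would have to establish separately. Adding predicates doubles the abstract state count and quadruples the pair count, which is the exponential cost the abstract refers to.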

A satisfiability-based verification strategy for concurrent software    Total citations: 1 (self-citations: 0, by others: 1)
Zhou Conghua. Journal of Software, 2009, 20(6): 1414-1424
A SAT-based bounded model checking procedure is proposed for the linear temporal logic SE-LTL; it avoids the rapid state-space growth of BDD-based methods. In the bounded model checking procedure for the next-free fragment SE-LTL\X, stuttering equivalence is integrated, which effectively accelerates verification. A verification strategy for concurrent software is further proposed that combines three state-space reduction techniques: SAT-based bounded model checking, counterexample-guided abstraction refinement, and compositional reasoning. In this strategy, abstraction and refinement are carried out independently on each component, and model checking is symbolic. Case studies show that the strategy reduces both verification time and memory requirements.

Because of its high degree of automation and its ability to provide counterexample paths, model checking is widely used for compatibility verification of Web service compositions. To address the state-explosion problem in model checking, this paper introduces predicate abstraction and refinement into conventional model checking and proposes an abstraction-refinement verification framework for Web service compositions. Predicate abstraction is used to build an abstract model of each atomic Web service, and the abstract models of the individual services are composed into a composite abstract model; the counterexample obtained from model checking is projected onto each atomic Web service and the projected counterexample is validated; the abstract models of the Web services that produced spurious counterexamples are refined, a new composite abstract model is generated, and the property is verified again. Finally, a case study shows that the abstraction-refinement-based verification framework for Web service compositions is feasible for alleviating state explosion.

There has been considerable progress in the domain of software verification over the last few years. This advancement has been driven, to a large extent, by the emergence of powerful yet automated abstraction techniques such as predicate abstraction. However, the state-space explosion problem in model checking remains the chief obstacle to the practical verification of real-world distributed systems. Even in the case of purely sequential programs, a crucial requirement to make predicate abstraction effective is to use as few predicates as possible. This is because, in the worst case, the state-space of the abstraction generated (and consequently the time and memory complexity of the abstraction process) is exponential in the number of predicates involved. In addition, for concurrent programs, the number of reachable states could grow exponentially with the number of components. We attempt to address these issues in the context of verifying concurrent (message-passing) C programs against safety specifications. More specifically, we present a fully automated compositional framework which combines two orthogonal abstraction techniques (predicate abstraction for data and action-guided abstraction for events) within a counterexample-guided abstraction refinement scheme. In this way, our algorithm incrementally increases the granularity of the abstractions until the specification is either established or refuted. Additionally, a key feature of our approach is that if a property can be proved to hold or not hold based on a given finite set of predicates $\mathcal{P}$, the predicate refinement procedure we propose in this article finds automatically a minimal subset of $\mathcal{P}$ that is sufficient for the proof. This, along with our explicit use of compositionality, delays the onset of state-space explosion for as long as possible. We describe our approach in detail, and report on some very encouraging experimental results obtained with our tool MAGIC.

In model checking, abstraction is one of the effective approaches to the state-space explosion problem. This paper describes the basic requirements that model checking places on abstract models, gives a definition of abstract models and criteria for evaluating them, surveys in depth the main methods of abstraction and of automated abstraction refinement together with their research progress, and discusses future directions for abstraction techniques.

In theorem proving with abstraction, it is required for system designers to provide a useful abstraction. However, such a task is so difficult that it would be worth studying an automatic construction of abstraction. In this paper, we propose a new framework of Goal-Dependent Abstraction in which an appropriate abstraction is selected according to each goal to be proved. Towards Goal-Dependent Abstraction, we present an algorithm for constructing an appropriate abstraction for a given goal. The appropriateness is defined in terms of Upward-Property and Downward-Property. Since our abstraction is based on predicate mapping, the algorithm in fact computes predicate mappings based on which appropriate abstractions can be constructed. Given a goal, candidate predicate mappings are generated and then tested for their appropriateness for the goal. In order to find appropriate mappings efficiently, we present a property to prune useless candidate generations. The numbers of pruned candidates are evaluated in the best and worst cases. Furthermore some experimental results show that many useless candidates can be pruned with the property and the obtained appropriate predicate mappings (abstractions) fit our intuition. From the experimental results, we could expect our study in this paper to contribute to the fields of analogical reasoning and case-based reasoning as well as theorem-proving. This revised version was published online in June 2006 with corrections to the Cover Date.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  Beijing ICP No. 09084417