Week 10 Software Validation and Verification

Question 1

What is validation?

Answer 1

Making sure the software is doing the right thing. It is measured against the users needs.

Question 2

What is verification?

Answer 2

Ensuring the software is doing things right, it is measured against the SRS and source code implementation.

Question 3

What are the two types of analysis you can perform?

Answer 3

Dynamic analysis (testing/execution)
Static analysis (verification/code)

Question 4

What is formal verification? What are its 3 components

Answer 4

1. Framework for modelling systems.
2. A specification language.
3. A verification method.

Question 5

What are the classifications of approaches to verification?

Answer 5

1. Proof based or model based?
2. The degree of automation.
3. Full vs property verification.
4. Intended domain of the application.
5. Pre vs post development.

Question 6

What is Automated theorem proving?

Answer 6

A formal proof based verification.
The system description is a set of formula called the theory.
The specification is another formula called the theorem.
You need to prove that theorem conforms to the theory.

Question 7

Is ATP fully automated?

Answer 7

No, it is very difficult and so requires manual human performance.

Question 8

What is model checking?

Answer 8

A model based formal verification.
System is represented by a model.
Verification involves showing if M satisfies the specification.

Question 9

Is model checking automatic?

Answer 9

Yes, usually for finite models.

Question 10

What does the specification describe within ATP and Model checking

Answer 10

Whole behaviour or a single property.

Question 11

What is the intended domain of formal verification?

Answer 11

Hardware/software/sequential/concurrent/reactive and terminating systems.

Question 12

(ATP) What is decidability?

Answer 12

A verification is decidable if there is an effective procedure that decides whether the theorem is a member of the theory.

Question 13

(ATP) What is decidability?

Answer 13

A verification is decidable if there is an effective procedure that decides whether the theorem is a member of the theory.

Question 14

(ATP) What is semi-deciability?

Answer 14

When a verification is semi-decidable, it means that the procedure can always tell when the theorem is in the theory, however it cannot tell if the theorem is not in the theory.

Question 15

How is a system described in ATP?

Answer 15

Utilising formal logic.

Question 16

How do logical formalisms affect ATP.

Answer 16

It is a cost/benefit decision between automation/expressiveness/validity.

Question 17

What is a shortcoming of ATP?

Answer 17

Logical proofs are unwieldy and time consuming, it must be done manually.

Question 18

How is model checking implemented?

Answer 18

The system is modeled as a state machine, the specification is again written using logic.
Using logic you traverse the state machine to see if your specification holds.
This will result in either an OK or error trace.

Question 19

What approach towards finding bugs does Model Checking use?

Answer 19

A systematic approach.

Question 20

Where is Model Checking primarily used?

Answer 20

1. Verification of control oriented properties.
2. Hardware verification.
3. Checking data oriented properties.
4. Software checking

Question 21

How are properties represented in Model Checking, what about the system?

Answer 21

Properties usually use temporal logic.

System is a reachability graph.

Question 22

What is Linear Time (LTL) vs Branching Time (CTL) logic?

Answer 22

LT: Every moment has a unique successor,
-Infinite sequences (words)
CTL: Every moment has several succesors.
- Infinite tree.

Question 23

How does LTL work?

Answer 23

• Uses connectives referring to the future
• Models time as an infinite sequence of states. (computation path)
• The future is not determined, we should several paths for different futures
• Ultimately, only one path is realised.

Question 24

What is a transition system?

Answer 24

It is composed of 3 things.

• A set of states.
• A binary relation between states
• Labelling function, each state has a set of propositions which are true for that state.

Question 25

What are reachable states?

Answer 25

Obtained from the initial state through a sequence of enabled transitions.

Question 26

What are executions in a transition system?

Answer 26

The set of maximal paths.

Question 27

Why is it hard to test embedded systems

Answer 27

Because if the input space becomes very large it is very hard to model and test these inputs.

Question 28

What is the problem with model checking?

Answer 28

State explosion.

Question 29

What is static analysis?

Answer 29

Static program analysis is the analysis of software without actually executing programs. Usually performed on the source code by an automated tool. Static analysis generally catches errors which result from inconsistent adherence to simple mechanical design rules.

Question 30

What is human analysis of a program called?

Answer 30

Program comprehension or code review.

Question 31

What are the key defect types that static analysis can catch?

Answer 31

Issues with:
Security,
Memory safety
Resoure leaks
API protocols,
Exceptions
Encapsulation
Data races

Question 32

How does SAT work?

Answer 32

Passes a bunch of CNF propositional clauses AND’d into the SAT.

Question 33

What is SMT?

Answer 33

SMT recieves the propositional formula phi (also used in SAT) it then returns whether or not phi is satisfiable.
SMT can go beyond typical propositional logic can work with functions and arrays.
SMT is used by SE

Question 34

How does symbolic execution work?

Answer 34

Rather then provide concrete values to parameters, we give them symbolic values and now the various control flow branchs that exist add extra constraints to these symbolic values. Ultimately we can solve for what values are necessary at any point in the CFG.

Question 35

What are the benefits of Symbolic Execution?

Answer 35

It allows you to find which value or property will lead you to a certain path. This creates high test coverage.

Question 36

What does a path constraint represent in symbolic execution?

Answer 36

All the inputs that induce program execution to go down a specific path. Solving this will give you a representative input which causes the program to go down that specific path.

Question 37

What do all paths within a program form?

Answer 37

The programs execution tree.

Question 38

What state does symbolic execution maintain instead of concrete state?

Answer 38

Symbolic state where each variable maps to symbolic values.

Question 39

What is a path condition?

Answer 39

A quantifier free formula which encodes all branch decisions taken so far.

Question 40

Draw the path constraints for this image.

Answer 40

Question 41

How can you check for x/y when y = 0 using symbolic execution.

Answer 41

Create a branch when y = 0 and another when y != 0.

Question 42

What are some issues with classic symbolic execution?

Answer 42

• Loops, recursion.
• Path explosion
• Heap modelling.
• SMT solver limitations.
• Environment problems/
• Coverage issue, complexity of execution tree makes it difficult to penetrate deeper.

Question 43

What is concolic execution?

Answer 43

Concolic = Concrete + symbolic
It combines classical testing with automatic program analysis.
Also called dynamic symbolic execution.

Question 44

What does DSE do?

Answer 44

The intention is to visit deep into the program execution tree.
Program is executed with both concrete and symbolic inputs.
Start off the execution with a random input.
Especially useful for remote procedure call.

Question 45

Steps of DSE

Answer 45

1. Generate a random input.
2. Execute the program concretely and simultaneously whilst collecting all path constraints on the way.
3. Negate the last conjuct.
4. Solve the resulting constraint to get the concrete input for the alternative path.

Question 46

How does DSE actually work?

Answer 46

The concrete input will explore paths randomly the symbolic execution will generate the input which will lead you down the alternative path.

Question 47

Why is DSE so powerful?

Answer 47

It is an example of hybrid analysis,
Concrete execution guides symbolic execution, overcoming the incompleteness of the theorem prover.
Whilst symbolic execution guides concrete execution, this ultimately increases program code coverage.

Question 48

How/when can ATP used in systems?

Answer 48

ATP is best used where there are not many changes introduced.
Best used for kernel and OS.
To sum up: Machine critical, don’t change that much ATP.

Question 49

How/when can model checking be used?

Answer 49

To sum up, machine critical, properties to check and not many lines of code,
Use model checking.

Question 50

How/when should static analysis be used?

Answer 50

To sum up, modules which scale very quickly or change much and which also require further testing use static analysis and particularly DSE.