Bounded model checking of high-integrity software

Abstract

Model checking [5] is an automated algorithmic technique for exhaustive verification of systems, described as finite state machines, against temporal logic [9] specifications. It has been used successfully to verify hardware at an industrial scale [6]. One of the most successful variants of model checking is Bounded Model Checking (BMC) [2] which leverages the power of state-of-the-art satisfiability (SAT) 1 and satisfiability-modulo-theory (SMT) 2 to push the boundaries of automated verification. Like model checking, BMC was developed originally for hardware, but has since been extended and applied successfully to verify sequential [4], multi-threaded [1, 10], as well as real-time software [3]. A key benefit of BMC-based software model checkers, such as CBMC [4], is that they are able to handle bit-level semantics of programs precisely. Thus, they are able to detect errors due to integer overflows, and prove correctness of programs that use bit-level operations, without reporting false warnings, or missing bugs. This makes BMC ideal for verifying high-integrity software, where the cost of failure is substantial. Indeed, CBMC has been used to verify a wide variety of low-level safety and security-critical systems, such as co-pilots [8], OS schedulers [7], and hypervisors [11] (see url{http://www.cprover.org/cbmc/applications.shtml} for a more expansive list). This tutorial will provide an introduction to BMC, its underlying technical principles, and applications to verifying sequential, multi-threaded, and real-time software. The tutorial will be hands-on, with live demonstrations of using BMC tools for verifying sample programs written in C.