Exploiting the SAT Revolution for Automated Software Verification: Report from an Industrial Case Study

L. Cordeiro
DOI: 10.5753/ladc.2021.18531 (https://doi.org/10.5753/ladc.2021.18531)
Venue: Latin-American Symposium on Dependable Computing (LADC)
Publication date: 2021-11-22
Indexed on: Semanticscholar
Citation count: 1

Abstract

In the last three decades, Boolean Satisfiability (SAT) solvers have experienced a dramatic performance revolution; they are now used as the backend of various industrial verification engines. SAT solvers can now check logical formulas that contain millions of propositional variables. In Satisfiability Modulo Theories (SMT) solvers, predicates from various theories are not encoded using propositional variables as in SAT but remain in the problem formulation. Thus, SMT solvers can be used as backends for solving the generated verification conditions, coping with the increasing software complexity of industrial applications. This talk will give an overview of automated software verification techniques that rely on sophisticated SMT solvers built over efficient SAT solvers. I will discuss challenges, problems, and recent advances in ensuring safety and security in open-source and embedded software applications. I will describe novel algorithms that exploit fuzzing, explicit-state, and SMT-based symbolic model checking for verifying single- and multi-threaded software. These algorithms were the first to symbolically verify multi-threaded C/Posix software based on shared-memory synchronization and communication. They are implemented in industrial-strength software verification tools, now considered state-of-the-art in the software testing and verification community, which have received 28 medals at SV-COMP and Test-COMP. This achievement enabled industrial research collaborations with Intel and Nokia. Software engineers applied these tools to find real security vulnerabilities in large-scale software systems (e.g., memory safety in firmware for Intel and arithmetic overflow in telecommunication software for Nokia, neither of which had been found before).