STP is a decision procedure for the satisfiability of quantifier-free formulas in the theory of bit-vectors and arrays that has been optimized for the large problems encountered in software analysis applications. The basic architecture of the procedure consists of word-level pre-processing algorithms followed by translation to SAT. The primary bottlenecks in software verification and bug-finding applications are large arrays and linear bit-vector arithmetic. New algorithms based on the abstraction-refinement paradigm are presented for reasoning about large arrays. A solver for bit-vector linear arithmetic is presented that eliminates variables and parts of variables to enable other transformations and to reduce the size of the problem that is eventually passed to the SAT solver. These and other algorithms have been implemented in STP, which has been heavily tested on thousands of examples obtained from several real-world applications. Experimental results indicate that the above mix of algorithms, together with the overall architecture, is far more effective for a variety of applications than a direct translation of the original formula to SAT or other comparable decision procedures.
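The abstraction-refinement idea for arrays described above, as an added illustration that is not STP's own code: each array read `read(A, idx)` is abstracted to a fresh bit-vector variable, the abstract formula is solved without any array axioms, and the model is then checked against the read-congruence rule (equal indices must yield equal values); every violation becomes a lemma and the loop repeats. A brute-force search over a constructed 4-bit domain stands in for the SAT back end, and the formulas, variable names and problem instances are all constructed for this example.

```python
import itertools

WIDTH = 4                      # constructed: tiny bit-width keeps brute force cheap
DOMAIN = range(1 << WIDTH)

def solve_abstract(var_names, constraints):
    """Stand-in for the SAT solver: enumerate bit-vector assignments until one
    satisfies every constraint (each constraint is a predicate over a model dict)."""
    for vals in itertools.product(DOMAIN, repeat=len(var_names)):
        model = dict(zip(var_names, vals))
        if all(c(model) for c in constraints):
            return model
    return None

def check_reads(model, reads):
    """Read-congruence check on the abstract model. `reads` lists pairs
    (index_var, read_var) for abstracted read(A, index_var). Returns the first
    pair of reads whose indices agree but whose values differ, else None."""
    for (i1, r1), (i2, r2) in itertools.combinations(reads, 2):
        if model[i1] == model[i2] and model[r1] != model[r2]:
            return (i1, r1, i2, r2)
    return None

def solve_with_refinement(var_names, constraints, reads, max_iters=32):
    """Abstraction-refinement loop: solve without array axioms, validate the
    model, add the violated axiom instance as a lemma, repeat.
    Returns (model_or_None, number_of_lemmas_added)."""
    lemmas = []
    for _ in range(max_iters):
        model = solve_abstract(var_names, constraints + lemmas)
        if model is None:
            return None, len(lemmas)          # unsat even under abstraction
        bad = check_reads(model, reads)
        if bad is None:
            return model, len(lemmas)         # model respects the array axioms
        i1, r1, i2, r2 = bad
        # lemma: i1 == i2 -> r1 == r2 (default args bind the current names)
        lemmas.append(lambda m, a=i1, b=r1, c=i2, d=r2: m[a] != m[c] or m[b] == m[d])
    raise RuntimeError("refinement did not converge")

# Constructed problem: read(A, i) == 5 and read(A, j) == 7, reads abstracted as ri, rj.
VARS = ["i", "j", "ri", "rj"]
READS = [("i", "ri"), ("j", "rj")]
BASE = [lambda m: m["ri"] == 5, lambda m: m["rj"] == 7]

def example_sat():      # satisfiable once the refined model picks i != j
    return solve_with_refinement(VARS, BASE, READS)

def example_unsat():    # adding i == j is refuted only after the lemma is added
    return solve_with_refinement(VARS, BASE + [lambda m: m["i"] == m["j"]], READS)
```

In both instances the first abstract model assigns i = j = 0 with ri = 5 and rj = 7, which the congruence check rejects; one lemma is enough to either repair the model or prove the formula unsatisfiable.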