Model Counting for Recursively-Defined Strings
Abstract
We present a new algorithm for model counting of a class of string constraints. In addition to the classic operation of concatenation, our class includes some recursively defined operations such as Kleene closure, and replacement of substrings. Additionally, our class also includes length constraints on the string expressions, which means, by requiring reasoning about numbers, that we face a multi-sorted logic. In the end, our string constraints are motivated by their use in programming for web applications.
Our algorithm comprises two novel features: the ability to use a technique of (1) partial derivatives for constraints that are already in a solved form, i.e. a form where its (string) satisfiability is clearly displayed, and (2) non-progression, where cyclic reasoning in the reduction process may be terminated (thus allowing for the algorithm to look elsewhere). Finally, we experimentally compare our model counter with two recent works on model counting of similar constraints, SMC [18] and ABC [5], to demonstrate its superior performance.
Notes
Acknowledgement
This research was supported by the Singapore MOE under Tier-2 grant R-252-000-591-112. It was also supported in part by the Austrian Science Fund (FWF) under grants S11402-N23 (RiSE/SHiNE) and Z211-N23 (Wittgenstein Award).
References
- 1. Abdulla, P.A., Atig, M.F., Chen, Y.-F., Holk, L., Rezine, A., Rümmer, P., Stenman, J.: String constraints for verification. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 150–166. Springer, Cham (2014). doi: 10.1007/978-3-319-08867-9_10
- 2. Abdulla, P.A., Atig, M.F., Chen, Y.-F., Holk, L., Rezine, A., Rümmer, P., Stenman, J.: Norn: an SMT solver for string constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 462–469. Springer, Cham (2015). doi: 10.1007/978-3-319-21690-4_29
- 3. Alvim, M.S., Andrés, M.E., Chatzikokolakis, K., Palamidessi, C.: Quantitative information flow and applications to differential privacy. In: Aldini, A., Gorrieri, R. (eds.) FOSAD 2011. LNCS, vol. 6858, pp. 211–230. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23082-0_8
- 4. Antimirov, V.: Partial derivatives of regular expressions and finite automaton constructions. Theoret. Comput. Sci. 155(2), 291–319 (1996)
- 5. Aydin, A., Bang, L., Bultan, T.: Automata-based model counting for string constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 255–272. Springer, Cham (2015). doi: 10.1007/978-3-319-21690-4_15
- 6. Backes, M., Köpf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 141–153, May 2009
- 7. Bang, L., Aydin, A., Phan, Q.-S., Pasareanu, C.S., Bultan, T.: String analysis for side channels with segmented oracles. In: FSE, pp. 193–204 (2016)
- 8. Biondi, F., Legay, A., Traonouez, L.-M., Wąsowski, A.: QUAIL: a quantitative security analyzer for imperative code. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 702–707. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-39799-8_49
- 9. Borges, M., Filieri, A., d’Amorim, M., Păsăreanu, C.S., Visser, W.: Compositional solution space quantification for probabilistic software analysis. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2014, pp. 123–132. ACM, New York (2014)
- 10. Chatzikokolakis, K., Palamidessi, C., Panangaden, P.: Anonymity protocols as noisy channels. Inf. Comput. 206(2–4), 378–401 (2008)
- 11. Clark, D., Hunt, S., Malacaria, P.: A static analysis for quantifying information flow in a simple imperative language. J. Comput. Secur. 15(3), 321–371 (2007)
- 12. De Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78800-3_24
- 13. Filieri, A., Păsăreanu, C.S., Visser, W.: Reliability analysis in symbolic pathfinder. In: Proceedings of the 2013 International Conference on Software Engineering, ICSE 2013, Piscataway, NJ, USA, pp. 622–631. IEEE Press (2013)
- 14. Kausler, S., Sherman, E.: Evaluation of string constraint solvers in the context of symbolic execution. In: ASE, pp. 259–270 (2014)
- 15. Kiezun, A., Ganesh, V., Guo, P.J., Hooimeijer, P., Ernst, M.D.: Hampi: a solver for string constraints. In: ISSTA, pp. 105–116. ACM (2009)
- 16. Köpf, B., Basin, D.: An information-theoretic model for adaptive side-channel attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2007, pp. 286–296. ACM, New York (2007)
- 17. Liang, T., Reynolds, A., Tinelli, C., Barrett, C., Deters, M.: A DPLL(T) theory solver for a theory of strings and regular expressions. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 646–662. Springer, Cham (2014). doi: 10.1007/978-3-319-08867-9_43
- 18. Luu, L., Shinde, S., Saxena, P., Demsky, B.: A model counter for constraints over unbounded strings. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2014, pp. 565–576. ACM, New York (2014)
- 19. Morgado, A., Matos, P., Manquinho, V., Marques-Silva, J.: Counting models in integer domains. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 410–423. Springer, Heidelberg (2006). doi: 10.1007/11814948_37
- 20. OWASP: Top ten project, May 2013. http://www.owasp.org/
- 21. Phan, Q.-S., Malacaria, P., Tkachuk, O., Păsăreanu, C.S.: Symbolic quantitative information flow. SIGSOFT Softw. Eng. Notes 37(6), 1–5 (2012)
- 22. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. A. Commun. 21(1), 5–19 (2006)
- 23. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: SP, pp. 513–528 (2010)
- 24. Smith, G.: On the foundations of quantitative information flow. In: Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00596-1_21
- 25. Trinh, M.-T., Chu, D.-H., Jaffar, J.: S3: a symbolic string solver for vulnerability detection in web applications. In: ACM-CCS, pp. 1232–1243. ACM (2014)
- 26. Trinh, M.-T., Chu, D.-H., Jaffar, J.: Progressive reasoning over recursively-defined strings. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9779, pp. 218–240. Springer, Cham (2016). doi: 10.1007/978-3-319-41528-4_12
- 27. Trinh, M.-T., Chu, D.-H., Jaffar, J.: Technical report (2017). http://www.comp.nus.edu.sg/~trinhmt/
- 28. Yu, S., Zhuang, Q., Salomaa, K.: The state complexities of some basic operations on regular languages. Theor. Comput. Sci. 125, 315–328 (1994)
- 29. Zheng, Y., Ganesh, V., Subramanian, S., Tripp, O., Dolby, J., Zhang, X.: Effective search-space pruning for solvers of string equations, regular expressions and length constraints. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 235–254. Springer, Cham (2015). doi: 10.1007/978-3-319-21690-4_14
- 30. Zheng, Y., Zhang, X., Ganesh, V.: Z3-str: a z3-based string solver for web application analysis. In: ESEC/FSE, pp. 114–124 (2013)