A Survey on Static Analysis and Model Checking

  • Iván García-Ferreira
  • Carlos Laorden
  • Igor Santos
  • Pablo García Bringas
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 299)


The error detection in software is a problem that causes the loss of large amount of money in updates and patches. Many programmers spend their time correcting code instead of programming new features for their applications. This makes early detection of software errors become essential. Both in the fields of static analysis and model checking, great advances are being made to find errors in the software before the products are released. Although model checking techniques are more dedicated to find malware, it can be adapted for errors in the software. In this article we will discuss the techniques used today for the search of patterns and vulnerabilities within the software to know what are the possible solutions to this issue. We examine the problem from the point of view of their algorithms and their effectiveness in finding bugs. Although there are similar surveys, none of them addresses the comparison of best static analysis algorithms against the best mathematical logic languages for model checking, two fields that are becoming very important in the search for errors in software.


Static binary code analysis mathematical logic model checking bugs 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alur, R., de Alfaro, L., Henzinger, T.A., Mang, F.Y.C.: Automating Modular Verification. In: Baeten, J.C.M., Mauw, S. (eds.) CONCUR 1999. LNCS, vol. 1664, p. 82. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  2. 2.
    ARC, (last accessed February 20, 2014)
  3. 3.
    Balakrishnan, G., Reps, T.: Analyzing memory accesses in x86 executables. In: Duesterwald, E. (ed.) CC 2004. LNCS, vol. 2985, pp. 5–23. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What You See Is Not What You eXecute. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 202–213. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Ben-Ari, M., Pnueli, A., Manna, Z.: The temporal logic of branching time. Acta Informatica 20(3), 207–226 (1983)CrossRefMATHMathSciNetGoogle Scholar
  6. 6.
    Christodorescu, M., Jha, S., Seshia, S.A., Song, D., Bryant, R.E.: Semantics-aware malware detection. In: Proc. IEEE Symposium on Security and Privacy, pp. 32–46 (2005)Google Scholar
  7. 7.
    Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Wisconsin Univ-Madison dept of Computer Sciences (2006)Google Scholar
  8. 8.
    Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching time temporal logic. In: Kozen, D. (ed.) Logics of Programs. LNCS, vol. 131, pp. 52–71. Springer, Heidelberg (1982)CrossRefGoogle Scholar
  9. 9.
    Clarke, E.M., Emerson, E.A., Sistla, A.P.: Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems 8(2), 244 (1986)CrossRefMATHGoogle Scholar
  10. 10.
    Clarke, E.M., Grumberg, O.: Avoiding the state explosion problem in temporal logic model checking. In: Proceedings of the Sixth Annual ACM Symposium on Principles of Distributed Computing, pp. 294–303. ACM (December 1987)Google Scholar
  11. 11.
    Clarke, E., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Progress on the state explosion problem in model checking. In: Wilhelm, R. (ed.) Informatics: 10 Years Back, 10 Years Ahead. LNCS, vol. 2000, pp. 176–194. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    CodeSurfer, (last accessed February 20, 2014)
  13. 13.
    Cousot, P.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGACT-SIGPLAN, pp. 238–252 (1977)Google Scholar
  14. 14.
    Cousot, P., Cousot, R.: Refining Model Checking by Abstract Interpretation. Automated Software Engineering Journal 6(1), 69–95 (1999)CrossRefGoogle Scholar
  15. 15.
    Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of program. Communications of the ACM, 453–457 (1975)Google Scholar
  16. 16.
    D’Silva, V., Kroening, D., Weissenbacher, G.: A survey of automated techniques for formal software verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 27(7), 1165–1178 (2008)CrossRefGoogle Scholar
  17. 17.
    Emerson, E.A., Clarke, E.M.: Characterizing correctness properties of parallel programs using fixpoints. In: de Bakker, J., van Leeuwen, J. (eds.) Automata, Languages and Programming. LNCS, vol. 85, pp. 169–181. Springer, Heidelberg (1980)CrossRefGoogle Scholar
  18. 18.
    Emerson, E.A., Halpern, J.Y.: Decisions procedures and expressiveness in the temporal logic of branching time. In: Handbook of Theorical Computer Science, vol. B: Formal models and Semantics. Elsevier (1985)Google Scholar
  19. 19.
    Emerson, E.A., Halpern, J.Y.: Sometimes and not never revisited: on branching versus linear time temporal logic. Journal of the ACM (JACM) 33(1), 151–178 (1986)CrossRefMATHMathSciNetGoogle Scholar
  20. 20.
    Engler, D., Musuvathi, M.: Static analysis versus software model checking for bug finding. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 191–210. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    F.L.I.R.T., (last accessed February 20, 2014)
  22. 22.
    Frama-C, (last accessed February 20, 2014)
  23. 23.
    Hoare, C.A.R.: An Axiomatic Basis for Computer Programming. Commun. ACM 12 (1969)Google Scholar
  24. 24.
    Holzman, G.J.: Design and validation of computer protocols. Prentice-Hall (1990)Google Scholar
  25. 25.
    IDA Pro, (last accessed February 20, 2014)
  26. 26.
    Java+ITP, (last accessed February 20, 2014)
  27. 27.
    Kinder, J., Katzenbeisser, S., Schallhart, C., Veith, H.: Detecting malicious code by model checking. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 174–187. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Konur, S.: A survey on temporal logics. arXiv preprint (2010)Google Scholar
  29. 29.
    Kozen, D.: Result on the Propositional μ-calculus. Journal of Theoretical Computer Science 27, 333–354 (1983)CrossRefMATHMathSciNetGoogle Scholar
  30. 30.
    Leveson, N.: An Investigation of the Therac-25 Accidents. IEEE Computer 26, 18–41 (1993)CrossRefGoogle Scholar
  31. 31.
    Lions, J.L.: ARIANE 5, Flight 501 Failure (1993), (last accessed February 20, 2014)
  32. 32.
    Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems. Springer (1991)Google Scholar
  33. 33.
    mCRL2, (last accessed February 20, 2014)
  34. 34.
    NuSMV, (last accessed February 20, 2014)
  35. 35.
    Pnueli, A.: The temporal logic of programs. In: Foundations of Computer Science 18th (1977)Google Scholar
  36. 36.
    Predator, (last accessed February 20, 2014)
  37. 37.
    Queille, J.P., Sifakis, J.: Specification and verification of concurrent systems in CESAR. In: Dezani-Ciancaglini, M., Montanari, U. (eds.) International Symposium on Programming. LNCS, vol. 137, pp. 337–351. Springer, Heidelberg (1982)CrossRefGoogle Scholar
  38. 38.
    Reynolds, J.: Automatic computation of data set definitions. Science (1967)Google Scholar
  39. 39.
    Song, F., Touili, T.: Efficient malware detection using model-checking. In: Giannakopoulou, D., Méry, D. (eds.) FM 2012. LNCS, vol. 7436, pp. 418–433. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  40. 40.
    Song, F., Touili, T.: PoMMaDe: pushdown model-checking for malware detection. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 607–610. ACM (August 2013)Google Scholar
  41. 41.
    SPIN, (last accessed February 20, 2014)
  42. 42.
    The First Computer Bug, (last accessed February 20, 2014)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Iván García-Ferreira
    • 1
  • Carlos Laorden
    • 1
  • Igor Santos
    • 1
  • Pablo García Bringas
    • 1
  1. 1.Deustotech ComputingUniversity of DeustoBilbaoSpain

Personalised recommendations