SMT abstraction
Description
Currently we are directly using z3 objects in laser, and are often directly using the z3 api. This has a few downsides.
- Firstly this makes most of the code dependent on z3, which makes it difficult to plug in another SMT solver which might work better on the specific queries we have in mythril.
- Secondly, at some point we want to start tracking taint in “run time”; this would be easy to do if we could add a record to a BitVec object, which is impossible using z3 objects directly. How this could look:
> x = BitVector("x")
> x.has_taint()
false
> x.taint()
> x.has_taint()
true
Details
Abstraction layer
To solve this problem we should build abstraction around SMT solving logic, which would provide an interface along the lines of https://github.com/angr/claripy.
Taint analysis
For the dynamic taint analysis we’d need to be able to taint a bitvector multiple times, and to distinguish the different taints. This is required because different analysis modules will run at the same time, and the integer overflow detection should not look for tainted variables from another module.
Issue Analytics
- State:
- Created 5 years ago
- Comments: 10
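A sketch of the wrapper the issue asks for, as an added example that is not Mythril's code: a `BitVec` that holds an opaque solver term and carries taint labels that propagate through operations. It goes beyond the `taint()` / `has_taint()` sketch above by taking one label per analysis module; `TupleBackend`, the `symbol` helper and the label strings are assumptions, and the tuple backend stands in for z3 so the block runs offline.

```python
from typing import FrozenSet, Tuple, Union

class TupleBackend:
    """Constructed stand-in for a solver binding; terms are nested tuples."""

    def symbol(self, name: str, size: int) -> Tuple:
        return ("sym", name, size)

    def const(self, value: int, size: int) -> Tuple:
        return ("const", value % (1 << size), size)

    def apply(self, op: str, a: Tuple, b: Tuple) -> Tuple:
        return (op, a, b)

class BitVec:
    """Wraps a backend term and carries taint labels the raw term cannot hold."""

    def __init__(self, backend, raw, size: int, taints: FrozenSet[str] = frozenset()):
        self.backend, self.raw, self.size, self.taints = backend, raw, size, taints

    def taint(self, label: str) -> None:
        # One label per analysis module, so modules ignore each other's marks.
        self.taints = self.taints | {label}

    def has_taint(self, label: str) -> bool:
        return label in self.taints

    def _binop(self, op: str, other: Union["BitVec", int]) -> "BitVec":
        if isinstance(other, int):  # lift Python ints to untainted constants
            other = BitVec(self.backend, self.backend.const(other, self.size), self.size)
        if other.size != self.size:
            raise ValueError("bit-width mismatch")
        raw = self.backend.apply(op, self.raw, other.raw)
        # The result inherits the union of both operands' taints.
        return BitVec(self.backend, raw, self.size, self.taints | other.taints)

    def __add__(self, other): return self._binop("bvadd", other)
    def __mul__(self, other): return self._binop("bvmul", other)

def symbol(backend, name: str, size: int = 256) -> BitVec:
    return BitVec(backend, backend.symbol(name, size), size)

def demo():
    be = TupleBackend()
    x, y = symbol(be, "x"), symbol(be, "y")
    x.taint("integer_overflow")  # hypothetical module labels
    y.taint("other_module")
    return x + 1, (x + 1) * y
```

Only the backend class touches solver terms, so swapping the solver means replacing `TupleBackend` while the taint bookkeeping stays unchanged.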
Top GitHub Comments
For the abstraction layer, how about pysmt (https://github.com/pysmt/pysmt)? It uses SMT-Lib format to interact with SMT/SAT solvers and has supported many popular solvers, including Z3 and CVC4.
I’ve looked into the following three options:
- Roll our own abstraction layer: Possible, and it would allow us to build a solution that exactly fits our needs. But would take more time than the other two options.
- Extend pySMT: This is the approach that hzzang took. In the PR we see that a symbol manager can be used to store properties for each symbol. However, this doesn’t allow us to taint or annotate expressions, therefore it doesn’t fully fit our needs yet.
- Use claripy