Stefan Schmid

Warren Hunt

Philipp Rümmer

Abstract:

Recursive algebraic data types (term algebras, ADTs) are one of the
most well-studied theories in logic, and find application in
contexts including functional programming, modelling languages,
proof assistants, and verification. At this point, several
state-of-the-art theorem provers and SMT solvers include tailor-made
decision procedures for ADTs, and version 2.6 of the SMT-LIB
standard includes support for ADTs. We study a relatively simple
approach to decide satisfiability of ADT constraints, the reduction
of ADT constraints to equisatisfiable constraints over uninterpreted
functions (EUF) and linear integer arithmetic (LIA). We show that
the reduction approach gives rise to both decision and Craig
interpolation procedures in ADTs. As an extension, we then consider
ADTs with size constraints, and give a precise characterisation of
the ADTs for which reduction combined with incremental unfolding is
a decision procedure.

Alexandra Silva

Abstract:

Automata learning is a technique that has successfully been applied in verification, with the automaton type
varying depending on the application domain. Adaptations of automata learning algorithms for increasingly
complex types of automata have to be developed from scratch because there was no abstract theory offering
guidelines. This makes it hard to devise such algorithms, and it obscures their correctness proofs.
We introduce a simple category-theoretic formalism that provides an appropriately abstract foundation for
studying automata learning. Furthermore, our framework establishes formal relations between algorithms for
learning, testing, and minimization. We illustrate its generality with two examples: deterministic and weighted
automata.

RiSE Invited Lecture – Tom van Dijk

Abstract:
Parity games are deceptively simple two-player games on directed graphs
labeled with numbers.
Parity games have important practical applications in formal
verification and synthesis, especially to solve the model-checking problem
of the modal mu-calculus. They are also interesting from the theory
perspective, because they are widely believed to admit a polynomial
solution, but so far no such algorithm is known. In recent years, a number
of new algorithms and improvements to existing algorithms have been
proposed.
In this talk, we introduce parity games in an accessible way and discuss
why they are so interesting. We present various solutions that have been
proposed over the years. We also present a comprehensive empirical evaluation
of modern parity game algorithms and solvers, both on real world benchmarks
and randomly generated games.

Anthony Widjaja Lin

Abstract:
Symbolic executions (and their recent variants called dynamic symbolic
executions) are an important technique in automated testing. Instead
of analysing only concrete executions of a program, one could treat
such executions symbolically (i.e. with some variables that are not
bound to concrete values) and use constraint solvers to determine this
(symbolic) path feasibility so as to guide the path explorations of
the system under test, which in combination with dynamic analysis
gives the best possible path coverage. For string-manipulating
programs, solvers need to be able to handle constraints over the
string domain. This gives rise to the following natural question: what
is an ideal decidable logic over strings for reasoning about path
feasibility in a program with strings? This is a question that is
connected to a number of difficult results in theoretical computer
science (decidability of the theory of strings with concatenations,
a.k.a., word equations) and long-standing open problems (e.g.
decidability of word equations with length constraints). Worse yet,
recent examples from cross-site scripting vulnerabilities suggest that
more powerful string operations (e.g. finite-state transducers) might
be required as first class citizens in string constraints. Even though
putting all these string operations in a string logic leads to
undecidability, recent results show that there might be a way to
recover decidability while retaining expressivity for applications in
symbolic execution. In this talk, I will present one such result from
my POPL’16 paper (with P. Barcelo). The string logic admits
concatenations, regular constraints, finite-state transductions,
letter-counting and length constraints (which can consequently express
charAt operator, and string disequality). I will provide a number of
examples from the cross-site scripting literature that shows how a
string logic can, for the first time, be used to discover a bug in or
prove correctness of the programs. I will conclude by commenting on a
new decision procedure for the logic that leads to an efficient
implementation (POPL’18 with L. Holik, P. Janku, P. Ruemmer, and T.
Vojnar) and a recent attempt to incorporate the fully-fledged
replace-all operator into a string logic (POPL’18 with T. Chen, Y.
Chen, M. Hague, and Z. Wu).

Anthony Widjaja Lin

Abstract:
Buggy and insecure software could have serious consequences including
the loss of human lives, financial losses, and confidential
information leakage, to name a few. Program analysis is a field that
concerns the problem of analysing the behaviour of programs especially
with respect to the issue of correctness. Over the years computational
logic has played an important role in program analysis particularly in
the development of precise automatic methods for verifying the
correctness and optimising the performance of programs. In this talk I
will illustrate how logic can help program analysis, drawing examples
from my own research inspired by challenges in web security (e.g. how
to detect/prevent cross-site scripting vulnerabilities), web
performance optimisation (e.g. how to remove code redundancies in web
pages), and verification of distributed protocols. A theme that will
emerge during the talk is that there is often a tight connection
between logic and automata that can be exploited when designing (often
theoretically optimal) algorithms.

RiSE Invited Lecture – Michael I. Jordan

Abstract:

The rapid growth in the size and scope of datasets in science and technology has created a need for novel foundational perspectives on data analysis that blendthe inferential and computational sciences. That classical perspectives from these fields are not adequate to address emerging problems in Data Science is apparent from their sharply divergent nature at an elementary level—in computer science, the growth of the number of data points is a source of “complexity” that must be tamed via algorithms or hardware, whereas in statistics, the growth of the number of data points is a source of “simplicity” in that inferences are generally stronger and asymptotic results can be invoked. On a formal level, the gap is made evident by the lack of a role for computational concepts such as “runtime” in core statistical theory and the lack of a role for statistical concepts such as “risk” in core computational theory. I present several research vignettes aimed at bridging computation and statistics, including the problem of inference under privacy and communication constraints, and including a surprising cameo role for symplectic geometry.

Somesh Jha

Abstract:

Machine learning (ML) models, e.g., deep neural networks
(DNNs), are vulnerable to adversarial examples: malicious inputs
modified to yield erroneous model outputs, while appearing unmodified
to human observers. Potential attacks include having malicious content
like malware identified as legitimate or controlling vehicle
behavior. Yet, most existing adversarial example attacks require
knowledge of either the model internals or its training data.  We will
describe a black-box attack on ML models. These algorithms yield
adversarial examples misclassified by Amazon and Google at rates of
96.19% and 88.94%. We also find that this black-box attack strategy is
capable of evading defense strategies previously found to make
adversarial example crafting harder.

Jean-Pierre Talpin

Abstract:

We consider distributed timed systems that implement leader election
protocols which are at the heart of clock synchronization protocols. We
develop abstraction techniques for parameterized model checking of such
protocols under arbitrary network topologies, where nodes have independently
evolving clocks. We apply our technique for model checking the root election
part of the flooding time synchronisation protocol (FTSP), and obtain
improved results compared to previous work. We model check the protocol for
all topologies in which the distance to the node to be elected leader is
bounded by a given parameter.