Symbolic Automata: The Toolkit

The symbolic automata toolkit lifts classical automata analysis to work modulo rich alphabet theories. It uses the power of stateof-the-art constraint solvers for automata analysis that is both expressive and efficient, even for automata over large finite alphabets. The toolkit supports analysis of finite symbolic automata and transducers over strings. It also handles transducers with registers. Constraint solving is used when composing and minimizing automata, and a much deeper and powerful integration is also obtained by internalizing automata as theories. The toolkit, freely available from Microsoft Research, has recently been used in the context of web security for analysis of potentially malicious data over Unicode characters. Introduction. The distinguishing feature of the toolkit is the use and operations with symbolic labels. This is unlike classical automata algorithms that mostly work assuming a finite alphabet. Adtantages of a symbolic representation are examined in [4], where it is shown that the symbolic algorithms consistently outperform classical algorithms (often by orders of magnitude) when alphabets are large. Moreover, symbolic automata can also work with infinite alphabets. Typical alphabet theories can be arithmetic (over integers, rationals, bit-vectors), algebraic data-types (for tuples, lists, trees, finite enumerations), and arrays. Tuples are used for handling alphabets that are cross-products of multiple sorts. In the following we describe the core components and functionality of the tool. The main components are Automaton〈T 〉, basic automata operations modulo a Boolean algebra T ; SFA〈T 〉, symbolic finite automata as theories modulo T ; and SFT〈T 〉, symbolic finite transducers as theories modulo T . We illustrate the tool’s API using code samples from the distribution. Automaton〈T 〉. The main building block of the toolkit, that is also defined as a corresponding generic class, is a (symbolic) automaton over T : Automaton〈T 〉. The type T is assumed to be equipped with effective Boolean operations over T : ∧, ∨, ¬, ⊥, is⊥ that satisfy the standard axioms of Boolean algebras, where is⊥(φ) checks if a term φ is false (thus, to check if φ is true, check is⊥(¬φ)). The main operations over Automaton〈T 〉 are ∩ (intersection), ∪ (union) { (complementation), A ≡ ∅ (emptiness check). As an example of a simple symbolic operation consider products: when A,B are of type Automaton〈T 〉, then A ∩ B has the transitions 〈(p, q), φ∧ψ, (p′, q′)〉 for each transition 〈p, φ, p′〉 ∈ A, and 1 The binary release is available from http://research.microsoft.com/automata. 〈q, ψ, q′〉 ∈ B. Infeasible and unreachable transitions are pruned by using the is⊥ tester. Note that Automaton〈T 〉 is also a Boolean algebra (using the operations ∩,∪, {,≡ ∅). Consequently, the tool supports building and analyzing nested automata Automaton〈Automaton〈T 〉〉. The tool provides a Boolean algebra solver CharSetSolver that uses specialized BDDs (see [4]) of type CharSet. This solver is used to efficiently analyze .Net regexes with Unicode character encoding. The following code snippet illustrates its use, as well as some other features like visualization. CharSetSolver solver = new CharSetSolver(CharacterEncoding.Unicode); // charset solver string a = @"^[A-Za-z0-9]+@(([A-Za-z0-9\-])+\.)+([A-Za-z\-])+$"; // .Net regex string b = @"^\d.*$"; // .Net regex Automaton A = solver.Convert(a); // create the equivalent automata Automaton B = solver.Convert(b); Automaton C = A.Minus(B, solver); // construct the difference var M = C.Determinize(solver).Minimize(solver); // determinize then minimize the automaton solver.ShowGraph(M, "M.dgml"); // save and visualize string s = solver.GenerateMember(M); //generate some member, e.g. "[email protected]" The resulting graph from line 8 is shown below.