Finding Software Vulnerabilities in Large C Projects via Bounded Model Checking

Janislley Oliveira de Sousa; Bruno Carvalho De Farias; Thales Araujo  da Silva; Norbert Tihanyi; Richard A. Dubniczky; Eddie B. De L. Filho; Lucas Cordeiro

doi:10.1007/s10009-026-00838-0

Finding Software Vulnerabilities in Large C Projects via Bounded Model Checking

Janislley Oliveira de Sousa
, Bruno Carvalho De Farias
, Thales Araujo da Silva
, Norbert Tihanyi
, Richard A. Dubniczky
, Eddie B. De L. Filho
, Lucas Cordeiro

Research output: Contribution to journal › Article › peer-review

Abstract

Bounded model checking (BMC) is a widely used technique for detecting security vulnerabilities and verifying the correctness of critical software components. While highly effective on small to medium-sized codebases, its application to large-scale software systems remains difficult due to scalability limitations. In this work, we present a practical methodology to enable the use of BMC in real-world, complex software projects. Our approach includes automated preprocessing of source code and a guided verification process that helps a model checker systematically explore a codebase. We also introduce a function-level prioritization mechanism that focuses verification efforts on the most critical code parts. We evaluated our method on popular open-source C projects, discovering security vulnerabilities that the respective developers confirmed. The results demonstrate that, with appropriate strategies, BMC can effectively scale to verify large software systems while maintaining low memory usage.

Original language	English
Journal	International Journal on Software Tools for Technology Transfer
DOIs	https://doi.org/10.1007/s10009-026-00838-0
Publication status	Published - 20 Feb 2026

Keywords

Bounded Model Checking
Software Verification
Security vulnerabilities
Large Systems
Open-source software verification

Access to Document

10.1007/s10009-026-00838-0

EnnCore: End-to-End Conceptual Guarding of Neural Architectures
Cordeiro, L. (PI), Brown, G. (CoI), Freitas, A. (CoI), Luján, M. (CoI) & Mustafa, M. (CoI)
1/02/21 → 31/12/25
Project: Research
SCorCH: Secure Code for Capability Hardware
Reger, G. (PI), Cordeiro, L. (CoI), Korovin, K. (CoI), Mustafa, M. (CoI) & Olivier, P. (CoI)
1/07/20 → 31/12/23
Project: Research

Cite this

@article{6888635cd1994d1a8fb63aef1d7ab06e,

title = "Finding Software Vulnerabilities in Large C Projects via Bounded Model Checking",

abstract = "Bounded model checking (BMC) is a widely used technique for detecting security vulnerabilities and verifying the correctness of critical software components. While highly effective on small to medium-sized codebases, its application to large-scale software systems remains difficult due to scalability limitations. In this work, we present a practical methodology to enable the use of BMC in real-world, complex software projects. Our approach includes automated preprocessing of source code and a guided verification process that helps a model checker systematically explore a codebase. We also introduce a function-level prioritization mechanism that focuses verification efforts on the most critical code parts. We evaluated our method on popular open-source C projects, discovering security vulnerabilities that the respective developers confirmed. The results demonstrate that, with appropriate strategies, BMC can effectively scale to verify large software systems while maintaining low memory usage.",

keywords = "Bounded Model Checking, Software Verifi cation, Security vulnerabilities, Large Systems, Open-source software verification",

author = "\{de Sousa\}, \{Janislley Oliveira\} and \{Carvalho De Farias\}, Bruno and \{da Silva\}, \{Thales Araujo\} and Norbert Tihanyi and Dubniczky, \{Richard A.\} and \{L. Filho\}, \{Eddie B. De\} and Lucas Cordeiro",

year = "2026",

month = feb,

day = "20",

doi = "10.1007/s10009-026-00838-0",

language = "English",

journal = "International Journal on Software Tools for Technology Transfer",

issn = "1433-2779",

publisher = "Springer Nature",

}

TY - JOUR

T1 - Finding Software Vulnerabilities in Large C Projects via Bounded Model Checking

AU - de Sousa, Janislley Oliveira

AU - Carvalho De Farias, Bruno

AU - da Silva, Thales Araujo

AU - Tihanyi, Norbert

AU - Dubniczky, Richard A.

AU - L. Filho, Eddie B. De

AU - Cordeiro, Lucas

PY - 2026/2/20

Y1 - 2026/2/20

N2 - Bounded model checking (BMC) is a widely used technique for detecting security vulnerabilities and verifying the correctness of critical software components. While highly effective on small to medium-sized codebases, its application to large-scale software systems remains difficult due to scalability limitations. In this work, we present a practical methodology to enable the use of BMC in real-world, complex software projects. Our approach includes automated preprocessing of source code and a guided verification process that helps a model checker systematically explore a codebase. We also introduce a function-level prioritization mechanism that focuses verification efforts on the most critical code parts. We evaluated our method on popular open-source C projects, discovering security vulnerabilities that the respective developers confirmed. The results demonstrate that, with appropriate strategies, BMC can effectively scale to verify large software systems while maintaining low memory usage.

AB - Bounded model checking (BMC) is a widely used technique for detecting security vulnerabilities and verifying the correctness of critical software components. While highly effective on small to medium-sized codebases, its application to large-scale software systems remains difficult due to scalability limitations. In this work, we present a practical methodology to enable the use of BMC in real-world, complex software projects. Our approach includes automated preprocessing of source code and a guided verification process that helps a model checker systematically explore a codebase. We also introduce a function-level prioritization mechanism that focuses verification efforts on the most critical code parts. We evaluated our method on popular open-source C projects, discovering security vulnerabilities that the respective developers confirmed. The results demonstrate that, with appropriate strategies, BMC can effectively scale to verify large software systems while maintaining low memory usage.

KW - Bounded Model Checking

KW - Software Verification

KW - Security vulnerabilities

KW - Large Systems

KW - Open-source software verification

U2 - 10.1007/s10009-026-00838-0

DO - 10.1007/s10009-026-00838-0

M3 - Article

SN - 1433-2779

JO - International Journal on Software Tools for Technology Transfer

JF - International Journal on Software Tools for Technology Transfer

ER -

Finding Software Vulnerabilities in Large C Projects via Bounded Model Checking

Abstract

Keywords

Access to Document

Fingerprint

Projects

EnnCore: End-to-End Conceptual Guarding of Neural Architectures

SCorCH: Secure Code for Capability Hardware

Cite this