Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Symbolic Execution Cristian Cadar Department of Computing Imperial College London Computer Aided Verification (CAV13) St Petersburg, 15 July 2013.

Published byTrevion Scaggs Modified over 10 years ago

Similar presentations

Presentation on theme: "Dynamic Symbolic Execution Cristian Cadar Department of Computing Imperial College London Computer Aided Verification (CAV13) St Petersburg, 15 July 2013."— Presentation transcript:

1 Dynamic Symbolic Execution Cristian Cadar Department of Computing Imperial College London Computer Aided Verification (CAV13) St Petersburg, 15 July 2013 Based on joint work with Paul Marinescu, Peter Collingbourne, Paul Kelly, JaeSeung Song, Peter Pietzuch, Hristina Palikareva (Imperial) & Dawson Engler, Daniel Dunbar, Junfeng Yang, Peter Pawlowski, Can Sar, Paul Twohey, Vijay Ganesh, David Dill, Peter Boonstoppel (Stanford)

2 Dynamic Symbolic Execution Dynamic symbolic execution is a technique for automatically exploring paths through a program Determines the feasibility of each explored path using a constraint solver Checks if there are any values that can cause an error on each explored path For each path, can generate a concrete input triggering the path 2

3 Dynamic Symbolic Execution 3 Received significant interest in the last few years Many dynamic symbolic execution/concolic tools available as open-source: – CREST, KLEE, SYMBOLIC JPF, etc. Started to be adopted/tried out in the industry: –Microsoft ( SAGE, PEX ) –NASA ( SYMBOLIC JPF, KLEE ) –Fujitsu ( SYMBOLIC JPF, KLEE / KLOVER ) –IBM ( APOLLO ) –etc.

4 Dynamic Symbolic Execution Toy example and demo Scalability challenges Path explosion challenges Constraint solving challenges Generic bug finding User-level utilities, kernel code, drivers, libraries, etc. Attack generation against file systems and network servers Patch testing Testing six years of patches in three application suite Semantic errors via crosschecking Server interoperability, SIMD optimizations, etc. 4

5 magic 0xEEEE magic = 0xEEEE img = Toy Example TRUE int main(int argc, char** argv) {... image_t img = read_img(file); if (img.magic != 0xEEEE) return -1; if (img.h > 1024) return -1; w = img.sz / img.h;... } magic 0xEEEE return -1 h > 1024 TRUE h > 1024 return -1 h 1024 w = sz / h struct image_t { unsigned short magic; unsigned short h, sz;...

6 magic 0xEEEE magic = 0xEEEE img = AAAA0000… img1.out TRUE return -1 h > 1024 TRUE h > 1024 return -1 h 1024 EEEE1111… img2.out h = 0 TRUE h = 0 Div by zero! h 0 EEEE0A00… img4.out EEEE0000… img3.out w = sz / h magic 0xEEEE Each path is explored separately! int main(int argc, char** argv) {... image_t img = read_img(file); if (img.magic != 0xEEEE) return -1; if (img.h > 1024) return -1; w = img.sz / img.h;... } struct image_t { unsigned short magic; unsigned short h, sz;... Toy Example

7 Implicit checks before each dangerous operation Pointer dereferences Array indexing Division/modulo operations Assert statements All-Value Checks 0 k< 4 TRUEFALSE int foo(unsigned k) { int a[4] = {3, 1, 0, 4}; k = k % 4; return a[a[k]]; }... { k = * }... All-value checks! Errors are found if any buggy values exist on that path! TRUEFALSE Infeasible... 0 k < 4¬ 0 k < 4 7

8 Implicit checks before each dangerous operation Pointer dereferences Array indexing Division/modulo operations Assert statements All-Value Checks 0 a[k]< 4 TRUEFALSE int foo(unsigned k) { int a[4] = {3, 1, 0, 4}; k = k % 4; return a[a[k]]; }... Buffer overflow! { k = * }... All-value checks! Errors are found if any buggy values exist on that path! FALSE TRUE ¬ 0 a[k] < 4 0 a[k] < 4... k = 3

9 All operations that do not depend on the symbolic inputs are (essentially) executed as in the original code Advantages: –Ability to interact with the outside environment E.g., system calls, uninstrumented libraries –Can partly deal with limitations of constraint solvers E.g., unsupported theories –Only relevant code executed symbolically Without the need to extract it explicitly Mixed Concrete/Symbolic Execution 9

10 Tools: EGT, EXE, KLEE, ZESTI, etc. EGT/EXE/ K L E E/… Constraint Solver magic = 0xEEEE h = 0x1111 C code magic = 0xEEEE h 1024 AAAA0000… EEEE1111… EEEE0000… EEEE0A00… Bug

11 KLEE [http://klee.llvm.org] Symbolic execution tool based on the LLVM compiler infrastructure and the STP constraint solver Works as a mixed concrete/symbolic interpreter for LLVM bitcode Extensible platform, used and extended by many groups in academia and industry 11 DEMO

12 KLEE [http://klee.llvm.org] // #include directives struct image_t { unsigned short magic; unsigned short h, sz; // height, size char pixels[1018]; }; int main(int argc, char** argv) { struct image_t img; int fd = open(argv[1], O_RDONLY); read(fd, &img, 1024); if (img.magic != 0xEEEE) return -1; if (img.h > 1024) return -1; unsigned short w = img.sz / img.h; return w; } 12 $ klee-gcc -c -g image_viewer.c $ klee --posix-runtime –write-pcs image_viewer.o --sym-files 1 1024 A... KLEE: output directory = klee-out-1 (klee-last)... KLEE: ERROR:... divide by zero... KLEE: done: generated tests = 4

13 KLEE [http://klee.llvm.org] 13 $ ls klee-last assembly.ll test000001.ktest test000003.ktest info test000001.pc test000003.pc messages.txt test000002.ktest test000004.ktest run.istats test000002.pc test000004.pc run.stats test000003.div.err warnings.txt $ cat klee-last/test000003.div.err Error: divide by zero... Stack:... #1 00000171 in main (argc=5, argv=28823328) at image_viewer.c:29

14 KLEE [http://klee.llvm.org] 14 $ cat klee-last/test000003.pc... array A-data[1024] : w32 -> w8 = symbolic (query [... (Eq 61166 (ReadLSB w16 0 A-data)) (Eq 0 (ReadLSB w16 2 A-data))... )

15 KLEE [http://klee.llvm.org] 15 $ klee-replay --create-files-only klee-last/test000003.ktest [File A created] $ xxd -g 1 -l 10 A 0000000: ee ee 00 00 00 00 00 00 00 00.......... $ gcc -o image_viewer image_viewer.c [image_viewer created] $./image_viewer A Floating point exception (core dumped)

16 Scalability Challenges Constraint solving challenges Path exploration challenges

17 Path Exploration Challenges Naïve exploration can easily get stuck Employing search heuristics Dynamically eliminating redundant paths Statically merging paths Using existing regression test suites to prioritize execution etc. 17

18 Search Heuristics Coverage-optimized search –Select path closest to an uncovered instruction –Favor paths that recently hit new code Best-first search Random path search etc. 18 [CCS06, OSDI08, ICSE12, etc.]

19 Random Path Selection NOT random state selection NOT BFS Favors paths high in the tree –fewer constraints Avoid starvation –e.g. symbolic loop Maintain a binary tree of active paths Subtrees have equal prob. of being selected, irresp. of size 19

20 Which Search Heuristic? Our latest tool KLEE uses multiple heuristics in a round-robin fashion, to protect against individual heuristics getting stuck in a local maximum. 20

21 Eliminating Redundant Paths If two paths reach the same program point with the same constraint sets, we can prune one of them We can discard from the constraint sets of each path those constraints involving memory which is never read again 21 [TACAS08]

22 ... flag = 1 flag = 0 arg2 > 100 flag = 1 arg2 100 process(data, 1) arg1 > 100 arg1 100 arg2 > 100 arg1 > 100 if arg1, arg2 not read by process(data, 1) data, arg1, arg2 = * flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag);

23 Many Redundant Paths PCI driver (MINIX) – 1h runs Non-redundant explored states Generated tests 23

24 Lots of Redundant Paths tcpdump udhcpd sb16lance pcreexpatbpf 24

25 Redundant Path Elimination PCI driver (MINIX) – 1h runs Generated tests Branch coverage (%) 25

26 $ cd lighttpd-1.4.29 $ make check..../cachable.t.......... ok./core-404-handler.t.. ok./core-condition.t.... ok./core-keepalive.t.... ok./core-request.t...... ok./core-response.t..... ok./core-var-include.t.. ok./core.t.............. ok./lowercase.t......... ok./mod-access.t........ ok... Using Existing Regression Suites Most applications come with a manually-written regression test suite [ICSE12]

27 Regression Suites 27 Execute each path with a single set of inputs Often exercise the general case of a program feature, missing corner cases CONS Designed to execute interesting program paths Often achieve good coverage of different program features PROS

28 ZESTI: SymEx+Regression Suites 28 1.Use the paths executed by the regression suite to bootstrap the exploration process (to benefit from the coverage of the manual test suite and find additional errors on those paths) 2.Incrementally explore paths around the dangerous operations on these paths, in increasing distance from the dangerous operations (to test all possible corner cases of the program features exercised by the test suite) [ICSE12]

29 Multipath Analysis main(argv, argc) exit(0) dangerous operations divergence point Bounded symbolic execution

30 Scalability Challenges Constraint solving challenges Path exploration challenges Constraint solving challenges 30

31 Constraint Solving Challenges 1. Accuracy: need bit-level modeling of memory: Systems code often observes the same bytes in different ways: e.g., using pointer casting to treat an array of chars as a network packet, inode, etc. Bugs (in systems code) are often triggered by corner cases related to pointer/integer casting and arithmetic overflows 2. Performance: real programs generate many expensive constraints 31

32 STP Constraint Solver [Ganesh, Dill] Modern constraint solver, based on eager translation to SAT (uses MiniSAT) Developed at Stanford by Ganesh and Dill, initially targeted to (and driven by) EXE Two data types: bitvectors (BVs) and arrays of BVs We model each memory block as an array of 8-bit BVs We can translate all C expressions into STP constraints with bit-level accuracy –Main exception: floating-point 32

33 Constraint Solving: Accuracy Mirror the (lack of) type system in C –Model each memory block as an array of 8-bit BVs –Bind types to expressions, not bits char buf[N]; // symbolic struct pkt1 { char x, y, v, w; int z; } *pa = (struct pkt1*) buf; struct pkt2 { unsigned i, j; } *pb = (struct pkt2*) buf; if (pa[2].v = 1<<23); } buf: ARRAY BITVECTOR(32)OF BITVECTOR(8) SBVLT(buf[18], 0x00) BVGE(buf[19]@buf[18]@buf[17]@buf[16], 0x00800000)

34 Constraint Solving: Performance Inherently expensive Invoked at every branch Key insight: exploit the characteristics of constraints generated by symex 34

35 Some Constraint Solving Statistics [after optimizations] UNIX utilites (and many other benchmarks) Large number of queries Most queries <0.1s Most time spent in the solver (before and after optimizations!) ApplicationInstrs/sQueries/sSolver % [6957.997.8 base6420,52042.297.0 chmod5,36012.697.2 comm222,113305.088.4 csplit19,13263.598.3 dircolors1,019,7954,251.798.6 echo524.598.8 env13,24626.397.2 factor12,11922.699.7 join1,033,0223,401.298.1 ln2,98624.597.0 mkdir3,8957.296.6 Avg:196,078675.597.1 1h runs using KLEE with DFS and no caching [CAV13]

36 Constraint Solving Optimizations Implemented at several different levels: SAT solvers SMT solvers Symbolic execution tools 36

37 Higher-Level Constraint Solving Optimizations Two simple and effective optimizations –Eliminating irrelevant constraints –Caching solutions 37

38 Eliminating Irrelevant Constraints In practice, each branch usually depends on a small number of variables w+z > 100 2 * w – 1 < 12345 x + y > 10 z & -z = z x < 10 ? … if (x < 10) { … } 38 [CCS06]

39 Caching Solutions 2 y < 100 x > 3 x + y > 10 x = 5 y = 15 2 y < 100 x + y > 10 2 y < 100 x > 3 x + y > 10 x < 10 Static set of branches: lots of similar constraint sets Eliminating constraints cannot invalidate solution Adding constraints often does not invalidate solution x = 5 y = 15 x = 5 y = 15 39 [OSDI08]

40 Speedup Aggregated data over 73 applications Time (s) Executed instructions (normalized) 40

41 More on Caching: Instrs/Sec 41 ApplicationNo cachingCachingSpeedup [3,9146950.17 base6418,84020,5201.08 chmod12,0605,3600.44 comm73,064222,1133.03 csplit10,68219,1321.79 dircolors8,0901,019,795126.05 echo227520.22 env21,99513,2460.60 factor1,89712,1196.38 join12,6491,033,02281.66 ln13,4202,9860.22 mkdir25,3313,8950.15 Avg:16,847196,07811.63x Instrs/sec on ~1h runs, using DFS, w/ and w/o caching Need for better, more adaptive caching algorithms! [CAV13]

42 Portfolio of SMT Solvers KLEE metaSMT x = 3 x = -2 x = 1234 x = 3 C code x 0 x 1234 STPBoolectorZ3 [CAV13]

43 Usage Scenarios Successfully used our tools to: Automatically generate high-coverage test suites Discover generic bugs and security vulnerabilities in complex software Perform comprehensive patch testing Flag potential semantic bugs via crosschecking Perform bounded verification 43

44 Bug Finding with EGT, EXE, KLEE: Focus on Systems and Security Critical Code Applications UNIX utilities ext2, ext3, JFS UNIX file systems Coreutils, Busybox, Minix (over 450 apps) Network servers pci, lance, sb16 Library code libdwarf, libelf, PCRE, uClibc, etc. Packet filters FreeBSD BPF, Linux BPF MINIX device drivers Bonjour, Avahi, udhcpd, lighttpd, etc. Kernel code HiStar kernel Most bugs fixed promptly OpenCV (filter, remap, resize, etc.) Computer vision code OpenCL code Parboil, Bullet, OP2 44

45 md5sum -c t1.txt mkdir -Z a b mkfifo -Z a b mknod -Z a b p seq -f %0 1 printf %d pr -e t2.txt tac -r t3.txt t3.txt paste -d \\ abcdefghijklmnopqrstuvwxyz ptx -F \\ abcdefghijklmnopqrstuvwxyz ptx x t4.txt cut –c3-5,8000000- --output-d: file Coreutils Commands of Death [OSDI 2008, ICSE 2012] t1.txt: \ t \ tMD5( t2.txt: \ b \ b \ b \ b \ b \ b \ b \ t t3.txt: \ n t4.txt: A

46 Some modern operating systems allow untrusted users to mount regular files as disk images! Attack Generation: File Systems 46

47 Attack Generation – File Systems Mount code is executed by the kernel! Attackers may create malicious disk images to attack a system 47

48 Attack Generation – File Systems ext2ext3 JFS 1011100101011100 = * EXE mount( ) ext2 / ext3 / JFS 01010110110101000101011100110101... [Oakland 2006]

49 Disk of death (JFS, Linux 2.6.10) OffsetHex Values 000000000... 08000464A31350000 0801010000000 080200000 01000000 08030E004000F0000 00020000 080400000... 64 th sector of a 64K disk image Mount it and PANIC your kernel 64 th sector of a 64K disk image Mount it and PANIC your kernel

50 1 1 test 4 KATCH: High-Coverage Symbolic Patch Testing commit KATCH test 1 test 4 --- klee/trunk/lib/Core/Executor.cpp2009/08/01 22:31:44 77819 +++ klee/trunk/lib/Core/Executor.cpp2009/08/02 23:09:31 77922 @@ -2422,8 +2424,11 @@ info << "none\n"; } else { const MemoryObject *mo = lower->first; + std::string alloc_info; + mo->getAllocInfo(alloc_info); info address - size << "\n"; + size << "\n" + << "\t\t" << alloc_info << "\n; test 3 test 4 bug test 4 bug test 4 [SPIN 2012, ESEC/FSE 2013]

51 Symbolic Patch Testing Input Patch + if (errno == ECHILD) + { log_error_write(srv, __FILE__, __LINE__, "s",..."); + cgi_pid_del(srv, p, p- >cgi_pid.ptr[ndx]); Program 1. Select the regression input closest to the patch (or partially covering it) 1 1 test 4 test 1 test 4 test 3 test 4 bug test 4 bug test 4 KATCH

52 Symbolic Patch Testing Program Input Patch 2. Greedily drive exploration toward uncovered statements in the patch 1 1 test 4 test 1 test 4 test 3 test 4 bug test 4 bug test 4 KATCH

53 Symbolic Patch Testing Input 3. If stuck, identify the constraints/bytes that disallow execution to reach the patch, and backtrack 1 1 test 4 test 1 test 4 test 3 test 4 bug test 4 bug test 4 KATCH Program Patch

54 Symbolic Patch Testing Input Combines symbolic execution with various program analyses such as weakest preconditions for input selection, and definition switching for backtracking 1 1 test 4 test 1 test 4 test 3 test 4 bug test 4 bug test 4 KATCH Program Patch [ESEC/FSE 2013]

55 55 void log(char input) { int le = open(access.log…); if (input >= && input <= ~) { // printable characters write(le, &input, 1); + } else { + char escinput = escape(input); + write(le, &escinput, 1); + } close(le); } lighttpd r2660: patch modifies log() to escape sensitive characters Greedy Exploration Step

56 56 void log(char input) { int le = open(access.log…); if (input >= && input <= ~) { // printable characters write(le, &input, 1); + } else { + char escinput = escape(input); + write(le, &escinput, 1); + } close(le); } Available input: t (or any printable char) Available input: t (or any printable char) 1.Greedy step: choose the symbolic branch point whose unexplored side is closest to the patch. 2.Explore this side! 1.Greedy step: choose the symbolic branch point whose unexplored side is closest to the patch. 2.Explore this side! Greedy Exploration Step

57 57 void log(char input) { if (input >= && input <= ~) {... } else { +... } if (0 == strcmp(request, GET)... for (char* p = request; *p; p++) log(*p); Available input: GET 1.Backtrack to the last symbolic branch that disallows this side to be executed 2.Explore the other side of that branch 1.Backtrack to the last symbolic branch that disallows this side to be executed 2.Explore the other side of that branch Informed Path Regeneration Greedy step fails! req[2] T

58 enum escape_t escape; void log(char input) { if (escape == ESCAPE_ALL) { +... } opt = getopt_long(argc, argv,...); switch (opt) { case a: escape = ESCAPE_SPACE; break; case b: escape = ESCAPE_ALL;... log(…); Available test: opt = a 1.Find all reaching definitions for the variables involved and try to cover another one. 2.Favors definitions that can be statically shown to satisfy target, or unexecuted definitions 1.Find all reaching definitions for the variables involved and try to cover another one. 2.Favors definitions that can be statically shown to satisfy target, or unexecuted definitions Definition Switching Backtracking step fails! Patch guarded by concrete branch

59 Input Selection Naïve solution: calculate the context-sensitive static distance between the path executed by an input and the patch code if (x < 100) f(x); else if (x > 200) f(x+1); void f(int x) { if (x % 2 == 0) PATCH;... x < 100 x%2 == 0 x > 200 x%2 == 0 x < 100 x%2 == 0 x > 200 x%2 == 0 x = 55 x = 155 1 2

60 Input Selection Naïve solution: calculate the context-sensitive static distance between the path executed by an input and the patch code if (x < 100) f(x); else if (x > 200) f(x+1); void f(int x) { if (x == 999) PATCH;... x < 100 x == 999 x > 200 x == 999 x < 100 x == 999 x > 200 x == 999 x = 55 1 x = 155 2

61 Input Selection: Weakest Preconditions For which basic block in the program, compute a necessary condition for reaching the target. Prune CFG edges which make the target unreachable. if (x < 100) f(x); else if (x > 200) f(x+1); void f(int x) { if (x == 999) PATCH;... x < 100 x == 999 x > 200 x == 999 x = 55 3 x < 100 x == 999 x > 200 x == 999 x = 155 2

62 Example: Lighttpd r2631 62 Powers several popular sites such as YouTube and Wikipedia [SPIN 2012] RevisionELOCCovered ELOC Regression KATCH 26312015 (75%)20 (100%) https://zz.example.com/http://zzz.example.com/ KATCH

63 Lighttpd r2660 63 RevisionELOCCovered ELOC Regression KATCH 2660339 (27%)24 (72%) 165 if (str>ptr[i] >= && str>ptr[i] <= ~) { 166 /* printable chars */ 167 buffer_append_string_len(dest,&str >ptr[i],1); 168 } else switch (str>ptr[i]) { 169 case ": 170 BUFFER_APPEND_STRING_CONST(dest, "\\\""); 171 break; Bug reported and fixed promptly by developers

64 Extended Evaluation (WiP) Key evaluation criteria: no cherry picking! choose all patches for an application over a contiguous time period FindUtils suite (FU) find, xargs, locate 12,648 ELOC125 patches written over ~26 months DiffUtils suite (DU) s/diff, diff3, cmp 55,655 ELOC + 280,000 in libs 175 patches written over ~30 months BinUtils suite (BU) ar, elfedit, nm, etc. 81,933 ELOC + 800,000 in libs 181 patches written over ~16 months [ESEC/FSE 2013]

65 GNU DiffUtils 65 A set of utilities for finding differences between files diff, sdiff, diff3, cmp Mature programs, evolving relatively slowly DiffUtils suite (diff, sdiff, diff3, cmp) All patches (175) written in ~the last 2.5 years (11/09 – 05/12) A total of 166 targets (basic blocks)

66 Patch Coverage (basic block level) TESTUncovered 100%63% 0% FU: TEST 100% 0% BU: Uncovered 18% Standard symbolic execution (30min/BB) only added +1.2% to FU TEST Uncovered 100%35% 0% DU:

67 Patch Coverage (basic block level) TEST + KATCH Un 87%100%63% 0% FU: 10min/BB Standard symbolic execution (30min/BB) only added +1.2% to FU TEST+ KATCH Uncovered 73%100%35% 0% DU: 10min/BB TEST 100%33% 0% BU: +KUncovered 18% 15min/BB

68 DiffUtils: Distribution of minimum distances for the 108 targets 68 Over 50% at distance < 5 Only two targets > 30

69 DiffUtils: Distribution of execution times for successful targets 69 59 targets unreachable within the allowed 10 minutes per patch

70 Binutils Bugs 70 Found 14 distinct crash bugs Unreachable by standard symbolic execution given similar time budget 12 bugs still present in latest version of BU Reported and fixed by developers 10 bugs found in the patch code itself or in code affected by patch code TEST 100%33% 0% BU: +KUncovered 18% 15min/BB

71 Semantic Errors via Crosschecking (Equivalence Checking) Lots of available opportunities as code is: Optimized frequently Refactored frequently Different implementations of the same interface 71 We can find any mismatches in their behavior by: 1.Using symbolic execution to explore multiple paths 2.Comparing the (symbolic) input/output pairs across implementations Unoptimized version Optimized version Symbolic execution engine Mismatches

72 Crosschecking: Advantages Can find semantic errors without the need for specifications! Constraint solving queries can be solved faster Can support constraint types not (efficiently) handled by the underlying solver, e.g., floating-point Many crosschecking queries can be syntactically proven to be equivalent 72

73 1 << 2 * Crosschecking: Advantages Many crosschecking queries can be syntactically proven to be equivalent 73

74 ZeroConf Protocol Enables devices to automatically configure themselves and their services and be discovered without manual intervention Two popular implementations: Avahi (open- source), and Bonjour (open-sourced by Apple) Symbolic execution engine Mismatches Bonjour Avahi [ICCCN 2011]

75 Server Interoperability Bonjour vs. Avahi OffsetHex Values 0000 0010 002000FB000014E9002A0000 00020001 00300000 055F64616170045F7463 004070056C6F63616C00000C0001 003E00004000FF111BB27F000001E000 mDNS specification (§18.11): Multicast DNS messages received with non-zero Response Codes MUST be silently ignored. Avahi ignores this packet, Bonjour does NOT mDNS specification (§18.11): Multicast DNS messages received with non-zero Response Codes MUST be silently ignored. Avahi ignores this packet, Bonjour does NOT 75

76 New Platforms, New Code Recent years have seen the emergence of new computing platforms which provide many opportunities for optimizations Code is often adapted manually to benefit from these platforms 76 Error-prone, as any manual process

77 SIMD Optimizations Most processors offer support for SIMD instructions Can operate on multiple data concurrently Many algorithms can make use of them (e.g., computer vision algorithms) [EuroSys 2011]

78 OpenCV Popular computer vision library from Intel and Willow Garage [Corner detection algorithm] 78 Computer vision algorithms were optimized to make use of SIMD

79 OpenCV Results Crosschecked 51 SIMD-optimized versions against their reference scalar implementations Proved the bounded equivalence of 41 Found mismatches in 10 Most mismatches due to tricky FP-related issues: Precision Rounding Associativity Distributivity NaN values 79

80 OpenCV Results min/max not commutative nor associative! min(a,b) = a < b ? a : b a < b (ordered) always returns false if one of the operands is NaN min(NaN, 5) = 5 min(5, NaN) = NaN min(min(5, NaN), 100) = min(NaN, 100) = 100 min(5, min(NaN, 100)) = min(5, 100) = 5 80

81 Other Crosschecking Studies 81 UNIX utilities: desktop vs. embedded [OSDI 2008] SIMD/GPU Optimizations: Scalar vs. SIMD/GPGPU code [EuroSys 2011, HVC 2011] uDHCPD DHCP servers: reference vs. embedded [WiP]

82 Integrating Crosschecking into Development Process Semantic mismatches not always errors –Underspecified behavior Two (anecdotal) insights: 1.Provide developers the ability to add assumptions eg: –Floating-point associativity holds: A+(B+C) = (A+B)+C –Disregard the difference between 0 - and 0 + : A+0 = A 2.All things being equal, developers prefer to keep the behavior of the reference implementation –Particularly if we can provide some guarantees bounded equivalence 82

83 Automatically reasons about program behavior and the interaction with users and environment Can generate inputs exposing both generic and semantic bugs in complex software Including file systems, library code, utility applications, network servers, device drivers, computer vision code Dynamic Symbolic Execution 83

84 KLEE: Freely Available as Open-Source http://klee.llvm.org Over 250 subscribers to the klee-dev mailing list Extended in many interesting ways by several research groups, in the areas of: wireless sensor networks/distributed systems schedule memoization in multithreaded code automated debugging exploit generation client-behavior verification in online gaming GPU testing and verification etc.

Download ppt "Dynamic Symbolic Execution Cristian Cadar Department of Computing Imperial College London Computer Aided Verification (CAV13) St Petersburg, 15 July 2013."

Similar presentations

ALAK ROY. Assistant Professor Dept. of CSE NIT Agartala

ALAK ROY. Assistant Professor Dept. of CSE NIT Agartala
EE384y: Packet Switch Architectures

EE384y: Packet Switch Architectures
Copyright © 2003 Pearson Education, Inc. Slide 1.

Copyright © 2003 Pearson Education, Inc. Slide 1.
Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.

Chapter 7 Constructors and Other Tools. Copyright © 2006 Pearson Addison-Wesley. All rights reserved. 7-2 Learning Objectives Constructors Definitions.
Sequential Logic Design

Sequential Logic Design
Processes and Operating Systems

Processes and Operating Systems
Copyright © 2013 Elsevier Inc. All rights reserved.

Copyright © 2013 Elsevier Inc. All rights reserved.
Copyright © 2013 Elsevier Inc. All rights reserved.

Copyright © 2013 Elsevier Inc. All rights reserved.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Appendix 01.
Add Governors Discretionary (1G) Grants Chapter 6.

Add Governors Discretionary (1G) Grants Chapter 6.
CALENDAR.

CALENDAR.
Chapter 6 File Systems 6.1 Files 6.2 Directories

Chapter 6 File Systems 6.1 Files 6.2 Directories
1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,

1 Chapter 12 File Management Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design Principles,
1 Automating the Generation of Mutation Tests Mike Papadakis and Nicos Malevris Department of Informatics Athens University of Economics and Business.

1 Automating the Generation of Mutation Tests Mike Papadakis and Nicos Malevris Department of Informatics Athens University of Economics and Business.
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
The 5S numbers game..

The 5S numbers game..
Photo Slideshow Instructions (delete before presenting or this page will show when slideshow loops) 1.Set PowerPoint to work in Outline. View/Normal click.

Photo Slideshow Instructions (delete before presenting or this page will show when slideshow loops) 1.Set PowerPoint to work in Outline. View/Normal click.
A Fractional Order (Proportional and Derivative) Motion Controller Design for A Class of Second-order Systems Center for Self-Organizing Intelligent.

A Fractional Order (Proportional and Derivative) Motion Controller Design for A Class of Second-order Systems Center for Self-Organizing Intelligent.
Break Time Remaining 10:00.

Break Time Remaining 10:00.
The basics for simulations

The basics for simulations

Similar presentations

Ads by Google