CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST

CREST Yunho Kim Provable SW Lab 2/20 CREST is a concolic testing tool for C programs – Generate test inputs automatically – Execute target under test on generated test inputs – Explore all possible execution paths of a target systematically CREST is a open-source re-implementation of CUTE – mainly written in C++ CREST’s instrumentation is implemented as a module of CIL(C Intermetiate Language) written in Ocaml

Overview of CREST code Yunho Kim Provable SW Lab C source code Instrumented code CIL GCC yicesrun_crest cil/src/ext/crestInstrument.ml src/libcrest/crest.cc src/base/symbolic_interpreter.cc src/base/symbolic_execution.cc src/base/symbolic_expression.cc src/base/symbolic_path.cc src/base/symbolic_predicate.cc CREST symbolic execution library src/run_crest/run_crest.cc src/run_crest/concolic_search.cc src/base/yices_solver.cc src/base/symbolic_execution.cc src/base/symbolic_expression.cc src/base/symbolic_path.cc src/base/symbolic_predicate.cc src/base/basic_types.cc constraint next input Source code External tool CREST Legend 3/20 EXT

Directory Structure Yunho Kim Provable SW Lab 4/20 src/ base/ libcrest/ process_cfg/ run_crest/ tools/ cil/src/ext/crestInstrument.ml – A CIL module for instrumentation : Base libraries for symbolic execution : Probe code for collecting symbolic states : CFG generator for CFG-based search heuristic : Main function of run_crest and search algorithms : A tool for printing execution path from szd_execution

CREST Code Metrics Yunho Kim Provable SW Lab 5/20 NameValue # of files.h9.cc12 Total21 # of lines Code2,210 Others1,595 Total3,805 # of classes14 # of functions147

Symbolic Execution Component Yunho Kim Provable SW Lab 6/20 Symbolic execution component collects symbolic states during concrete execution and manages symbolic execution paths Related files FileContent src/libcrest/crest.ccProbe functions inserted into instrumented target src/base/symbolic_interpreter.ccMain symbolic execution engine for CREST src/base/symbolic_execution.ccA class for a symbolic execution which consists of symbolic path and inputs src/base/symbolic_path.ccA class for a symbolic path which is a sequence of symbolic predicates at taken branches src/base/symbolic_predicate.ccA class for a symbolic predicate which consists of a symbolic expression and a comparator src/base/symbolic_expression.ccA class for a symbolic expression

Symbolic Interpreter Yunho Kim Provable SW Lab 7/20 Symbolic interpreter performs dynamic symbolic execution during execution of a target program Symbolic interpreter implements a symbolic machine which has stack-architecture 4 types of statements – Symbolic variable initialization – Assignments – Applying operators – Branches

Symbolic Machine Yunho Kim Provable SW Lab 8/20 Symbolic machine has a symbolic stack, symbolic memory and a symbolic predicate register – Symbolic memory stores symbolic expressions – Symbolic stack element: – If the top of the stack is a predicate, the predicate is stored in the symbolic predicate register Address Symbolic expression Symbolic memorySymbolic stack Symbolic predicate register

Example Revisited Yunho Kim Provable SW Lab 9/20 1 #include 2 main() { 3 int a,b,c, match=0; 4 CREST_int(a); \ CREST_int(b); \ CREST_int(c); 5~9 … omitted… 10 if(a==b) match=match+1; 10~32 … omitted … 33 } int a, b, c; #line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c); … omitted … #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long )(& a), (long long )a); __CrestLoad(35, (unsigned long )(& b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { //extern void __CrestBranch(int id, int bid, unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long long )matc h); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; } else { __CrestBranch(38, 12, 0); } }

Symbolic Variable Initialization Yunho Kim Provable SW Lab 10/20 Creates a symbolic memory element in symbolic memory – A concrete address of a variable is used as a symbolic address Suppose that we start with the input a = b = c = 0; Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack Symbolic variable initialization int a, b, c; #line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c); Symbolic predicate register

Symbolic Compare Operator(1/4) Yunho Kim Provable SW Lab 11/20 Symbolic compare operator is used for a branch condition and results in a symbolic predicate – The predicate is store in a symbolic predicate register Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register Symbolic PC

Symbolic Compare Operator(2/4) Yunho Kim Provable SW Lab 12/20 __CrestLoad(int id, unsigned long *ptr, long long val) function loads a symbolic expression which ptr points to and pushes to the stack – If *ptr is a concrete variable, the function pushes to the stack Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register Symbolic PC

Symbolic Compare Operator(3/4) Yunho Kim Provable SW Lab 13/20 Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate registerSymbolic PC

Symbolic Compare Operator(4/4) Yunho Kim Provable SW Lab 14/20 __CrestApply2(int ID, int op_type, long long val) 1. pops two elements from the stack, 2. applies a binary operator corresponding to op_type to the popped elements, 3. pushes a result to the stack if the result is not a predicate – A predicate is stored in the register Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) {//extern void __CrestBranch(int id, int bid, unsigned char b ) __CrestBranch(37, 11, 1); Symbolic predicate register Symbolic PC

Symbolic Branch(1/2) Yunho Kim Provable SW Lab 15/20 Whenever a branch statement is executed, CREST stores which branch is taken by calling __CrestBranch() function. Address Symbolic expression &aa &bb &cc Symbolic memorySymbolic stack #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { //extern void __CrestBranch(int id, int bid, unsigned char b ) __CrestBranch(37, 11, 1); Symbolic predicate register Symbolic PC

Symbolic Branch(2/2) Yunho Kim Provable SW Lab 16/20 Symbolic path is a sequence of __CrestBranch(int id, int bid, unsigned char b) function appends a new element to the current symbolic path – Symbolic pred comes from the register – If b == 0, negated predicate is appended Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack if (a == b) { //extern void __CrestBranch(int id, int bid, unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long long )match); Symbolic predicate register Symbolic PC Symbolic path:

Symbolic Arithmetic Operator (1/2) Yunho Kim Provable SW Lab 17/20 Symbolic arithmetic operator is similar to symbolic compare operator – Pops operands from the stack, applies operator to the operands, and pushes the result to the stack Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack if (a == b) { __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long long )match); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; Symbolic predicate register Symbolic PC Symbolic path:

Symbolic Arithmetic Operator (2/2) Yunho Kim Provable SW Lab 18/20 If at least one of operands is symbolic, the result is also symbolic – Otherwise, the result is concrete Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack if (a == b) { __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long long )match); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; Symbolic predicate register Symbolic PC Symbolic path:

Symbolic Assignment (1/1) Yunho Kim Provable SW Lab 19/20 __CrestStore(int id, unsigned long *ptr) function pops one element from the stack and update symbolic memory – If the popped element is concrete, just ignore it – If the element is symbolic If ptr has an entry in symbolic memory, the corresponding symbolic expression is updated Otherwise, a new entry is added to symbolic memory Address Symbolic expression &aa &bb &cc Symbolic memory Symbolic stack __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; Symbolic predicate register Symbolic PC Symbolic path:

Conclusion Yunho Kim Provable SW Lab 20/20 CREST does not support full ANSI-C semantics – No symbolic pointer dereference – Only linear integer arithmetic – No bit-wise operator – And so on To support them, we need to improve CREST’s dynamic symbolic interpreter engine I hope this presentation will be a good starting point