CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

Slides:

Advertisements

Similar presentations

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Advertisements

KLEE: Effective Testing of Systems Programs

1 Symbolic Execution Kevin Wallace, CSE

A Survey of Approaches for Automated Unit Testing

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

1 Lecture 3: MIPS Instruction Set Today’s topic:  More MIPS instructions  Procedure call/return Reminder: Assignment 1 is on the class web-page (due.

P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.

Symbolic Execution with Mixed Concrete-Symbolic Solving

Intermediate Code Generation

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

ECE 454 Computer Systems Programming Compiler and Optimization (I) Ding Yuan ECE Dept., University of Toronto

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

Symbolic execution © Marcelo d’Amorim 2010.

OS Fall’02 Virtual Memory Operating Systems Fall 2002.

Limits on ILP. Achieving Parallelism Techniques – Scoreboarding / Tomasulo’s Algorithm – Pipelining – Speculation – Branch Prediction But how much more.

CPSC Compiler Tutorial 8 Code Generator (unoptimized)

Automatic Generation of Inputs of Death and High-Coverage Tests Presented by Yoni Leibowitz EXE & KLEE.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

Intermediate code generation. Code Generation Create linear representation of program Result can be machine code, assembly code, code for an abstract.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Dynamic Test Generation To Find Integer Bugs in x86 Binary Linux Programs David Molnar Xue Cong Li David Wagner.

CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.

DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Automatic Generation of Inputs of Death and High-Coverage Tests Presented by Yoni Leibowitz EXE & KLEE.

MIPS coding. SPIM Some links can be found such as:

DEPARTMENT OF COMPUTER SCIENCE & TECHNOLOGY FACULTY OF SCIENCE & TECHNOLOGY UNIVERSITY OF UWA WELLASSA 1 CST 221 OBJECT ORIENTED PROGRAMMING(OOP) ( 2 CREDITS.

1 Introduction to JVM Based on material produced by Bill Venners.

Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley

The Daikon system for dynamic detection of likely invariants MIT Computer Science and Artificial Intelligence Lab. 16 January 2007 Presented by Chervet.

1 CS 201 Compiler Construction Introduction. 2 Instructor Information Rajiv Gupta Office: WCH Room Tel: (951) Office.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Symbolic Execution.

Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.

Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.

EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.

Lecture Topics: 11/24 Sharing Pages Demand Paging (and alternative) Page Replacement –optimal algorithm –implementable algorithms.

Department of Computer Science and Software Engineering

Processes and Virtual Memory

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.

CS307 Operating Systems Virtual Memory Fan Wu Department of Computer Science and Engineering Shanghai Jiao Tong University Spring 2012.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi State merging, Concolic Execution.

SOFTWARE TESTING. Introduction Software Testing is the process of executing a program or system with the intent of finding errors. It involves any activity.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Relaxed Memory Effects and its Verification.

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,

Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.

Random Test Generation of Unit Tests: Randoop Experience

Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

RealTimeSystems Lab Jong-Koo, Lim

SOFTWARE TESTING LECTURE 9. OBSERVATIONS ABOUT TESTING “ Testing is the process of executing a program with the intention of finding errors. ” – Myers.

Software Dataplane Verification Mihai Dobrescu and Katerina Argyraki EPFL, Switzerland Awarded Best NSDI, 2014 Presented by YH.

Symbolic Execution Suman Jana

RDE: Replay DEbugging for Diagnosing Production Site Failures

White-Box Testing Using Pex

Optimizing Malloc and Free

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Automatic Test Generation SymCrete

CUTE: A Concolic Unit Testing Engine for C

Presentation transcript:

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE

Acknowledgement C. Cadar, D. Dunbar, D. Engler: KLEE, OSDI’08 Godefroid, Klarlund, Sen: DART, PLDI ‘05 Sen, Markov, Agha: CUTE, FSE’05

Three Concerns Path explosion Handling the environment Hard constraints

KLEE: Architecture Hybrid between OS for sym proc and interpreter Each Sym proc has a register file, stack, heap, program counter and path condition – register file, stack, heap are expressions here Sym process represented as a state in KLEE

KLEE Architecture LLVM bytecode K L E E SYMBOLIC ENVIRONMENT Constraint Solver (STP) x = 3 x = -2 x = 1234 x = 3 C code x  0 x  1234 LLVMLLVM

KLEE: Architecture Program is converted to LLVM bytecode KLEE interprets bytecode directly and maps to constraints – w/o approximation – bit level accuracy

KLEE: Architecture Before building sym expr, check if operands are concrete – if so, perform them natively! example: %dst = add i32 %src0, %src1

KLEE: Architecture Conditional branches: – boolean expr – change instruction pointer whether provably true or false along the current path – if both are feasible then clone states and accordingly change respective instruction pointers

KLEE: Architecture Potentially dangerous instructions – act as branches ex. division instruction generates a branch to check div-by- zero if error is generated then constraint falsified and alternated path is explored test case generated to trigger the error and terminates the state. Some dangerous operations: – ld/st – out of bound checks – pointer dereference – assertions, etc.

KLEE: Architecture Problem with ld/st – Modeling memory! – if flat byte array then solvers never return – every memory object as a separate solver array essentially segmented memory ignores all other locations not reference by the ld/st

KLEE: Architecture Problem with pointers – KLEE clones the state N times at pointer dereference – a pointer can have a large points-to set – in-bounds check for respective points-to object – This solution is expensive – Works for KLEE as their benchmarks had pointers with singleton points-to sets.

Compact State Representation Implements copy-on-write at the object level – rather than at the page level Heaps as immutable maps – therefore portions of heap can also be shared among states

Query Optimization Queries are NP-complete Expression re-writing: – x + 0 = x – x* 2^n = x<<n – 2*x – x = x

Query Optimization Constraint Simplification: – x True ∧ x = 5 propagate equality constraints Implied value concretization – x = 5 makes x concrete and written to memory – subsequent accesses returns cheap constants

Query Optimization Constraint Independence – Constraints do not overlap in terms of memory they refer Eg: i 0 Query: i = 20? – remove irrelevant subset of constraints

Query Optimization Counterexample Caching – Redundant queries are frequent – simple cache is effective – counterexample cache: maps set of constraints to counter-examples sentinels if there is no solution

Query Optimization Counterexample Caching Eg: {i < 10, i = 10} – no solution – If subset has no solution then larger set they appear in has also no solution Eg: {i < 10, j = 8} – If superset has a solution then so does the subset

Effectiveness of Optimizations

State Scheduling Random path selection – helps avoid starvation when loops creating fork- bombs Coverage-optimized search – heuristics to compute weight of each node min dist to the uncovered node – choose states with higher probability to explore uncovered code Round robin among the first two !

Environment Modeling If all arguments concrete, execute natively Otherwise, provide models on symbolic files int fd = open(“t.txt”, O_RDONLY);

Concolic Execution Works well on interprocedural bugs, use of library calls

Concolic Execution Falls back on concrete values when – Non linear arithmetic – pointers pointing to input values

Concolic execution with dynamic data Static alias analysis is required! -- since no way to know whether a->c is overwritten.

Nonlinear arithmetic