Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.

Published byPhilippa Perry Modified over 8 years ago

Similar presentations

Presentation on theme: "Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261."— Presentation transcript:

1 Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261

2 Reading for this lecture Symbolic execution and program testing - James King Symbolic execution and program testing KLEE: Unassisted and Automatic Generation of High- Coverage Tests for Complex Systems Programs - Cadar et. al. KLEE: Unassisted and Automatic Generation of High- Coverage Tests for Complex Systems Programs Symbolic Execution for Software Testing: Three Decades Later - Cadar and Sen Symbolic Execution for Software Testing: Three Decades Later A Few Billion Lines of Code Later Using Static Analysis to Find Bugs in the Real World - Engler et. al. A Few Billion Lines of Code Later Using Static Analysis to Find Bugs in the Real World DART: Directed Automated Random Testing - Godefroid et. al. DART: Directed Automated Random Testing CUTE: A Concolic Unit Testing Engine for C - Sen et. al. CUTE: A Concolic Unit Testing Engine for C 10/7/2015Information Security2

3 What is the goal? 10/7/2015Information Security3

4 Testing Majority of the testing approaches are manual Time consuming process Error-prone Incomplete Depends on the quality of the test cases or inputs Provides little in terms of coverage 10/7/2015Information Security4

5 Obvious Questions? 10/7/2015Information Security5 Can we do better in terms of test generation? Can we some how make it automatic? Yes, we can.

6 Background: SAT 10/7/2015Information Security6 SATisfying assignment! Given a propositional formula in CNF, find if there exists an assignment to Boolean variables that makes the formula true:  1 = (b c)  2 = (  a  d)  3 = (  b d)  =  1  2  3 A = {a=0, b=1, c=0, d=1}  1 = (b c)  2 = (  a  d)  3 = (  b d)  =  1  2  3 A = {a=0, b=1, c=0, d=1} clauses literals

7 Background: SMT SMT: Satisfiability Modulo Theories Input: a first-order formula  over background theory Output: is  satisfiable? does  have a model? Is there a refutation of  = proof of  ? For most SMT solvers:  is a ground formula Background theories: Arithmetic, Arrays, Bit-vectors, Algebraic Datatypes Most SMT solvers support simple first-order sorts 10/7/2015Information Security7

8 Background: SMT b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) 10/7/2015Information Security8 Array Theory Arithmetic Uninterpreted Function

9 Example SMT Solving b + 2 = c and f(read(write(a,b,3), c-2)) ≠ f(c-b+1) [Substituting c by b+2] b + 2 = c and f(read(write(a,b,3), b+2-2)) ≠ f(b+2- b+1) [Arithmetic simplification] b + 2 = c and f(read(write(a,b,3), b)) ≠ f(3) [Applying array theory axiom– forall a,i,v:read(write(a,i,v), i) = v] b+2 = c and f(3) ≠ f(3) [NOT SATISFIABLE] 10/7/2015Information Security9

10 Program Validation Approaches 10/7/2015Information Security10 Cost (programmer effort, time, expertise) Confidence Static Analysis Verification Extended Static Analysis Symbolic Execution Concolic Execution & White-box Fuzzing Ad-hoc testing

11 Automatic Test Generation Symbolic & Concolic Execution How do we automatically generate test inputs that induce the program to go in different paths? Intuition: Divide the whole possible input space of the program into equivalent classes of input. For each equivalence class, all inputs in that equivalence class will induce the same program path. Test one input from each equivalence class. 10/7/2015Information Security11

12 Symbolic Execution --- History 1976: A system to generate test data and symbolically execute programs (Lori Clarke) 1976: Symbolic execution and program testing (James King) 2005-present: practical symbolic execution Using SMT solvers Heuristics to control exponential explosion Heap modeling and reasoning about pointers Environment modeling Dealing with solver limitations 10/7/2015Information Security12

13 Symbolic Execution (contd.) 10/7/2015Information Security13 Void func(int x, int y){ int z = 2 * y; if(z == x){ if (x > y + 10) ERROR } int main(){ int x = sym_input(); int y = sym_input(); func(x, y); return 0; } Symbolic Execution Engine SMT solver Path constraint Satisfying Assignment High coverage test inputs Symbolic Execution

14 Symbolic Execution --- Description Execute the program with symbolic valued inputs (Goal: good path coverage) Represents equivalence class of inputs with first order logic formulas (path constraints) One path constraint abstractly represent all inputs that induces the program execution to go down a specific path Solve the path constraint to obtain one representative input that exercises the program to go down that specific path 10/7/2015Information Security14

15 More details on Symbolic Execution Instead of concrete state, the program maintains symbolic states, each of which maps variables to symbolic values Path condition is a quantifier-free formula over the symbolic inputs that encodes all branch decisions taken so far All paths in the program form its execution tree, in which some paths are feasible and some are infeasible 10/7/2015Information Security15

16 Symbolic Execution (contd.) 10/7/2015Information Security16 Void func(int x, int y){ int z = 2 * y; if(z == x){ if (x > y + 10) ERROR } int main(){ int x = sym_input(); int y = sym_input(); func(x, y); return 0; } x = a = 0 y = b = 1 2b != a2b == a 2b == a && a <= b + 10 2b == a && a > b + 10 func(x = a, y = b) x = a = 2 y = b = 1 x = a = 30 y = b =15 ERROR Path constraint z = 2b Note: Require inputs to be marked as symbolic Generated Test inputs for this path How does symbolic execution work?

17 Symbolic Execution (contd.) 10/7/2015Information Security17 x = a = 0 y = b = 1 2b != a2b == a 2b == a && a <= b + 10 2b == a && a > b + 10 func(x = a, y = b) x = a = 2 y = b = 1 x = a = 30 y = b =15 ERROR z = 2b How does symbolic execution work? x = a = 0 y = b = 1 x = a = 2 y = b = 3 x = a = 5 y = b = 4 ……………… ……………… x = a = 2 y = b = 1 x = a = 4 y = b = 2 x = a = -6 y = b = -3 x = a = 40 y = b = 20 x = a = 30 y = b = 15 x = a = 48 y = b = 24 ……………… Path constraints represent equivalence classes of inputs

18 SMT Queries Counterexample queries (generate a test case) Branch queries (whether a branch is valid) 10/7/2015Information Security18 If K Path Constraints = {C 1, C 2, …, C n }; SAT then else Use queries to determine validity of a branch else path is impossible: C 1 ∧ C 2 ∧ … ∧ C n ∧ ¬K is UNSAT then path is impossible: C 1 ∧ C 2 ∧ … ∧ C n ∧ K is UNSAT

19 Optimizing SMT Queries Expression rewriting Simple arithmetic simplifications (x * 0 = 0) Strength reduction (x * 2 n = x << n) Linear simplification (2 * x - x = x) Constraint set simplification x x = 5 Implied Value Concretization x + 1 = 10 --> x = 9 Constraint Independence i 0; new constraint i = 20 10/7/2015Information Security19

20 Optimizing SMT Queries (contd.) Counter-example Cache i < 10 && i = 10 (no solution) i < 10 && j = 8 (satisfiable, with variable assignments i → 5, j → 8) Superset of unsatisfiable constraints {i < 10, i = 10, j = 12} (unsatisfiable) Subset of satisfiable constraints i → 5, j → 8, satisfies i < 10 Superset of satisfiable constraints Same variable assignments might works 10/7/2015Information Security20

21 How does Symbolic Execution Find bugs? It is possible to extend symbolic execution to help us catch bugs How: Dedicated checkers Divide by zero example --- y = x / z where x and z are symbolic variables and assume current PC is f Even though we only fork in branches we will now fork in the division operator One branch in which z = 0 and another where z !=0 We will get two paths with the following constraints: z = 0 && f, z != 0 && f Solving the constraint z = 0 && f will give us concrete input values that will trigger the divide by zero error. 10/7/2015Information Security21 Write a dedicated checker for each kind of bug (e.g., buffer overflow, integer overflow, integer underflow)

22 Classic Symbolic Execution --- Practical Issues Loops and recursions --- infinite execution tree Path explosion --- exponentially many paths Heap modeling --- symbolic data structures and pointers SMT solver limitations --- dealing with complex path constraints Environment modeling --- dealing with native / system/library calls/file operations/network events 10/7/2015Information Security22

23 Classic Symbolic Execution --- Practical Issues (possible solutions) Infinite execution tree Finitize paths by limiting the PC size (bounded verification) Use loop invariants (verification) Path explosion Select next branch at random Select next branch based on coverage Interleave symbolic execution with random testing Heap modeling Segmented address space via the theory of arrays (Klee) Lazy concretization (JPF) Concolic lazy concretization (CUTE) 10/7/2015Information Security23 Path Constraints

24 Classic Symbolic Execution --- Practical Issues (possible solutions) SMT solver limitations On-the-fly expression simplification Incremental solving Solution caching Counterexample caching Substituting concrete values for symbolic in complex PCs (CUTE) Environment modeling Partial state concretization Manual models of the environment (Klee) 10/7/2015Information Security24

25 Symbolic Execution Coverage Problem 10/7/2015Information Security25 Symbolic execution may not reach deep into the execution tree. Specially when encountering loops.

26 Solution: Concolic Execution Concolic = Concrete + Symbolic Sometimes called dynamic symbolic execution The intention is to visit deep into the program execution tree Program is simultaneously executed with concrete and symbolic inputs Start off the execution with a random input Specially useful in cases of remote procedure call 10/7/2015Information Security26

27 Concolic Execution Steps Generate a random seed input to start execution Concretely execute the program with the random seed input and collect the path constraint Example: a && b && c In the next iteration, negate the last conjunct to obtain the constraint a && b && !c Solve it to get input to the path which matches all the branch decisions except the last one 10/7/2015Information Security27 Why not from the first?

28 Concolic Execution 10/7/2015Information Security28 Void func(int x, int y){ int z = 2 * y; if(z == x){ if (x > y + 10) ERROR } int main(){ int x = input(); int y = input(); func(x, y); return 0; } 2b != a 2b == a 2b == a && a <= b + 10 2b == a && a > b + 10 func(x = a, y = b) x = a = 30 y = b =15 ERROR Path constraint z = 2b x = 2, y = 1 Random seed

29 Acknowledgement Some of the content are derived from the slides of Endadul Haque, Emina Torlak, Nikolaj Bjørner, Bruno Dutertre, and Leonardo de Moura 10/7/2015Information Security29

Download ppt "Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261."

Similar presentations

Exploiting SAT solvers in unbounded model checking

Exploiting SAT solvers in unbounded model checking
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Amal Khalil & Juergen Dingel

Amal Khalil & Juergen Dingel
50.530: Software Engineering

50.530: Software Engineering
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
Satisfiability Modulo Theories (An introduction)

Satisfiability Modulo Theories (An introduction)
SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀

SMT Solvers (an extension of SAT) Kenneth Roe. Slide thanks to C. Barrett & S. A. Seshia, ICCAD 2009 Tutorial 2 Boolean Satisfiability (SAT) ⋁ ⋀ ¬ ⋁ ⋀
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Proofs from SAT Solvers Yeting Ge ACSys NYU Nov 20 2007.

Proofs from SAT Solvers Yeting Ge ACSys NYU Nov
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Symbolic execution © Marcelo d’Amorim 2010.

Symbolic execution © Marcelo d’Amorim 2010.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.

Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Leonardo de Moura and Nikolaj Bjørner Microsoft Research.

Similar presentations

Ads by Google