an introduction to dynamic symbolic execution and the
play

An Introduction to Dynamic Symbolic Execution and the KLEE - PowerPoint PPT Presentation

Jan 10, 2024 •289 likes •856 views

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

  1. An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018

  2. Dynamic Symbolic Execution • Dynamic symbolic execution is a technique for automatically exploring paths through a program 2

  3. Dynamic Symbolic Execution • Received significant interest in the last few years • Many dynamic symbolic execution/concolic tools available as open-source: – CREST , KLEE , SYMBOLIC JPF , etc. • Started to be adopted by industry: – Microsoft ( SAGE , PEX ) – NASA ( SYMBOLIC JPF , KLEE ) – Fujitsu ( SYMBOLIC JPF , KLEE / KLOVER ) – IBM ( APOLLO ) – etc. 3

  4. Toy Example img = * struct image_t { unsigned short magic; magic ≠ TRUE unsigned short h, sz; return -1 0xEEEE magic ≠ ... 0xEEEE magic = 0xEEEE int main(int argc, char** argv) { ... TRUE h > 1024 h > 1024 return -1 image_t img = read_img(file); if (img.magic != 0xEEEE) h ≤ 1024 return -1; if (img.h > 1024) w = sz / h return -1; w = img.sz / img.h; ... } 4

  5. Toy Example img = * struct image_t { unsigned short magic; TRUE return -1 magic ≠ unsigned short h, sz; AAAA0000… 0xEEEE magic ≠ ... img1.out 0xEEEE magic = 0xEEEE int main(int argc, char** argv) { ... TRUE h > 1024 h > 1024 return -1 EEEE1111… image_t img = read_img(file); if (img.magic != 0xEEEE) img2.out h ≤ 1024 return -1; if (img.h > 1024) Div by TRUE return -1; EEEE0000… h = 0 zero! h = 0 w = img.sz / img.h; img3.out ... h ≠ 0 } EEEE0A00… img4.out w = sz / h 5

  6. All-Value Checks Implicit checks before each dangerous operation All-value checks! • Pointer dereferences • Errors are found if any buggy • Array indexing values exist on that path! { k = * } • Division/modulo operations • Assert statements . . . TRUE FALSE TRUE FALSE int foo(unsigned k) { 0 ≤ k< 4 int a[4] = {3, 1, 0, 4}; 0 ≤ k < 4 ¬ 0 ≤ k < 4 k = k % 4; return a[a[k]]; . . . . . . } Infeasible 6

  7. All-Value Checks Implicit checks before each dangerous operation All-value checks! • Pointer dereferences • Errors are found if any buggy • Array indexing values exist on that path! { k = * } • Division/modulo operations • Assert statements . . . TRUE FALSE TRUE FALSE int foo(unsigned k) { 0 ≤ a[k]< 4 int a[4] = {3, 1, 0, 4}; 0 ≤ a[k] < 4 ¬ 0 ≤ a[k] < 4 k = k % 4; return a[a[k]]; . . . . . . k = 3 } Buffer overflow!

  8. Mixed Concrete/Symbolic Execution All operations that do not depend on the symbolic inputs are (essentially) executed as in the original code Advantages: – Ability to interact with the outside environment • E.g., system calls, uninstrumented libraries – Can partly deal with limitations of constraint solvers • E.g., unsupported theories – Only relevant code executed symbolically • Without the need to extract it explicitly 8

  9. KLEE • Symbolic execution tool started as a successor to EXE • Based on the LLVM compiler, primarily targeting C code • Open-sourced in June 2009, now available on GitHub • Active user base with over 300 subscribers on the mailing list and over 50 contributors listed on GitHub • KLEE workshop this April had >80 people from academia, industry and government, w/ registration closed early Webpage: http://klee.github.io/ Code: https://github.com/klee/ Web version: http://klee.doc.ic.ac.uk/ 9

  10. KLEE • Extensible platform, used and extended by many groups in academia and industry, in the areas such as: • bug finding • high-coverage test input generation • exploit generation • automated debugging • wireless sensor networks/distributed systems • schedule memoization in multithreaded code • client-behavior verification in online gaming • GPU testing and verification, etc. An incomplete list of publications and extensions available at: klee.github.io/Publications.html 10

  11. High Line Coverage (Coreutils, non-lib, 1h/utility = 89 h) Avg/utility KLEE 91% 100% Manual 68% Coverage (ELOC %) 80% 60% 40% 20% 0% 1 12 23 34 45 56 67 78 89 Apps sorted by KLEE coverage [Cadar, Dunbar, Engler OSDI 2008]

  12. Bug Finding with KLEE (incl. EGT/EXE): Focus on Systems and Security Critical Code Applications UNIX utilities Coreutils, Busybox, Minix (over 450 apps) UNIX file systems ext2, ext3, JFS Network servers Bonjour, Avahi, udhcpd, lighttpd, etc. Library code libdwarf, libelf, PCRE, uClibc, etc. Packet filters FreeBSD BPF, Linux BPF MINIX device drivers pci, lance, sb16 Kernel code HiStar kernel Computer vision code OpenCV (filter, remap, resize, etc.) OpenCL code Parboil, Bullet, OP2 • Most bugs fixed promptly 13

  13. Coreutils Commands of Death md5sum -c t1.txt pr -e t2.txt mkdir -Z a b tac -r t3.txt t3.txt paste -d \\ abcdefghijklmnopqrstuvwxyz mkfifo -Z a b ptx -F \\ abcdefghijklmnopqrstuvwxyz mknod -Z a b p seq -f %0 1 ptx x t4.txt printf %d ‘ cut –c3-5,8000000- --output-d: file t1.txt: \ t \ tMD5( t3.txt: \ n t2.txt: \ b \ b \ b \ b \ b \ b \ b \ t t4.txt: A [Cadar, Dunbar, Engler OSDI 2008] [Marinescu, Cadar ICSE 2012]

  14. Packet of Death (Bonjour) Offset Hex Values 0000 0000 0000 0000 0000 0000 0000 0000 0000 003E 0000 4000 FF11 1BB2 7F00 0001 E000 0010 0020 00FB 0000 14E9 002A 0000 0000 0000 0001 0030 0000 0000 0000 055F 6461 6170 045F 7463 0040 7005 6C6F 6361 6C00 000C 0001 • Causes Bonjour to abort, potential DoS attack • Confirmed by Apple, security update released [Song, Cadar, Pietzuch IEEE TSE 2014]

  15. KLEE Architecture L LLVM L C code bitcode V M AAAA0000… EEEE1111… ENVIRONMENT Core Engine EEEE0000… BUG MODELS EEEE0A00… x ³ 0 x = 3 x ¹ 1234 Constraint Solver 16

  16. Running KLEE inside a Docker container Step 1: Install Docker for Linux/MacOS/Windows Step 2: docker pull klee/klee Step 3: docker run --rm -ti --ulimit='stack=-1:-1' klee/klee http://klee.github.io/docker/ 17

  17. KLEE Demo: Toy Image Viewer // #include directives $ clang –emit-llvm -c -g image_viewer.c struct image_t { $ klee --posix-runtime –write-pcs unsigned short magic; image_viewer.bc --sym-files 1 1024 A unsigned short h, sz; // height, size char pixels[1018]; ... }; KLEE: output directory = klee-out-1 int main(int argc, char** argv) { (klee-last) struct image_t img; ... int fd = open(argv[1], O_RDONLY); KLEE: ERROR: ... divide by zero read(fd, &img, 1024); ... if (img.magic != 0xEEEE) KLEE: done: generated tests = 4 return -1; if (img.h > 1024) return -1; unsigned short w = img.sz / img.h; return w; } 18

  18. KLEE Demo: Toy Image Viewer $ cat klee-last/test000003.pc ... array A-data[1024] : w32 -> w8 = symbolic (query [ ... (Eq 61166 (ReadLSB w16 0 A-data)) (Eq 0 (ReadLSB w16 2 A-data)) ... ) 19

  19. KLEE Demo: Toy Image Viewer $ klee-replay --create-files-only klee-last/test000003.ktest [File A created] $ xxd -g 1 -l 10 A 0000000: ee ee 00 00 00 00 00 00 00 00 .......... $ gcc -o image_viewer image_viewer.c [image_viewer created] $ ./image_viewer A Floating point exception 20

  20. KLEE Demo: All-Values Checks int foo(unsigned k) { $ clang –emit-llvm -c -g all-values.c int a[4] = {3, 1, 0, 4}; $ klee all-values.bc k = k % 4; ... return a[a[k]]; KLEE: ERROR: /home/klee/all-values/all- } values.c:4: memory error: out of bound pointer ... int main() { KLEE: done: completed paths = 2 int k; KLEE: done: generated tests = 2 klee_make_symbolic(&k, sizeof(k), "k"); return foo(k); } 21

  21. KLEE Architecture L LLVM L C code bitcode V M AAAA0000… EEEE1111… ENVIRONMENT Core Engine EEEE0000… BUG MODELS EEEE0A00… x ³ 0 x = 3 x ¹ 1234 Constraint Solver 22

  22. L KLEE Architecture: L V M LLVM advantages: • Mature framework, incorporated into commercial products by Apple, Google, Intel, etc. • Elegant design patterns: analysis passes, visitors, etc. • Single Static-Assignment (SSA) form with infinite registers (nice fit for symbolic execution) • Lots of useful program analyses • Well documented • Several different front-ends, so KLEE could be extended to work with languages other than C 23

  23. L KLEE Architecture: L V M LLVM disadvantages • Fast changing, not-backward compatible API! • KLEE is currently many LLVM versions behind! • Compiling to LLVM bitcode still tricky sometimes, but it’s getting better: • make CC=“clang –emit-llvm” • LLVM Gold Plugin http://llvm.org/docs/GoldPlugin.html • Whole-Program LLVM https://github.com/travitch/whole-program-llvm 24

  24. L KLEE Architecture: L V M KLEE runs LLVM, not C code! #include <stdio.h> $ clang –emit-llvm -c -g code.c int main () { $ klee code.bc int x; klee_make_symbolic(&x, sizeof (x), "x"); ... x if (x > 0) printf("x\n"); KLEE: done: total instructions = 6 else printf("x\n"); KLEE: done: completed paths = 1 KLEE: done: generated tests = 1 return 0; } 25

  25. KLEE Architecture: Core Engine The core engine implements symbolic execution exploration. … Interpreter … Memory Core Engine Stats … Searchers … 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

Outline Introduction Dynamic Symbolic Execution Binsec/SE Demo CEA - - 2/11 Introduction The

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis Robin David S ebastien Bardin Thanh Dinh Ta Josselin Feist Laurent Mounier Marie-Laure Potet Jean-Yves Marion SANER 2016, Osaka, Japan, March 16th Outline

467 views • 22 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Practical Dynamic Symbolic Execution of Standalone JavaScript Johannes Kinder Royal Holloway,

Practical Dynamic Symbolic Execution of Standalone JavaScript Johannes Kinder Royal Holloway,

Practical Dynamic Symbolic Execution of Standalone JavaScript Johannes Kinder Royal Holloway, University of London Joint work with Blake Loring and Duncan Mitchell Mission Statement Help find bugs in Node.js applications and libraries

360 views • 19 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab

DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab

Seminar in Software Engineering DySy Dynamic Symbolic Execution for Invariant Inference April 28th 2009 Lukas Schwab lschwab@student.ethz.ch The authors Christoph Csallner - College of Computing, Georgia Tech Nikolai Tillmann -

750 views • 25 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y.

DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y.

DySy: Dynamic Symbolic Execution for Invariant Inference C. Csallner N. Tillmann Y. Smaragdakis Marc Egg Invariant Inference Object top() { if(Empty) return null; return theArray[topOfStack]; } Invariant Inference Tool

465 views • 20 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
@RootCauseCo @RootCauseCoalition company/root-cause-coalition/ How to Design a Multifaceted CBO

@RootCauseCo @RootCauseCoalition company/root-cause-coalition/ How to Design a Multifaceted CBO

@RootCauseCo @RootCauseCoalition company/root-cause-coalition/ How to Design a Multifaceted CBO Capacity Building Initiative to Meet the Rising Demand for Social FEBRUARY 24 TH , 2020 Services Shirin Vakharia, MA Marin Community Foundation

621 views • 32 slides
ICANNs NEW gTLD PROGRAM: Could Africa Have Participated More? By Katim S. Touray

ICANNs NEW gTLD PROGRAM: Could Africa Have Participated More? By Katim S. Touray

ICANNs NEW gTLD PROGRAM: Could Africa Have Participated More? By Katim S. Touray (kstouray@gmail.com) International Development Consultant, and former ICANN Board Member Presented at the AfriNIC 17 Meeting Khartoum, Sudan, November 24-29,

190 views • 16 slides
Exiting the Eurozone Crisis Advantage Financial Conference Milan, May 12, 2013 Prof. Harald

Exiting the Eurozone Crisis Advantage Financial Conference Milan, May 12, 2013 Prof. Harald

Exiting the Eurozone Crisis Advantage Financial Conference Milan, May 12, 2013 Prof. Harald Uhlig University of Chicago Department of Economics Three Problems 1. Unemployment 2. Debt 3. Banks but there is an even bigger problem. 25.0

299 views • 13 slides
Google Web Toolkit Stephen Bilston Stuart Johnson Eric Fath-Kolmes Ai Ci Lin Andrew Nisbet

Google Web Toolkit Stephen Bilston Stuart Johnson Eric Fath-Kolmes Ai Ci Lin Andrew Nisbet

Google Web Toolkit Stephen Bilston Stuart Johnson Eric Fath-Kolmes Ai Ci Lin Andrew Nisbet Presentation Goals What is GWT? An overview of GWT's features. When should I use GWT? Who's using it? Finally what you can do with it? What are

279 views • 25 slides
THE CLOSED CIRCLE THE CLOSED CIRCLE REFRACTORIES REFRACTORIES SUPPLIED D D I I E N M S

THE CLOSED CIRCLE THE CLOSED CIRCLE REFRACTORIES REFRACTORIES SUPPLIED D D I I E N M S

R E ADJUST STOCKHOLDING R E ADJUST STOCKHOLDING E QUIPMENT FOR INSTALLATION INSTALLATION F AILURE ANALYSIS R ESPONSIBLE MANAGEMENT A LTERATIONS TO STEELWORK C HECK INCOMING MATERIALS T OTAL COST STRUCTURE O PERATIONAL VARIABLES R E-EXAMINE

527 views • 15 slides
I O N I A 1.1 Media (land of the Medes), Persia (land of the Persians), Phoenicia, Persian

I O N I A 1.1 Media (land of the Medes), Persia (land of the Persians), Phoenicia, Persian

I O N I A 1.1 Media (land of the Medes), Persia (land of the Persians), Phoenicia, Persian Gulf (=&quot;Red Sea&quot;), Egypt, Argos, Crete, Tyre, Colchis, Troy LYDIA I O N I A Corinth Miletus 1.2 Lydia, the river Halys, Delphi,

296 views • 11 slides
Sara Swenson St. Olaf College, Northfield, MN Odele

Sara Swenson St. Olaf College, Northfield, MN Odele

Sara Swenson St. Olaf College, Northfield, MN Odele Coddington, Martin Snow Laboratory for Atmospheric and Space Physics, Boulder, CO Outline What is the Mg

410 views • 20 slides
Optical Pumping Simulations of Copper and Magnesium Isotopes Julie Hammond Boston University

Optical Pumping Simulations of Copper and Magnesium Isotopes Julie Hammond Boston University

Optical Pumping Simulations of Copper and Magnesium Isotopes Julie Hammond Boston University ISOLDE CERN 11.5.14 31Mg s1/2 to p1/2 (Asymmetry factor in red; other lines correspond to populations.) 31Mg S 1/2 to P 1/2 negatively circularly

408 views • 14 slides

More recommend