automatic testing of symbolic execution engines via
play

Automatic Testing of Symbolic Execution Engines via Program - PowerPoint PPT Presentation

Oct 24, 2022 •611 likes •1.08k views

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x > 2294967295) { assert(false); } printf("x:

  1. Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London

  2. if (x > 2294967295) { assert(false); } printf("x: %u\n", x); 2

  3. Symbolic execution ● Used in industry: ○ IntelliTest ○ SAGE ○ KLOVER ○ SPF ○ Apollo ● Active research field 3

  4. Symbolic execution 1 unsigned int x = 5; 2 int main() { 3 if (x > 2294967295) { 4 assert(false); 5 } 6 printf("x: %u\n",x); 7 } 4

  5. Symbolic execution x = * 1 unsigned int x = 5; 2 int main() { TRUE FALSE x > 2294967295 3 make_symbolic(&x); 4 if (x > 2294967295) { 5 assert(false); x ≤ 2294967295 x > 2294967295 6 } 7 printf("x: %u\n",x); assert(false); printf("x: %d", x); 8 } Assertion x: 2 5 fail

  6. Symbolic executors ● Many available open source ● Complex pieces of software ○ Accurate interpreter or precise instrumentation ○ Accurate constraint solving ○ Constraint gathering ○ Scheduling Angr ○ Effective optimizations such as caching, fast solving, etc. 6

  7. Symbolic executors ● Many available open source ● Complex pieces of software ○ Accurate interpreter or precise instrumentation ○ Accurate constraint solving ○ Constraint gathering ○ Scheduling Angr ○ Effective optimizations such as caching, fast solving, etc. 7

  8. Bugs in symbolic executors 1 unsigned int x = 5; ● Particularly bad 2 int main() { ● Lead to false sense of security 3 make_symbolic(&x); ● Examples: 4 if(x > 2294967295) { ○ Missing a branch 5 assert(false); ○ Exploring spurious branches 6 } 7 printf("x: %u\n",x); 8 } 8

  9. Differential testing of symbolic execution Randomly generated program Compile Compile Execute Symbolically execute Compare 9

  10. Testing symbolic executors ● Compare two executions (native/symbolic) in 3 different modes: ○ Concrete - tests interpretation/instrumentation ○ Single Path - tests constraint gathering and solving ○ Multi Path - tests scheduling, test case generation 10

  11. Concrete mode x: 5 1 unsigned int x = 5; 2 int main() { 3 if (x > 2294967295) { 4 assert(false); 5 } 6 printf("x: %u\n",x); 7 } x: 343 11

  12. Single-Path mode 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); 7 } 8 printf("x: %u\n",x); 9 } Assertion fail 12

  13. Single-Path mode: Constrainers 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); if(x < 5) silent_exit(0); 7 } 8 printf("x: %u\n",x); if(x > 5) silent_exit(0); 9 } Assertion fail 13

  14. Single-Path mode: Constrainers 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); 7 } if(x != 5) silent_exit(0); 8 printf("x: %u\n",x); 9 } Assertion fail 14

  15. Multi-Path mode Test case: Test case: 1 unsigned int x = 5; x = 7 x = 23 2 int main() { 3 make_symbolic(&x); 4 if(x > 2294967295) { 5 assert(false); 6 } 7 printf("x: %u\n",x); 8 } x: 7 x: 7 x: 23 x: 23 15 MATCH!

  16. Multi-Path mode int x = 5; Test case: Test case: x = -7 x = 23 void main() { make_symbolic(&x); if(x < 0) printf("x: %d", -x); else printf("x: %d", x); } x: 7 x: 7 x: 23 x: -23 16

  17. Testing symbolic executors ● Built a pipeline ● Run experiments in batches ● Avoid bugs found in previous batches 17

  18. Instrumentation supports ● Csmith ○ Random program generator ○ Found many bugs in compilers ○ Doesn’t generate programs with undefined behaviour ● Instrumentation supports: ○ Marking variables as symbolic ○ Oracles ○ Constraining 18

  19. Versions correspond to mode: ● Concrete mode - native version ● Single path mode - single path version ● Multi path mode - multi path version 19

  20. Oracles can check: 1. Executor doesn’t crash 2. Function call chain 3. Output (values of all global variables) matches 4. Coverage achieved on the random program 20

  21. Finally: ● Gather mismatches ● Reduce interesting ones ● Report bugs 21

  22. CREST Case Studies ● Concolic execution KLEE ● Instrumentation instead of interpretation ● Main case study ● Doesn’t generate test cases ○ Familiarity ○ Flexibility ● Built on top of LLVM FuzzBALL ● Keeps all paths in memory ● Binary level executor ● Doesn’t generate test cases 22

  23. 23

  24. 1 24

  25. 25

  26. 26

  27. 3 27

  28. 0 0 0 0 28

  29. Example bug: Crest Expected output Actual output 1 unsigned int a; 2 int main() { a: 6 a: 6 3 make_symbolic(&a); Assertion fail a: 23 4 if(a > 2294967295) { 5 assert(false); 6 } 7 printf("a: %d\n",a); 8 } 29

  30. Example bug: KLEE Expected Actual output output 1 int g_10 = 0; loop loop 2 int main() { loop 3 make_symbolic(&g_10); loop loop 4 do { loop loop 5 printf("loop\n"); loop 6 g_10 &= 2; ... 7 } while(!((3 ^ g_10) / 1)); 8 } 30

  31. Example bug: FuzzBALL Expected Actual output output 1 unsigned int g_54 = 0; 2 unsigned int g_56 = 0; g_56: 0 Strange term cast (cast(t2:reg32t)L:reg8t)U: 3 reg32t ^ 0xbc84814c:reg32t 4 void main ( void ) { 5 make_symbolic(&g_54); 6 CONSTRAIN(g_54, 0); 7 g_56 ^= 0 < g_54; 8 printf("g_56: %u\n", *(&g_56)); 9 } 31

  32. Conclusions ● Developed techniques that test many aspects of symbolic executors ● Applied them to 3 different symbolic executors ● Total bugs found: ○ 14 in KLEE ○ 3 in Crest ○ 3 in FuzzBALL 32

  33. 33

  34. Constrainers 34

  35. 35

  36. 36

  37. CREST bug ● 14 in KLEE (9 fixed) ● 3 in Crest (1 fixed) ● 3 in FuzzBALL (3 fixed) ● found within first 5000 runs of a batch 37

  38. Single-Path Mode Compare native execution, with symbolic execution constrained to the exact same path as native execution. 38

  39. Symbolic execution ● Mark some inputs as symbolic ● Runs the program, while gathering constraints on the symbolic data ● Forks at branch points when both sides are feasible ● Upon hitting a terminal state (ie. error), solves the gathered constraints, to produce an input leading the program to the same state 39

  40. Configuration includes: ● Program generation options ○ size/complexity of the program ○ language features to use ● Compilation options ● Mode ● Oracles to use 40

  41. Instrumentation supports ● Marking variables as symbolic ● Oracles ● Constraining 41

  42. V ersions correspond to mode used: ● Concrete mode - native version ● Single path mode - single path version ● Multi path mode - multi path version 42

  43. Oracles can check: 1. Executor doesn’t crash 2. Function call chain 3. Output (values of all global variables) matches 4. Coverage achieved on the program 43

  44. Finally: ● Gather mismatches ● Reduce interesting ones ● Report bugs 44

  45. Expected output Actual output 1 void foo(unsigned int x) { x: 6 x: 6 2 if( x > 2294967295) { Assertion fail x: 23 3 assert(false); 4 } 5 printf("x: %u\n", x); 6 } 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

1.43k views • 74 slides
Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath , Daniel Schemmel, Klaus Wehrle https://comsys.rwth-aachen.de EPIQ Workshop, Heraklion, Greece, 2018-12-04 QUANT ? Mozquic ? mvfst ? picoquic ?

1.45k views • 97 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1

Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1

Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1 University of Washington 2 University of California, Berkeley Motivation Query optimizers and executors are core to all modern relational

446 views • 27 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch retrospective Understand

283 views • 13 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information

Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information

Thermodynamic Geometry of Yang-Mills Gauge Theory Bhupendra Nath Tiwari University of Information Science and Technology, St. Paul the Apostle, Partizanska Str. bb 6000 Ohrid, Republic of Macedonia a INFN-Laboratori Nazionali di Frascati,

920 views • 44 slides
Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and

Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and

Recent Developments in The Black Hole Microstate Geometry Program Masaki Shigemori Strings and Fields YITP, Kyoto U August 2017 Based on 1607.03908, 170x.xxxxx with I. Bena, S. Giusto, E. Martinec, R. Russo, D. Turton, N. P. Warner

537 views • 21 slides
A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A

A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A

Introduction Pulsar-Black Hole Binaries Lensing Summary A Potential Astrophysical Test of Quantum Gravity Ue-Li Pen CITA November 12, 2013 U. Pen A Potential Astrophysical Test of Quantum Gravity Introduction Pulsar-Black Hole Binaries

488 views • 14 slides
Describing the interior of a black hole using holography Marika Taylor Mathematical Sciences and

Describing the interior of a black hole using holography Marika Taylor Mathematical Sciences and

Describing the interior of a black hole using holography Marika Taylor Mathematical Sciences and STAG research centre, Southampton March 25, 2014 STAG R RESEARCH E S E A R C H C E CENTER N CENTER T E R Marika Taylor Black

920 views • 35 slides
SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My

SimuVEX Using VEX in Symbolic Analysis Yan Shoshitaishvili yans@cs.ucsb.edu 2014 Who am I? My name is Yan Shoshitaishvili, and I am a PhD student in the Seclab at UC Santa Barbara. Email: yans@cs.ucsb.edu Twitter: @Zardus Github:

918 views • 36 slides
Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work

Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work

Motivation Charged BBH Einstein-Maxwell-Dilaton BBH w/QG BBH w/axions mPBHs Doing the unexpected with binary black holes ICERM Brown University Steve Liebling Work mentioned here with: John Estes (SUNY Westbury) Eric Hirschmann (BYU)

290 views • 27 slides
Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining

Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining

Running a Stress (ish) -Free Company Thanks for joining todays talk and Ill be explaining how you can run a stress(ish) free company - yes, such a thing is possible! Me: Owen Lansbury Co-Founder - PreviousNext Sydney, Australia

875 views • 46 slides
The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a.

The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a.

The bright side of black holes Vtor Cardoso [Tcnico &amp; CERN] Fundamental questions a. BH seeds, BH demography, galaxy co-evolution (how many, where, how?) Barack+ arXiv:1806.05195 b. What is graviton mass or speed? See review Barack+

513 views • 33 slides

More recommend