building a symbolic execution engine for haskell
play

Building a Symbolic Execution Engine for Haskell William Hallahan - PowerPoint PPT Presentation

Oct 26, 2022 •108 likes •171 views

Building a Symbolic Execution Engine for Haskell William Hallahan Anton Xue Ruzica Piskac Functional languages - why? A different way of problem solving Pattern matching, Higher Order Functions, Algebraic Data Types Functional

  1. Building a Symbolic Execution Engine for Haskell William Hallahan Anton Xue Ruzica Piskac

  2. Functional languages - why? ● A different way of problem solving ○ Pattern matching, Higher Order Functions, Algebraic Data Types … ● Functional languages allow for easier equational reasoning ○ Objects are described by what they are rather than how they are constructed ● Strong static type system catches many errors at compile time ○ Many safeguards (e.g. null pointer checks) can be encoded as types

  3. Extraction from source code ● Use Glasgow Haskell Compiler API to extract Core Haskell from source ○ GHC Pipeline: Source → AST → Core Haskell → … Full Language AST Core Haskell Traceable from Source Yes Somewhat Concise Representation No Yes Easily Manipulatable No Yes ● Further translate Core Haskell to custom language (G2 Core) ○ Close one-to-one representation of Core Haskell ○ Simplifies and discards extraneous data present in Core Haskell annotations

  4. Execution ● General functional language: run reductions until a normal form is reached ● Challenge : symbolic execution requires symbolic variables ○ Augment Haskell lazy evaluation semantics with reduction rules for symbolic variables ○ Semantics: Making a Fast Curry: Push/Enter vs Eval/Apply ... [SPJ, SM 2004] ● Approach : treat symbolic execution as a bounded model-checking problem ○ Implement reduce function that applies augmented reduction execution rules one at a time ○ Apply reduction rules repeatedly to perform execution ■ Regular Haskell: apply until normal form is reached ■ Symbolic execution: apply until normal form is reached or we hit a counter limit

  5. Constraint solving ● Most basic feature of symbolic execution is reachability testing ○ Can convert many problems such as assertion violation into state reachability problems ● Constraint solving: interface with SMT solver ○ Convert path constraints from execution to SMT-LIB2 files ■ SMT-LIB2 format supports all the constructs necessary ● Equivalents for primitives such as Int, Float, Rational, etc ● Can declare new algebraic data types ○ Run a SMT solver on these files

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests:

6.009: Fundamentals of Programming Tutorial 10: Symbolic Algebra Engine With special guests: Inheritance Recursive-Descent Parsing 22 April 2020 Symbolic Algebra Today well implement a symbolic algebra engine , designed to represent

811 views • 19 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Bringing Haskell to the World www.fpcomplete.com Experience Report Building Haskell Development

Bringing Haskell to the World www.fpcomplete.com Experience Report Building Haskell Development

Bringing Haskell to the World www.fpcomplete.com Experience Report Building Haskell Development and Deployment tools Gregg Lebovitz Director, Product Management FP Complete Company Goals Increase Haskell Adoption Make Haskell More

344 views • 21 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Declarative Multi-Paradigm Programming in Michael Hanus Christian-Albrechts-Universit at Kiel

Declarative Multi-Paradigm Programming in Michael Hanus Christian-Albrechts-Universit at Kiel

Link oping, 11.2003 Declarative Multi-Paradigm Programming in Michael Hanus Christian-Albrechts-Universit at Kiel D ECLARATIVE P ROGRAMMING General idea: no coding of algorithms description of logical relationships powerful

921 views • 77 slides
Naive validity David Ripley University of Connecticut http://davewripley.rocks A base system A

Naive validity David Ripley University of Connecticut http://davewripley.rocks A base system A

Naive validity David Ripley University of Connecticut http://davewripley.rocks A base system A formal language A base system A formal language Distinguish two unary predicates: T and V . L is a usual first-order language with equality, and

867 views • 59 slides
Class 23: tons of fun! Currying Records Quiz on types Equality testing A little big-O Trees

Class 23: tons of fun! Currying Records Quiz on types Equality testing A little big-O Trees

Class 23: tons of fun! Currying Records Quiz on types Equality testing A little big-O Trees Announcement Tuesday office hours, normally 1-2 PM, will be 1 1:40 tomorrow. Currying A transformation on functions Named for

284 views • 24 slides
More on the Curry Howard Isomorphism Curtis Millar CSE, UNSW (and Data61) 29 July 2020 1

More on the Curry Howard Isomorphism Curtis Millar CSE, UNSW (and Data61) 29 July 2020 1

Intuitionistic Logic Correction Administrivia Software System Design and Implementation More on the Curry Howard Isomorphism Curtis Millar CSE, UNSW (and Data61) 29 July 2020 1 Intuitionistic Logic Correction Administrivia What is

668 views • 29 slides
A Fine-Grained Intensional First-Order Logic with Flexible Curry Typing Chris Fox Shalom Lappin

A Fine-Grained Intensional First-Order Logic with Flexible Curry Typing Chris Fox Shalom Lappin

A Fine-Grained Intensional First-Order Logic with Flexible Curry Typing Chris Fox Shalom Lappin Dept. of Computer Science Dept. of Computer Science University of Essex Kings College London foxcj@essex.ac.uk lappin@dcs.kcl.ac.uk

582 views • 44 slides
A short history of small machines This operation is so simple that it becomes laborious to

A short history of small machines This operation is so simple that it becomes laborious to

A short history of small machines L. De Mol and M. Bullynck A short history of small machines This operation is so simple that it becomes laborious to apply (Lehmer, 1933) L. De Mol 1 and M. Bullynck 2 1 Universiteit Gent,

566 views • 22 slides
References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley,

References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley,

References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley, Cambridge, 1997. The Curry-Howard Correspondence [2] The formulae-as-types notion of construction, Howard, William A. (1980) in [4], 479490.

534 views • 4 slides
Development of the Integrated Care Competency Assessment Tool (ICCAT) APNA 30 th Annual

Development of the Integrated Care Competency Assessment Tool (ICCAT) APNA 30 th Annual

APNA 30th Annual Conference Session 3017: October 21, 2016 Development of the Integrated Care Competency Assessment Tool (ICCAT) APNA 30 th Annual Conference Hartford, CT Session #3017.2 October 21, 2016 Presenter Joyce Shea, DNSc, PMHCNS

382 views • 5 slides

More recommend