
Chapter 6 “Symbolic execution”, course “Model checking”, Volker Stolz, Martin Steffen, Autumn 2019 (PowerPoint presentation, slide transcript)


  1. Chapter 6 “Symbolic execution”, course “Model checking”, Volker Stolz, Martin Steffen, Autumn 2019

  2. Section: Targets

  3. Learning targets of chapter “Symbolic execution”: the chapter gives a not too deep introduction to symbolic execution and concolic execution.

  4. Outline of chapter “Symbolic execution”: Targets; Introduction; Testing and path coverage; Symbolic execution; Concolic testing

  5. Section: Introduction

  6. Introduction
     • symbolic execution: “old” technique [3]
     • natural also in the context of testing
     • concolic execution: extension
     • used also in compilers
       • code generation
       • optimization

  7. Code example (the example program is shown as a figure on the slide and is not reproduced in this transcript)

  8. How to analyse a (simple) program like that?
     • testing
     • “verification” (whatever that means)
       • could include code review
     • model-checking? Hm?
     • symbolic and concolic execution (see later)

  9. Testing
     • maybe the most used method for ensuring software (and system) “quality”
     • broad field
       • many different testing goals and techniques
       • also used in combination, in different phases of the software engineering cycle
     • here: focus on “white-box” testing
       • AKA structural testing
       • program code available (resp. CFG)
     • also focus: unit testing
     Goals
     • detect errors
     • check corner cases
     • provide high (code) coverage

  10. (Code) coverage
     • note: typically a non-concurrent setting (unit testing)
     • different coverage criteria
       • nodes
       • edges, conditions
       • combinations thereof
       • path coverage
     • defined to answer the question: when have I tested “enough”?
     Path coverage
     • ambitious to impossible (loops)
     • note: still not all reachable states, i.e., not verified yet

  11.–16. Path coverage (built up over slides 11–16; the example program and its paths are shown as a figure and are not reproduced in this transcript)
     • 3 possible execution paths
     • corresponding path conditions
     • “optimal”: cover all paths
     • find an input set to run the program covering all those paths

  17. Random testing
     • most naive way of testing
     • generating random inputs
       • concrete input values
     • dynamic executions of programs
     • observe actual behavior and compare it against expected behavior

  18.–19. Random testing
     • different inputs, different paths
     • maybe
       • (x, y) = (700, 500)
       • (x, y) = (−700, 500)
       • . . .

  20. One path so far missed (shown as a figure on the slide; not reproduced in this transcript)

  21.–22. How to get that path (or others)?
     • maybe: (x, y) = (145, 10)
     • by chance: very low probability to randomly get y = 10
     • path condition, symbolic representation: x > 0 ∧ y = 10

  23. Symbolic execution
     • symbols instead of concrete values
     • use of path conditions, aka path constraints
       • cf. connection to SAT and SMT
     • constraint solver computes actual (concrete) values

  24. Simple example
     • in the code: assignments, not equations (y := read())
     • introduce variable s for read()
     • assignments
       • y := read() ⇒ y = s
       • y := 2*y ⇒ y = 2s
     • branching point in line 4
       • right: 2s = 12
       • left: 2s ≠ 12

  25. Which input leads to the error?
     Constraint solver: solve the path constraint 2s = 12
     • child’s play: the solution is s = 6
     • but: requires a solver that can do “arithmetic”, including multiplication

  26. In summary: symbolic execution for dummies
     • take the code (resp. the CFG of the code)
     • collect all paths into path conditions
       • big conjunctions of all conditions along each path
       • each condition b will have
         • one positive mention b in one continuation of the path
         • one negated mention ¬b in the other continuation
     • solve the constraints for paths leading to errors with an appropriate SMT solver
     • works best for loop-free programs
       • cf. also SSA
     • but there is another problem as well (see next)

  27. How about the program we started with? (shown as a figure on the slide; not reproduced in this transcript)

  28. Complex condition x³
     • non-linear constraint
     • in general undecidable
     • most constraint solvers throw the towel
       • for instance: execution stops, no path covered

  29. What can one do? What can one do (beyond accepting that SE won’t cover all paths)?
     • “static analysis”: abstracting
       • cover both paths approximately
     • theorem proving? one cannot sell that to testers
     Concolic testing: Concrete & Symbolic = “concolic”

  30. Concolic testing
     • here following DART
     • combination of two techniques:
       Random testing            | Symbolic execution
       • concrete values         | • symbols, variables
       • dynamic execution       | • static analysis
     • other name: Dynamic symbolic execution (DSE)
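To make slides 24–26 and 28–30 concrete, here is a toy symbolic/concolic executor written for this transcript; it is not the lecture's code and not DART itself. Program values carry a concrete integer and a linear symbolic expression, `branch` records each condition taken, and `dart` negates the last one, solves it and reruns (the loop of slide 30); `solve` is a brute-force stand-in for an SMT solver, `doubled` is the slide-24 program (path constraint 2s = 12, solution s = 6) and `cubic` is a constructed program with a non-linear guard like the x³ condition of slide 28.

```python
# Toy symbolic/concolic executor, added as an illustration; not the lecture's own code.
import itertools
class Nonlinear(Exception): pass  # constraint left the linear fragment the toy solver supports
PATH = []  # path condition of the current run: [((coef, const), holds_concretely)]
def _v(o): return o if isinstance(o, Val) else Val(o, {}, o)  # wrap a plain int as a constant

class Val:
    """Concrete value c paired with a linear symbolic expression sum(coef*sym) + const."""
    def __init__(self, c, coef, const, concolic=False):
        self.c, self.coef, self.const, self.concolic = c, dict(coef), const, concolic
    def __add__(self, o):
        o, coef = _v(o), dict(self.coef)
        for k, v in o.coef.items(): coef[k] = coef.get(k, 0) + v
        return Val(self.c + o.c, coef, self.const + o.const, self.concolic or o.concolic)
    def __mul__(self, o):
        o = _v(o); c = self.concolic or o.concolic
        if self.coef and o.coef:  # symbol * symbol: the constraint becomes non-linear
            if not c: raise Nonlinear()  # pure symbolic execution: the solver throws the towel
            return Val(self.c * o.c, {}, self.c * o.c, True)  # DART: fall back to the concrete value
        lin, k = (self, o.const) if self.coef else (o, self.const)
        return Val(self.c * o.c, {s: v * k for s, v in lin.coef.items()}, lin.const * k, c)
    __radd__, __rmul__ = __add__, __mul__
    def __eq__(self, o):  # branch condition: (lhs - rhs as a linear expression, holds concretely?)
        o = _v(o); d = self + Val(-o.c, {k: -v for k, v in o.coef.items()}, -o.const)
        return ((d.coef, d.const), d.c == 0)

def branch(cond): PATH.append(cond); return cond[1]  # record the branch actually taken

def solve(path, syms, bound=20):  # toy solver: brute-force small ints (a real SMT solver goes here)
    for vals in itertools.product(range(-bound, bound + 1), repeat=len(syms)):
        env = dict(zip(syms, vals))
        if all((sum(v * env[k] for k, v in coef.items()) + const == 0) == holds
               for (coef, const), holds in path):
            return env
    return None

def dart(prog, inputs, concolic=False, max_runs=10):  # run, negate last condition, solve, rerun
    syms = list(inputs)
    for _ in range(max_runs):
        PATH.clear()
        if prog(**{s: Val(v, {s: 1}, 0, concolic) for s, v in inputs.items()}) == 'error':
            return inputs
        flips = (solve(PATH[:i] + [(PATH[i][0], not PATH[i][1])], syms)
                 for i in range(len(PATH) - 1, -1, -1))
        inputs = next((env for env in flips if env), None)  # None: no further path reachable
        if inputs is None: return None

def doubled(s): return 'error' if branch(s * 2 == 12) else 'ok'  # slide 24: y := read(); y := 2*y; if y == 12
def cubic(x, y): return 'error' if branch(x * x * x == y) else 'ok'  # constructed non-linear guard (x^3)
```

`dart(doubled, {'s': 0})` returns `{'s': 6}`; `dart(cubic, {'x': 2, 'y': 0})` raises `Nonlinear`, while the same call with `concolic=True` reaches the error after a few reruns because x·x is replaced by its concrete value.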
