cmpsc 497 symbolic execution
play

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

May 28, 2023 •270 likes •735 views

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  1. CMPSC 497: � Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Our Goal • In this course, we want to develop techniques to detect vulnerabilities before they are exploited automatically ‣ What ’ s a vulnerability? ‣ How to find them? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Static vs. Dynamic • Dynamic ‣ Depends on concrete inputs ‣ Must run the program ‣ Impractical to run all possible executions in most cases • Static ‣ Overapproximates possible input values (sound) ‣ Assesses all possible runs of the program at once ‣ Setting up static analysis is somewhat of an art form • Is there something that combines best of both? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  4. Best of Both? • What would be the best of both? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  5. Best of Both? • What would be the best of both? ‣ Run over lots of inputs at once (static) ‣ Easy to setup (dynamic) ‣ Run all paths (static) ‣ Identify concrete values that lead to problems (dynamic) • Can’t quite achieve all these, but can come closer Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  6. Symbolic Execution • Symbolic execution is a method for emulating the execution of a program to learn constraints ‣ Assign variables to symbolic values instead of concrete values ‣ Symbolic execution tells you what values are possible for symbolic variables at any particular point in your program • Like dynamic analysis (fuzzing) in that the program is executed in a way – albeit on symbolic inputs • Like static analysis in that one start of the program tells you what values may reach a particular state Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Symbolic Execution • What’s a symbolic value? • Remember in AFL fuzzing, you provide a candidate concrete input to identify the format ‣ And the fuzzer produces lots of variants of this input • In symbolic execution, you don’t provide a concrete input, but rather identify which value(s) you want to assess – just say an input is “symbolic” ‣ Then the symbolic execution tells you the possible values of that input to reach particular points in the program Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. Automatic Generation of EXE & KLEE Inputs of Death 
 and High-Coverage Tests Slides by Yoni Leibowitz Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  9. Example int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; if (i >= 4) exit(0); char *p = (char *)a + i * 4; *p = *p − 1 t = a[*p]; t = t / a[i]; if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  10. Marking Symbolic Data int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); Marks the 4 bytes associated with if (i >= 4) 32-bit variable ‘i’ exit(0); as symbolic char *p = (char *)a + i * 4; *p = *p − 1 t = a[*p]; t = t / a[i]; if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  11. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts checks around every assignment , expression & branch , to determine if its operands are concrete or symbolic unsigned int a[4] = {1,3,5,2} if (i >= 4) Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  12. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts checks around every assignment , expression & branch , to determine if its operands are concrete or symbolic If any operand is symbolic , the operation is not performed, but is added as a constraint for the current path Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  13. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts code to fork program execution when it reaches a symbolic branch point , so that it can explore each possibility if (i >= 4) (i ≥ 4) (i < 4) Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  14. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts code to fork program execution when it reaches a symbolic branch point , so that it can explore each possibility For each branch constraint , queries constraint solver for existence of at least one solution for the current path . If not – stops executing path Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  15. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts code for checking if a symbolic expression could have any possible value that could cause errors t = t / a[i] Division by Zero? Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  16. Compiling... example.c int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); EXE compiler if (i >= 4) exit(0); char *p = (char *)a + i * 4; example.out *p = *p − 1 t = a[*p]; t = t / a[i]; Executable if (t == 2) assert(i == 1); else assert(i == 3); return 0; } Inserts code for checking if a symbolic expression could have any possible value that could cause errors If the check passes – the path has been verified as safe under all possible input values (relative to those checks) Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  17. Running... int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); if (i >= 4) exit(0); 4 ≤ i char *p = (char *)a + i * 4; *p = *p − 1 e.g. i = 8 t = a[*p]; t = t / a[i]; EXE generates a if (t == 2) test case assert(i == 1); else assert(i == 3); return 0; } Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  18. Running... int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); 0 ≤ i ≤ 4 if (i >= 4) e.g. i = 2 exit(0); char *p = (char *)a + i * 4; p → a[2] = 5 *p = *p − 1 t = a[*p]; a[2] = 5 – 1 = 4 t = t / a[i]; if (t == 2) t = a[4] assert(i == 1); else assert(i == 3); Out of bounds return 0; } EXE generates a test case Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  19. Running... int main(void) { 0≤ i ≤ 4 , i ≠ 2 unsigned int i, t, a[4] = { 1, 3, 5, 2 }; make_symbolic(&i); e.g. i = 0 if (i >= 4) p → a[0] = 1 exit(0); char *p = (char *)a + i * 4; a[0] = 1 – 1 = 0 *p = *p − 1 t = a[*p]; t = a[0] t = t / a[i]; if (t == 2) t = t / 0 assert(i == 1); else Division by 0 assert(i == 3); return 0; } EXE generates a test case Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  20. Running... 0≤ i ≤ 4 , i ≠ 2 , i ≠ 0 int main(void) { unsigned int i, t, a[4] = { 1, 3, 5, 2 }; i = 3 i = 1 make_symbolic(&i); p → a[3] p → a[1] if (i >= 4) exit(0); a[3] = 1 a[1] = 2 char *p = (char *)a + i * 4; *p = *p − 1 t = a[1] t = a[2] t = a[*p]; t = t / a[i]; t ≠ 2 t = 2 if (t == 2) assert(i == 1); else EXE determines assert(i == 3); neither ‘assert’ fails return 0; } 2 valid test cases Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  21. Output test3.err ERROR: simple.c:16 Division/modulo by zero! # concrete byte values: test3.out i = 0 0 # i[0], 0 # i[1], 0 # i[2], 0 # i[3] # take these choices to follow path 0 # false branch (line 5) test3.forks 0 # false (implicit: pointer overflow check on line 9) 1 # true (implicit: div − by − 0 check on line 16) Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

1.13k views • 86 slides
1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain?

1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain?

1 How far can a Contract Serve as a Justification for Permanent Storage on a Blockchain? Philipp Quiel 2 Agenda General scope of the legal basis in Art. 6 (1) b GDPR Possibilities of concluding contracts in blockchain systems

553 views • 19 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo Jonathan Katz Xiao Wang Chenkai Weng Yu Yu Yaos garbled circuits Two-party computation (2PC) Multiple optimizations

376 views • 20 slides
On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas,

On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas,

On the use of semantic features for the semantic indexing task Bahjat Safadi, Nadia Derbas, Abdelkader Hamadi, Mateusz Budnik, Philippe Mulhem and Georges Qunot UJF-LIG and many other people from the IRIM group of GDR 720 ISIS 10 November

450 views • 24 slides
Information Technology Is Creating A New Social Fabric Definition

Information Technology Is Creating A New Social Fabric Definition

Information Technology Is Creating A New Social Fabric Definition Social Fabric Information Technology Speakers: Niall Conroy Examples Derek Foley Television Email Andrew Anderson

384 views • 3 slides
Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your

Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your

Math 8001: Groupwork (School of Mathematics) Math 8001 UMN 1 / 12 Any current issues in your own teaching? (School of Mathematics) Math 8001 UMN 2 / 12 Your assignment Pick a section covered in your class next week (modulo special

296 views • 16 slides
Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on

Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on

Two principles of dynamic constructivism Giovanni Sambin Logic Colloquium, special session on Philosophy of Mathematics and Computer Science Manchester, 17 July 2012 preamble - declaration of intents the classical foundation can be

315 views • 20 slides
Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of

Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of

Is Constructive Logic relevant for Computer Science? Thorsten Altenkirch University of Nottingham BCTCS 05 p.1/16 Birth of Modern Mathematics BCTCS 05 p.2/16 Birth of Modern Mathematics Isaac Newton (1642 - 1727) BCTCS 05 p.2/16

827 views • 57 slides

More recommend