cristian cadar
play

Cristian Cadar Department of Computing Imperial College London - PowerPoint PPT Presentation

Oct 11, 2023 •116 likes •397 views

Symbolic Crosschecking of Data-Parallel Code Cristian Cadar Department of Computing Imperial College London Joint work with Peter Collingbourne and Paul Kelly [EuroSys 2011, HVC 2011] Dawson Engler, Daniel Dunbar, Peter Pawlowski, Vijay Ganesh,

  1. Symbolic Crosschecking of Data-Parallel Code Cristian Cadar Department of Computing Imperial College London Joint work with Peter Collingbourne and Paul Kelly [EuroSys 2011, HVC 2011] Dawson Engler, Daniel Dunbar, Peter Pawlowski, Vijay Ganesh, David Dill, Junfeng Yang, Peter Boonstoppel, Can Sar, Paul Twohey, JaeSeung Song, Peter Pietzuch, Paul Marinescu 31 st January 2012 17 th CREST Workshop, London, UK

  2. Dynamic Symbolic Execution • Renewed interest in the last few years: – Software testing : high-coverage test generation – Automatic bug-finding – Security : automatic vulnerability signature generation, security testing • Main enablers: – Recent advances in constraint solving – Mixed concrete and symbolic execution

  3. Dynamic SymEx in Practice • Many dynamic symbolic execution/concolic tools available as open-source: – CREST , KLEE , SYMBOLIC JPF , etc. • Started to be adopted by the industry: – Microsoft ( SAGE , PEX ), IBM ( APOLLO ), Fujitsu ( KLEE / KLOVER , SYMBOLIC JPF ), NASA ( SYMBOLIC JPF ), etc.

  4. Dynamic Symbolic Execution Let the code generate its own (complex) test cases! • Dynamic symbolic execution can automatically explore multiple paths through a program • Determine the feasibility of a particular path by reasoning about all possible values using a constraint solver • Before each dangerous operation, can check if there are any values that can cause an error • For each path, can usually generate a concrete input triggering the path 4

  5. Scalability Challenges Path exploration Constraint solving challenges challenges • Employing search heuristics Exploit the characteristics of constraints generated by symex • Dynamically eliminating redundant paths • Eliminating irrelevant constraints • Statically merging paths • Exploiting similarity • Using existing regression test between constraints suites to prioritize execution • etc. • etc. [Joint work with Engler, Dunbar, Collingbourne, Kelly, Pawlowski, Sar, Twohey, Yang, Boonstoppel, Ganesh, Dill, Song, Pietzuch, Marinescu]

  6. Three tools: EGT, EXE, KLEE x = -2 EGT/EXE/ C code x = 1234 K L E E x = 3 x  0 x = 3 x  1234 Constraint Solver (STP) [Joint work with Dawson Engler, Daniel Dunbar, Peter Pawlowski, Peter Boonstoppel, Vijay Ganesh, David Dill]

  7. EGT, EXE, KLEE Successfully used our tools to: • Automatically generate high-coverage test suites • Find bugs and security vulnerabilities in complex software

  8. Bug Finding with EGT, EXE, KLEE: Focus on Systems and Security Critical Code Applications UNIX utilities Coreutils, Busybox, Minix (over 450 apps) UNIX file systems ext2, ext3, JFS Network servers Bonjour, Avahi, udhcpd, WsMp3 Library code libdwarf, libelf, PCRE, uClibc, Pintos Packet filters FreeBSD BPF, Linux BPF MINIX device drivers pci, lance, sb16 Kernel code HiStar kernel Computer vision code OpenCV (filter, remap, resize, etc.) OpenCL code Parboil, Bullet, OP2 • Most bugs fixed promptly 8

  9. JFS, Linux 2.6.10: Disk of death Offset Hex Values 00000 0000 0000 0000 0000 0000 0000 0000 0000 . . . . . . 08000 464A 3135 0000 0000 0000 0000 0000 0000 08010 1000 0000 0000 0000 0000 0000 0000 0000 08020 0000 0000 0100 0000 0000 0000 0000 0000 08030 E004 000F 0000 0000 0002 0000 0000 0000 08040 0000 0000 0000 . . . • 64 th sector of a 64K disk image • Mount it and PANIC your kernel [Joint work with Junfeng Yang, Dawson Engler, Can Sar, Paul Twohey]

  10. Bonjour: Packet of Death Offset Hex Values 0000 0000 0000 0000 0000 0000 0000 0000 0000 003E 0000 4000 FF11 1BB2 7F00 0001 E000 0010 0020 00FB 0000 14E9 002A 0000 0000 0000 0001 0030 0000 0000 0000 055F 6461 6170 045F 7463 0040 7005 6C6F 6361 6C00 000C 0001 • Causes Bonjour to abort, potential DoS attack • Apple confirmed it and released a security update [Joint work with JaeSeung Song and Peter Pietzuch]

  11. Kerberized Telnet: Packet of Death Offset Hex Values 0000 001E 8C97 BBD9 001B FC40 5983 0800 4500 0040 8930 4000 4006 7E39 9BC6 7DE0 9BC6 0010 0020 7DE1 AAA9 0017 7FBE B5A2 494D 6AF4 8018 0030 005C 4FAE 0000 0101 080A 014E 3CCD 1115 0040 029A FFFD 25FF FA25 03FF F0FF F800 • Crashes the telnet daemon • Reported and confirmed by developers [Joint work with JaeSeung Song and Peter Pietzuch]

  12. Semantic Bugs • Bugs shown before were all generic errors • What about semantic bugs? Option 1: Write specifications! • Can find assert() violations (Can verify assert() statements on a per-path basis) 12

  13. Crosschecking (Equivalence Checking) Option 2: Crosschecking! • Successfully used in the past • Great match for symbolic execution Lots of available opportunities: • Different implementations of the same functionality: e.g., libraries, servers, compiler • Optimized versions of a reference implementation • Refactored code • Reverse computations: e.g., compress and uncompress 13

  14. New Platforms, New Code • Recent years have seen the emergence of new computing platforms which provide many opportunities for optimizations • Code is often adapted manually to benefit from these platforms Error-prone , as any manual process 14

  15. SIMD Optimizations Most processors offer support for SIMD instructions • Can operate on multiple data concurrently • Many algorithms can make use of them (e.g., computer vision algorithms) 15

  16. General Purpose GPU Computing (2006) (2008)

  17. General Purpose GPU Computing New programming model: • Large number of threads MEM MEM MEM • Hierarchical execution and memory model MEM PCIe CPU 17

  18. Crosschecking (Equivalence Checking) Reference implementation (written in C) Symbolic execution Mismatches engine Optimized implementation (SIMD / OpenCL) We can find any mismatches in their behavior by: 1. Using symbolic execution to explore multiple paths 2. Comparing the path constraints across implementations 18

  19. Crosschecking: Advantages • No need to write any specifications • Constraint solving queries can be solved faster • Can support constraint types not (efficiently) handled by the underlying solver, e.g., floating-point Many crosschecking queries can be syntactically proved to be equivalent 19

  20. Crosschecking: Advantages * << 2 1 Many crosschecking queries can be syntactically proved to be equivalent 20

  21. OpenCL Optimizations • Parboil: – GPU benchmark suite, originally written in CUDA • OP2 Bullet library – Library for applications on unstructured grids • Bullet open-source physics library – Popular library used movie studios and professional game developers – Analyzed soft body engine 21

  22. OpenCL Benchmarks: Bugs and Mismatches Several bugs and mismatches: • 2 mismatches between C and OpenCL code • Incorrect FP associativity and distributivity assumptions (CP in Parboil) • 3 memory errors • Buffer overflows (MRI-Q&MRI-FHD in Parboil) • Use-after-free: incorrect synchronization between host and kernel code (MRI-Q in Parboil) • Uninitialized memory (MRI-FHD in Parboil) • 1 race condition • Missing synchronization barrier (OP2) • 1 compiler bug • NVidia compiler bug (incorrect optimization) 22

  23. SIMD Optimizations OpenCV : popular computer vision [Corner er detec ection ion algor orit ithm] library from Intel and Willow Garage 23

  24. OpenCV Results • Crosschecked 51 SIMD-optimized versions against their reference scalar implementations • Proved the bounded equivalence of 41 • Found mismatches in 10 • Most mismatches due to tricky FP-related issues: • Precision • Rounding • Associativity • Distributivity • NaN values 24

  25. OpenCV Results Surprising find: min/max not commutative nor associative! min(a,b) = a < b ? a : b a < b (ordered)  always returns false if one of the operands is NaN min(NaN, 5) = 5 min(5, NaN) = NaN min(min(5, NaN), 100) = min(NaN, 100) = 100 min(5, min(NaN, 100)) = min(5, 100) = 5 25

  26. Integrating Crosschecking into Development Process Semantic mismatches not always errors – Underspecified behavior Two (anecdotal) insights: 1. Provide developers the ability ¡to ¡add ¡“assumptions” eg: – Floating-point associativity holds: • A+(B+C) = (A+B)+C – Disregard the difference between 0 - and 0 + : • A+0 = A 2. All things being equal, developers prefer to keep the behavior of the reference implementation – Particularly if we can provide some guarantees • bounded equivalence 26

  27. KLEE: Freely Available as Open-Source http://klee.llvm.org • Over 200 subscribers to the klee-dev mailing list • Extended in many interesting ways by several research groups, in the areas of: • wireless sensor networks • schedule memoization in multithreaded code • automated debugging • exploit generation • online gaming, etc. 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford Background Lineage Thesis work at MIT building a new OS (exokernel) Spent last 7 years developing methods to

1.02k views • 70 slides
Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul H J Kelly Department of Computing, Imperial College London 13 April, 2011 1 SIMD Single Instruction Multiple Data A popular means of

905 views • 51 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College

Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College

Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College London Joint work with Peter Collingbourne, Paul Kelly, Tomek Kuchta, Paul Marinescu, Hristina Palikareva CREST Open Workshop UCL, London, UK,

362 views • 34 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch retrospective Understand

283 views • 13 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
SAFE SOFTWARE UPDATES VIA MULTI-VERSION EXECUTION PETR HOSEK CRISTIAN CADAR Petr Hosek is a

SAFE SOFTWARE UPDATES VIA MULTI-VERSION EXECUTION PETR HOSEK CRISTIAN CADAR Petr Hosek is a

SAFE SOFTWARE UPDATES VIA MULTI-VERSION EXECUTION PETR HOSEK CRISTIAN CADAR Petr Hosek is a recipient of the Google European Fellowship in Software Engineering and this research is supported in part by this Google Fellowship 2009 2010 10 11

923 views • 61 slides
Leveraging bloom filters on Redis Cristian Castiblanco me@cristian.io | cristian@scopely.com

Leveraging bloom filters on Redis Cristian Castiblanco me@cristian.io | cristian@scopely.com

Leveraging bloom filters on Redis Cristian Castiblanco me@cristian.io | cristian@scopely.com https://cristian.io Stream processing at Scopely Stream processing at Scopely Idempotence An operation is said to be idempotent when applying it

1.17k views • 90 slides
Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA

Sminaire VERIMAG Grenoble, 21/02/2020 Compiler Fuzzing: How Much Does It Matter? ~ research published at the SPLASH19 OOPSLA conference ~ *Michal Marcozzi 1 *Qiyi Tang 2 Alastair F. Donaldson 3,1 Cristian Cadar 1 * The presented experimental

894 views • 73 slides
Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang,

Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang,

Co Compiler er Fuzzi zzing: g: Ho How Much Does It Matter? Michal Marcozzi, Qiyi Tang, Cristian Cadar, Alastair Donaldson 10th South of England Regional Programming Language Seminar (S-REPLS 10) Bi Birk rkbeck, , Un University of of

317 views • 11 slides
Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina Palikareva

Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina Palikareva

Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina Palikareva Tomasz Kuchta Cristian Cadar ICSE16, 20 th May 2016 This work is supported by EPSRC and Microsoft Research Motivation Software patches

724 views • 60 slides
Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander Wolf Department of Computing Imperial College London in collaboration with Cristian Cadar, Paolo Costa, and Peter Pietzuch An inspiring example

243 views • 13 slides
Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Relational Interfaces Relational Interfaces Stavros Tripakis UC Berkeley Joint work with Ben

Relational Interfaces Relational Interfaces Stavros Tripakis UC Berkeley Joint work with Ben

Relational Interfaces Relational Interfaces Stavros Tripakis UC Berkeley Joint work with Ben Lickly, Joint work with Ben Lickly, Tom Henzinger and Edward Lee UC Berkeley, Feb 2010 Component Based Design Component Based Design How can we

736 views • 49 slides
Analysis of Timing Constraints in Heterogeneous Middleware Interactions Ajay Kattepur 1 , Nikolaos

Analysis of Timing Constraints in Heterogeneous Middleware Interactions Ajay Kattepur 1 , Nikolaos

Analysis of Timing Constraints in Heterogeneous Middleware Interactions Ajay Kattepur 1 , Nikolaos Georgantas 2 , Georgios Bouloukakis 2 &amp; Valrie Issarny 2 1 PERC, TCS Innovation Labs, Mumbai, India 2 MiMove Team, Inria Paris-Rocquencourt,

575 views • 38 slides
Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group

Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group

Topics in Timed Automata B. Srivathsan RWTH-Aachen Software modeling and Verification group 1/25 Reachability: Does something bad happen? The gate is still open when the train is 2 minutes away from the crossing This problem is

1.38k views • 96 slides
Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT

ASYNC08 Automated Verification of Automated Verification of asynchronous CIRCUITS USING CIRCUIT asynchronous CIRCUITS USING CIRCUIT Petri nets Petri nets Iva n Polia kov, Andre y Mokhov, Da nil Sokolov, Ashur Ra fie v, Ale x Ya kovle v

474 views • 25 slides
Hac k- a- Vote : Studying Se c ur ity Issue s with E - Voting Da n Wa lla c h Ric e Unive

Hac k- a- Vote : Studying Se c ur ity Issue s with E - Voting Da n Wa lla c h Ric e Unive

Hac k- a- Vote : Studying Se c ur ity Issue s with E - Voting Da n Wa lla c h Ric e Unive rsity Collabor ator s: Jo na tha n Ba nne t Da vid W. Pric e Alg is Rudys Justin Sing e r Pe r c e ption vs. r e ality Pe r c e ption vs. r

542 views • 25 slides
CEE 772: Instrumental Methods in Environmental Analysis Lecture #24 Special Applications:

CEE 772: Instrumental Methods in Environmental Analysis Lecture #24 Special Applications:

Updated: 10 December 2014 Print version CEE 772: Instrumental Methods in Environmental Analysis Lecture #24 Special Applications: Chromatographic Retention Time and Environmental Properties (Skoog, nothing) (Harris, Nothing) () CEE 772

845 views • 26 slides
Multi Language Support for Virtual Assistants Sierra Kaplan-Nelson, Max Farr Mentor: Mehrad

Multi Language Support for Virtual Assistants Sierra Kaplan-Nelson, Max Farr Mentor: Mehrad

Multi Language Support for Virtual Assistants Sierra Kaplan-Nelson, Max Farr Mentor: Mehrad Moradshahi Broad Topic (everything we do now in many other languages) Speech

315 views • 28 slides
http://cs246.stanford.edu Often, our data can be represented by an -by- matrix And

http://cs246.stanford.edu Often, our data can be represented by an -by- matrix And

Note to other teachers and users of these slides: We would be delighted if you found our material useful for giving your own lectures. Feel free to use these slides verbatim, or to modify them to fit your own needs. If you make use of a

741 views • 61 slides

More recommend