efficient symbolic execution for software testing
play

Efficient Symbolic Execution for Software Testing Johannes Kinder - PowerPoint PPT Presentation

Dec 01, 2023 •333 likes •2.34k views

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

  1. Problem: Path Explosion void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } } if (r) { putchar('\n'); } } 83

  2. Solution (?): State Merging then else if (argv[i][0] == 'n') { r = 0; ++i; } 84

  3. Solution (?): State Merging then else if (argv[i][0] == 'n') { r = 0; ++i; } • Use disjunctions to represent state at join points • ite( x , y , z ) : if x then y else z 85

  4. Solution (?): State Merging then else if (argv[i][0] == 'n') { r = 0; ++i; } • Use disjunctions to represent state at join points • ite( x , y , z ) : if x then y else z 86

  5. Solution (?): State Merging then else if (argv[i][0] == 'n') { r = 0; ++i; } • Use disjunctions to represent state at join points • ite( x , y , z ) : if x then y else z • SE tree becomes a DAG • Whole program can be turned into one verification condition (BMC) 87

  6. Symbolic Execution vs. BMC • Complexity does not disappear • Work moved from the SE engine to the solver • SE: set of conjunctive queries, BMC: 1 query with nested disjunctions • Complete merging sacrifices advantages of SE • No dynamic mode • No continuous progress • No quick reaching of coverage goals • Try to get the best of both worlds

  7. Symbolic Execution Verification Condition Generation EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  8. Symbolic Execution Verification Condition Generation Boogie [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  9. Symbolic Execution Verification Condition Generation Compositional SE / Summaries Boogie [Godefroid , POPL’07] [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  10. Symbolic Execution Verification Condition Generation BMC slicing [Ganai&Gupta , DAC’08] Compositional SE / Summaries Boogie [Godefroid , POPL’07] [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  11. Symbolic Execution Verification Condition Generation State joining [Hansen et al., RV’09] BMC slicing [Ganai&Gupta , DAC’08] Compositional SE / Summaries Boogie [Godefroid , POPL’07] [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  12. Symbolic Execution Verification Condition Generation Dynamic State Merging State joining [Hansen et al., RV’09] BMC slicing [Ganai&Gupta , DAC’08] Compositional SE / Summaries Boogie [Godefroid , POPL’07] [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  13. Symbolic Execution Verification Condition Generation Dynamic State Merging Query Count Estimation [KKBC PLDI ’12] State joining [Hansen et al., RV’09] BMC slicing [Ganai&Gupta , DAC’08] Compositional SE / Summaries Boogie [Godefroid , POPL’07] [Barnett et al., FMCO’05] EXE (KLEE) F-Soft [Cadar et al., CCS’06] [Ivancic et al., CAV’05] DART (SAGE) CBMC [Godefroid , PLDI’05] [Clarke et al., TACAS’04] 1 formula / path 1 formula / CFG

  14. Merging Increases Solving Cost void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } } if (r) { putchar('\n'); } } 96

  15. Merging Increases Solving Cost void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } } if (r) { putchar('\n'); } } 97

  16. Merging Increases Solving Cost void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } Condition becomes symbolic, extra check required. } if (r) { putchar('\n'); } } 98

  17. Merging Increases Solving Cost void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } ✓ } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } Condition becomes symbolic, extra check required. } if (r) { putchar('\n'); } } 99

  18. Merging Increases Solving Cost void main( int argc, char **argv) { int r = 1, i = 1; if (i < argc) { if (argv[i][0] == 'n') { r = 0; ++i; } } for (; i < argc; ++i) { for ( int j = 0; argv[i][j] != 0; ++j) { putchar(argv[i][j]); } } if (r) { putchar('\n'); } } 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

1.43k views • 74 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19,

Efficient Concolic Testing of MPI Applications Hongbo Li Zizhong Chen Rajiv Gupta CC19, Washington DC, USA Feb. 17, 2019 Concolic Testing Symbolic Execution Concrete Execution It Is Popular Programming languages: Binary machine

769 views • 37 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath , Daniel Schemmel, Klaus Wehrle https://comsys.rwth-aachen.de EPIQ Workshop, Heraklion, Greece, 2018-12-04 QUANT ? Mozquic ? mvfst ? picoquic ?

1.45k views • 97 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten Corina S. Pasareanu yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 1 Problem Solution Example

403 views • 17 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab

Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab

Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab 11: Monitors Intro Concurrency Mutual Exclusion Condition Variables Reentrant Read / Write Locks CS 2112 Lab 11: Monitors November 18 / 20,

195 views • 16 slides
JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The

JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The

JUST THE MATHS SLIDES NUMBER 8.4 VECTORS 4 (Triple products) by A.J.Hobson 8.4.1 The triple scalar product 8.4.2 The triple vector product UNIT 8.4 - VECTORS 4 TRIPLE PRODUCTS 8.4.1 THE TRIPLE SCALAR PRODUCT DEFINITION 1 Given

375 views • 8 slides
Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi

Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi

Katalyst: Boosting Convex Katayusha for Non-Convex Problems with a Large Condition Number Zaiyi Chen, Yi Xu, Haoyuan Hu, Tianbao Yang zaiyi.czy@alibaba-inc.com 2019-06-10 Chen Z., et al. (CAINIAO.AI&amp;USTC&amp;UIowa) Katalyst 2019-06-10 1

559 views • 21 slides
IV and IV-GMM Christopher F Baum EC 823: Applied Econometrics Boston College, Spring 2014

IV and IV-GMM Christopher F Baum EC 823: Applied Econometrics Boston College, Spring 2014

IV and IV-GMM Christopher F Baum EC 823: Applied Econometrics Boston College, Spring 2014 Christopher F Baum (BC / DIW) IV and IV-GMM Boston College, Spring 2014 1 / 1 Instrumental variables estimators The IVGMM estimator To discuss the

1.2k views • 45 slides
Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna Motivation - Large number of memory

1.15k views • 35 slides
Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator

Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator

Statement 27 February 2019 OSU CSE 1 BL Compiler Structure Code Tokenizer Parser Generator string of string of abstract string of characters tokens program integers (source code) (words) (object code) A BL program consists

756 views • 50 slides
Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv

Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv

Some sufficient condition for the ergodicity of the L evy transform Vilmos Prokaj E otv os Lor and University, Hungary Probability, Control and Finance A Conference in Honor of Ioannis Karatzas 2012, New York L evy

748 views • 56 slides
The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu

The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu

The condition number of a randomly perturbed matrix STOC 07 Terence Tao (UCLA) Van Vu (Rutgers) 1 Well-conditioned matrices Suppose one wants to solve the matrix equation Mx = b , where M is an n n matrix and the vector b is given. In

170 views • 15 slides

More recommend