FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION - PowerPoint PPT Presentation

ASE 2019 FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK

PROGRAMS MEMORY REPRESENTATION char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } SYMBOLIC EXECUTION

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; }

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } A I MALLOC(1024)

(DYNAMIC) SYMBOLIC EXECUTION char * a = malloc(1024); char * a = malloc(1024); int32 i = 10; int32 i = symbolic ; a[i]++; a[i]++; if (i != 12345) if (i != 12345) { { a[i-2] = a[i] * 2; a[i-2] = a[i] * 2; } else { } else { a[i+2] = a[i] - 2; a[i+2] = a[i] - 2; } }

STATE - A SIMPLIFIED VIEW ▸ Path Constraints ▸ Registers (i.e., program counter) ▸ Allocated Memory ▸ Stack-local Memory ▸ Heap

THE MANY STATES …

THE MANY STATES …

GOAL •Scale symbolic execution •Avoid premature termination of states •Sort/Reason about states

STATE OF THE ART Copy on Write (CoW) MALLOC(1024)

MALLOC(1024) 0 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 0 0 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 store(2, 7)

HANDLING SYMBOLICS 0 1 2 3 4 5 6 7 0 0 7 0 0 0 0 0 0 store(2, 7) store(sym, 7) load(5)

FINE-GRAINED MEMORY OBJECT REPRESENTATION

INSIGHT I: CHANGES ARE (OFTEN) SMALL; SHARE COMMON PARTS

INSIGHT II: CHANGES ARE (OFTEN) LOCAL AND OF SIMILAR TYPE

EVERYTHING IS A LAYER BASICS

EXAMPLE SCENARIO MALLOC(1024) ? ? ? ? ? S1 S2 0 0 0 0 0 S3 A Z

OPTIMISATIONS

OPTIMISATION MALLOC(1024) INDEX-BASED ACCESS Oldest ? ? ? ? ? 0 0 0 0 0 A Most recent load(2) -> A load(1) -> 0

OPTIMISATION MALLOC(1024) IN-PLACE UPDATE ? ? ? ? ? 0 0 0 0 0 A B write(2,B)

OPTIMISATION MALLOC(1024) CONDITIONAL UPDATE ? ? ? ? ? 0 0 0 0 0 write(1,0)

TEXT MALLOC(1024) LAYER INVALIDATION 0 0 0 0 0 S3 A A B B 0 D D E E S1 write(2,0)

TEXT HANDLING SYMBOLIC INDICES 3 2 A 5 2 (SYM1, 5); (SYM2; A) Symbolic index layer 7 2 5

IMPLEMENTATION

OPTIMISATION LAYER TYPES Allocated Space MALLOC(1024) ~ 10 byte ? ? ? ? ? Initialised bytes 5 4 3 2 1 sizeof() * 1bit A A Map: index -> value

EVALUATION

BENCHMARKS vs. MEMORY GNU Coreutils Search Breadth-First Depth-First Strategies Random + Target Uncovered

RQ1: CHANGES IN EXECUTION TIME

WALLTIME - DEPTH FIRST SEARCH KLEE Memory 40 30 Walltime (min) 20 10 0 Application

WALLTIME - BREADTH FIRST SEARCH KLEE Memory 40 30 Walltime (min) 20 10 0 Application

RQ2: CHANGES IN MEMORY CONSUMPTION

MEMORY USAGE - DEPTH FIRST SEARCH KLEE Memory 300 Memory Usage (MB) 225 150 75 0 Application

MEMORY USAGE - BREADTH FIRST SEARCH KLEE Memory 5000 Memory Usage (MB) 3750 2500 1250 0 Application

SUMMARY THIS RESEARCH HAS BEEN SUPPORTED BY: UK EPSRC VIA GRANT EP/ N007166/1, EP/R011605/1

TEXT OBJECT STATE HASHING HS := I 1 ⊕ V 1 ⊕ … ⊕ I n ⊕ V n HS prev 0 , 0 , 0 , 0 HS := HS prev ⊕ 0 ⊕ A A DIFFERENT STRUCTURE - SAME SEMANTIC (HS 2 == HS) A , A , A , A HS 2 := … 0 , 0 , , 0