FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION - - PowerPoint PPT Presentation

▶

Dec 07, 2023 42 likes •418 views

ASE 2019 FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK PROGRAMS MEMORY REPRESENTATION char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else {

SLIDE 1

FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION

MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK

ASE 2019

SLIDE 2

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; }

PROGRAMS MEMORY REPRESENTATION SYMBOLIC EXECUTION

SLIDE 3

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; }

SLIDE 4

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } A I MALLOC(1024)

SLIDE 5

(DYNAMIC) SYMBOLIC EXECUTION

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } char * a = malloc(1024); int32 i = symbolic; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; }

SLIDE 6

STATE - A SIMPLIFIED VIEW

▸ Path Constraints ▸ Registers (i.e., program counter) ▸ Allocated Memory ▸ Stack-local ▸ Heap

Memory

SLIDE 7

THE MANY STATES …

SLIDE 8

THE MANY STATES …

SLIDE 9

SLIDE 10

GOAL

Scale symbolic execution
Avoid premature

termination of states

Sort/Reason about states

SLIDE 11

STATE OF THE ART

Copy on Write (CoW)

MALLOC(1024)

SLIDE 12

MALLOC(1024)

1 2 3 4 5 6 7

0 0 0 0 0 0 0 0 0

store(2, 7)

1 2 3 4 5 6 7

0 0 7 0 0 0 0 0 0

SLIDE 13

HANDLING SYMBOLICS

store(2, 7)

1 2 3 4 5 6 7

0 0 7 0 0 0 0 0 0

store(sym, 7) load(5)

SLIDE 14

FINE-GRAINED MEMORY OBJECT REPRESENTATION

SLIDE 15

INSIGHT I: CHANGES ARE (OFTEN) SMALL; SHARE COMMON PARTS

SLIDE 16

INSIGHT II: CHANGES ARE (OFTEN) LOCAL AND OF SIMILAR TYPE

SLIDE 17

BASICS

EVERYTHING IS A LAYER

SLIDE 18

EXAMPLE SCENARIO

MALLOC(1024)

? ? ? ? ? A Z

S1 S2 S3

SLIDE 19

OPTIMISATIONS

SLIDE 20

OPTIMISATION

INDEX-BASED ACCESS

MALLOC(1024)

? ? ? ? ? A

load(2) -> A load(1) -> 0

Oldest Most recent

SLIDE 21

OPTIMISATION

IN-PLACE UPDATE

MALLOC(1024)

? ? ? ? ? A

write(2,B)

SLIDE 22

OPTIMISATION

CONDITIONAL UPDATE

MALLOC(1024)

? ? ? ? ?

write(1,0)

SLIDE 23

TEXT

LAYER INVALIDATION

MALLOC(1024)

A B D E

S1 S3

write(2,0)

A B D E

SLIDE 24

TEXT

HANDLING SYMBOLIC INDICES

7 2 5 3 2 A 5 2

(SYM1, 5); (SYM2; A)

Symbolic index layer

SLIDE 25

IMPLEMENTATION

SLIDE 26

OPTIMISATION

LAYER TYPES

MALLOC(1024)

? ? ? ? ? 5 4 3 2 1 A A

Allocated Space

~ 10 byte Initialised bytes sizeof() * 1bit Map: index -> value

SLIDE 27

EVALUATION

SLIDE 28

BENCHMARKS

GNU Coreutils Search Strategies Depth-First Breadth-First Random + Target Uncovered vs.

MEMORY

SLIDE 29

RQ1: CHANGES IN EXECUTION TIME

SLIDE 30

WALLTIME - DEPTH FIRST SEARCH

Walltime (min)

10 20 30 40

Application KLEE Memory

SLIDE 31

WALLTIME - BREADTH FIRST SEARCH

Walltime (min)

10 20 30 40

Application KLEE Memory

SLIDE 32

RQ2: CHANGES IN MEMORY CONSUMPTION

SLIDE 33

MEMORY USAGE - DEPTH FIRST SEARCH

Memory Usage (MB)

75 150 225 300

Application KLEE Memory

SLIDE 34

MEMORY USAGE - BREADTH FIRST SEARCH

Memory Usage (MB)

1250 2500 3750 5000

Application KLEE Memory

SLIDE 35

THIS RESEARCH HAS BEEN SUPPORTED BY: UK EPSRC VIA GRANT EP/ N007166/1, EP/R011605/1

SUMMARY

SLIDE 36

SLIDE 37

TEXT

OBJECT STATE HASHING

A 0 , 0 , 0 , 0

HS := I1 ⊕ V1 ⊕ … ⊕ In ⊕ Vn HSprev HS := HSprev ⊕ 0 ⊕ A

0 , 0 , , 0 A , A , A , A

HS2 := …

DIFFERENT STRUCTURE - SAME SEMANTIC (HS2 == HS)