heap cloning enabling
play

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs - PDF document

Aug 01, 2023 •328 likes •558 views

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

  1. 11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30 Systems 25 Verification 20 15 Security 10 Programming Languages 5 Software 0 Engineering 2005 2006 2007 2008 2009 2010 2011 Estimated number of publications related to symbolic execution. The list of papers available at: http://sites.google.com/site/symexbib 1

  2. 11/27/2011 Symbolic Execution 35 Databases 30 Systems 25 Goal of this work is to enable correct Verification 20 symbolic execution of real-world Java 15 Security programs with minimal manual effort. 10 Programming Languages 5 Software 0 Engineering 2005 2006 2007 2008 2009 2010 2011 Estimated number of publications related to symbolic execution. The list of papers available at: http://sites.google.com/site/symexbib Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion 2

  3. 11/27/2011 Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion Symbolic Execution of Real-World Programs P’ not symbolically executed because: To be P’ 1. P’ uses difficult -to- symbolically executed handle Java features Not to be such as native methods. symbolically 2. symbolic execution of P’ P executed is mostly unnecessary. Program 3

  4. 11/27/2011 Symbolic Execution with User-specified Models Replace P’ with user-specified To be models P M P M symbolically executed Impractical! Requires significant P manual effort. Program Dynamic Symbolic Execution Symbolic execution P: to be symbolically executed P’: not to be symbolically executed Concrete execution Call/return P’ No manual effort to write models P Program 4

  5. 11/27/2011 Example class A { void negate() { int f; this.f = -this.f; A(int x) { } this.f = x; Java version of } native method negate native void negate(); } Example class A { int f; Task: A(int x) { Perform dynamic symbolic this.f = x; execution along the path (1-2- } 3-4-5-7) that program takes for concrete input -10. native void negate(); Requirement: void main() { Native method negate() not 1 x = read(); 2 m = new A(x); to be symbolically executed 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); 7 exit(); } } 5

  6. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide -10, X 0 x PC: true state before: m = new A(x) Dynamic Symbolic Execution 1 x = read(); Path Constraint (PC) of a 2 m = new A(x); 3 if(m.f < 0) path is a constraint of input 4 m.negate(); values. 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide If PC is unsatisfiable, the path is infeasible. -10, X 0 If PC is satisfiable, any x solution of PC is a program PC: true input that takes the corresponding program path. state before: m = new A(x) 6

  7. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide f -10, X 0 A -10, X 0 x m x PC: true PC: true state before: m = new A(x) state before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) 6 error(); Continued on 7 exit(); next slide f f -10, X 0 -10, X 0 A -10, X 0 A x m x m x PC: true PC: X 0 < 0 PC: true state before: m = new A(x) state before: if(m.f < 0) state before: m.negate() Differences between two successive states are shown in Red . 7

  8. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f -10, X 0 A m x PC: X 0 < 0 state before: m.negate() Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f f -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 8

  9. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); Concrete value of the field 2 m = new A(x); changed from -10 to 10. But, 3 if(m.f < 0) 4 m.negate(); symbolic value X 0 did not 5 if(m.f < 0) change. Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method f f -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) UNSAT Solve PC: X 0 < 0 & X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide Without model of negate native method -10, X 0 10, X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 9

  10. 11/27/2011 Dynamic Symbolic Execution 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) UNSAT Solve PC: X 0 < 0 & X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); Meaning: there is no slide Without model of negate native method input that takes the path 1-2-3-4-5-7 -10, X 0 10, X 0 -10, X 0 A A Incorrect! m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution with Models 1 x = read(); void negate() { 2 m = new A(x); this.f = -this.f; 3 if(m.f < 0) } 4 m.negate(); User-specified 5 if(m.f < 0) model of negate Continued 6 error(); from prev. 7 exit(); slide -10, X 0 A m x PC: X 0 < 0 state before: m.negate() Differences between two successive states are shown in Red . 10

  11. 11/27/2011 Dynamic Symbolic Execution with Models 1 x = read(); void negate() { 2 m = new A(x); this.f = -this.f; 3 if(m.f < 0) } 4 m.negate(); User-specified 5 if(m.f < 0) model of negate Continued 6 error(); from prev. 7 exit(); slide With model of negate native method -10, X 0 10, -X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . Dynamic Symbolic Execution with Models 1 x = read(); 2 m = new A(x); 3 if(m.f < 0) X 0 = -1 Solve PC: X 0 < 0 & -X 0 >= 0 4 m.negate(); 5 if(m.f < 0) Continued 6 error(); from prev. 7 exit(); slide With model of negate native method -10, X 0 10, -X 0 -10, X 0 A A m x m x PC: X 0 < 0 PC: X 0 < 0 state before: m.negate() states before: if(m.f < 0) Differences between two successive states are shown in Red . 11

  12. 11/27/2011 But, Models Not Always Needed for Soundness! void negate() { this.f = -this.f; } Modified example Original example 1 x = read(); 1 x = read(); 2 m = new A(x); 2 m = new A(x); 3 if(m.f < 0) 3 if(m.f < 0) 4 m.negate(); 4 m.negate(); 5 if(m.f < 0) 5 if(x < 0) 6 error(); 6 error(); 7 exit(); 7 exit(); But, Models Not Always Needed for Soundness! void negate() { Stmt at line 5 uses the Stmt at line 5 does not Stmt at line 5 uses the Stmt at line 5 does not this.f = -this.f; value defined inside use the value defined value defined inside use the value defined } negate method. inside negate method. inside negate method. negate method . Modified example Original example Thus, negate Thus, negate does not introduces imprecision. introduce imprecision. 1 x = read(); 1 x = read(); Thus, model for negate 2 m = new A(x); 2 m = new A(x); Thus, no need for model for negate . is needed. 3 if(m.f < 0) 3 if(m.f < 0) 4 m.negate(); 4 m.negate(); 5 if(m.f < 0) 5 if(x < 0) 6 error(); 6 error(); 7 exit(); 7 exit(); 12

  13. 11/27/2011 Goal and Approach Goal: Identify where imprecision is introduced and report to user. User then provides models for only a subset methods in P’ to eliminate imprecision. Approach : 1. Transform the program using Heap Cloning. 2. Perform dynamic symbolic execution of the transformed program without any models 3. Detect and report where imprecision might be introduced. Outline • Problem • Heap Cloning • Empirical evaluation • Conclusion 13

  14. 11/27/2011 Heap Cloning Heap Cloning Original Transformed Program P Program P T Transformation 1. Symbolic execution of P T generates same results as symbolic execution of P. 2. However, if imprecision is introduced during symbolic execution of P T , it can be detected and reported to user. Heap Cloning For every class A, Heap class HC.java.lang.Object { … Cloning generates HC.A. } For each field (method) class HC.A extends of A, HC.A has a HC.java.lang.Object { corresponding field (method). If class A extends class HC.A m = new HC.A(); B, HC.A extends HC.B Almost all references to } A are changed to HC.A 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning

Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning

Cloning Tools Photoshop Tutorials Introduction In a skilled and experienced hand, the cloning tools lead to phenomenal results. In the hands of a careless artist, Photoshop cloning can be disastrous to the credibility of the result. This

266 views • 25 slides
Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I

Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I

Simplified data-flow analysis with Datalog. by Franois Gauthier It all began with a qualifying exam Among the heap of papers I had to read, there was this one: Cloning-based context-sensitive pointer alias analysis using binary decision

578 views • 28 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Looking for

Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt; Looking for

Looking for someone to do presentation on cloning. Trust the best User Feed back Thank you so much for the essay. Moreover, we never resell our papers. Looking for someone to do presentation on cloning &gt;&gt;&gt;CLICK HERE&lt;&lt;&lt;

192 views • 3 slides
SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do

SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do

1 SHEEP CLONING Paley Li, Nicholas Cameron, and James Noble 2 Object cloning How do you do object cloning? 3 Shallow cloning Copies an object and alias the references in that object. 3 Shallow cloning Copies an object and alias

833 views • 79 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning -

ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning -

/ / ENZYMES IN CLONING PART I Dr.Sarookhani / / Cloning Cloning - - a definition a definition From the Greek From the Greek - - klon, a twig klon, a twig An

856 views • 61 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math &amp; CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick

Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick

Ligase-Independent Cloning Ligase-Independent Cloning for BioBrick Preparation for BioBrick Preparation Calvin Christian School Lethbridge, Alberta, Canada November 2008 Lethbridge CCS Team Lethbridge Edmonton Calgary Lethbridge, Alberta,

700 views • 36 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

906 views • 58 slides
CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from

CSC2621 Topics in Robotics Reinforcement Learning in Robotics Week 2: Behavioral Cloning from Observation Tingwu Wang, Dylan Turpin, Animesh Garg Agenda Background Problem Setting Behavior Cloning / Dagger Generative Adversarial

411 views • 12 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

664 views • 40 slides
Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko (firstname.lastname@aalto.fi) Department of Computer Science and Engineering, Aalto University &amp; Helsinki Institute for

522 views • 41 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June

Loop Analysis in KeY Tobias Gedell gedell@cs.chalmers.se 4th KeY Workshop - L okeberg June 9th, 2005 p. 1/29 Introduction There are currently two ways of handling loops in KeY: Symbolic execution - repeated unwinding of loops Can be

434 views • 29 slides

More recommend