symbolic evaluation execution today s reading material l
play

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke - PowerPoint PPT Presentation

Aug 30, 2022 •468 likes •1.07k views

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

  1. Symbolic Evaluation/Execution

  2. Today’s Reading Material • L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35.

  3. Symbolic Evaluation/Execution • Creates a functional representation of a path of an executable component • For a path Pi • D[Pi] is the domain for path Pi • C[Pi] is the computation for path Pi

  4. Functional Representation of an Executable Component P : X → Y P P is composed of partial functions corresponding to the executable paths P = {P 1 ,...,P r } P i : X i → Y

  5. Functional Representation of an Executable Component X i is the domain of path P i Denoted D[ P i ] P i P j X i X j P k X k X l P l X = D[P 1 ] ∪ ... ∪ D[P r ] = D[P] D[P i ] ∩ D[P j ] = Ø, i ≠ j

  6. Representing Computation • Symbolic names represent the input values • the path value PV of a variable for a path describes the value of that variable in terms of those symbolic names • the computation of the path C[P] is described by the path values of the outputs for the path

  7. Representing Conditionals • an interpreted branch condition or interpreted predicate is represented as an inequality or equality condition • the path condition PC describes the domain of the path and is the conjunction of the interpreted branch conditions • the domain of the path D[P] is the set of imput values that satisfy the PC for the path

  8. Example program procedure Contrived is Stmt PV PC X, Y, Z : integer; 1 read X, Y; 1 X ← x true 2 if X ≥ 3 then 3 Z := X+Y; Y ← y else 4 Z := 0; 2,3 Z ← x+y true ∧ x ≥ 3 = x ≥ 3 endif; 5 if Y > 0 then 6 Y := Y + 5; 5,6 Y ← y+5 x ≥ 3 ∧ y>0 endif; 7 if X - Y < 0 then 8 write Z; x ≥ 3 ∧ y>0 ∧ x-(y+5) ≥ 0 7,9 else = x ≥ 3 ∧ y>0 ∧ (x-y) ≥ 5 9 write Y; endif; end Contrived;

  9. Presenting the results Statements PV PC procedure Contrived is X ← x 1 true X, Y, Z : integer; Y ← y 1 read X, Y; 2 if X ≥ 3 then 3 Z := X+Y; else 2,3 Z ← x+y true ∧ x ≥ 3 = x ≥ 3 4 Z := 0; endif; 5 if Y > 0 then 6 Y := Y + 5; endif; 5,6 Y ← y+5 x ≥ 3 ∧ y>0 7 if X - Y < 0 then 8 write Z; else 9 write Y; x ≥ 3 ∧ y>0 ∧ x-(y+5) ≥ 0 = 7,9 endif x ≥ 3 ∧ y>0 ∧ (x-y) ≥ 5 end Contrived P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) | x ≥ 3 ∧ y>0 ∧ x-y ≥ 5} C[P] = PV.Y = y +5

  10. Results (feasible path) (x-y) ≥ 5 x ≥ 3 y y>0 x P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y)|x ≥ 3 ∧ y>0 ∧ x-y ≥ 5} C[P] = PV.Y = y +5

  11. Evaluating another path procedure Contrived is Stmts PV PC X, Y, Z : integer; 1 read X, Y; X ← x 1 true 2 if X ≥ 3 then 3 Z := X+Y; Y ← y else 4 Z := 0; 2,3 Z ← x+y true ∧ x ≥ 3 = x ≥ 3 endif; 5 if Y > 0 then 6 Y := Y + 5; 5,7 x ≥ 3 ∧ y ≤ 0 endif; 7 if X - Y < 0 then 8 write Z; x ≥ 3 ∧ y ≤ 0 ∧ x-y < 0 7,8 else 9 write Y; endif; end Contrived;

  12. Stmts PV PC procedure EXAMPLE is X, Y, Z : integer; 1 read X, Y; X ← x 1 true 2 if X ≥ 3 then Y ← y 3 Z := X+Y; else 4 Z := 0; 2,3 Z ← x+y true ∧ x ≥ 3 = x ≥ 3 endif ; 5 if Y > 0 then 6 Y := Y + 5; endif ; 7 if X - Y < 0 then x ≥ 3 ∧ y ≤ 0 5,7 8 write Z; else 9 write Y; endif end EXAMPLE x ≥ 3 ∧ y ≤ 0 ∧ x-y < 0 7,8 P = 1, 2, 3, 5, 7, 8 D[P] = { (x,y) | x ≥ 3 ∧ y ≤ 0 ∧ x-y<0} infeasible path!

  13. Results (infeasible path) (x-y) < 0 x ≥ 3 y x y ≤ 0

  14. what about loops? • Symbolic evaluation requires a full path description • Example Paths 1 • P= 1, 2, 3, 5 • P= 1, 2, 3, 4, 2, 3, 5 2 • P= 1, 2, 3, 4, 2, 3, 4, 2, 3, 5 4 • Etc. 3 5

  15. Symbolic Testing • Path Computation provides [concise] functional representation of behavior for entire Path Domain • Examination of Path Domain and Computation often useful for detecting program errors • Particularly beneficial for scientific applications or applications w/o oracles •

  16. Simple Symbolic Evaluation • Provides symbolic representations given path Pi • path condition PC = • path domain D[Pi] ={(x1, x1, ... ,x1)|pc true } • path values PV.X1= • path computation C[Pi] = P = 1, 2, 3, 5, 6, 7, 9 D[P] = { (x,y) | x ≥ 3 ∧ y>0 ∧ x-y ≥ 5} C[P] = PV.Y = y +5

  17. Additional Features: • Simplification • Path Condition Consistency • Fault Detection • Path Selection • Test Data Generation

  18. Simplification • Reduces path condition to a canonical form • Simplifier often determines consistency PC = ( x >= 5 ) and ( x < 0 ) • May want to display path computation in simplified and unsimplified form PV.X = x + (x +1) + (x + 2) + (x + 3) = 4 * x + 6

  19. Path Condition Consistency • strategy = solve a system of constraints • theorem prover • consistency • algebraic, e.g., linear programming • consistency and find solutions • solution is an example of automatically generated test data ... but, in general we cannot solve an arbitrary system of constraints!

  20. Fault Detection • Implicit fault conditions • E.g. Subscript value out of bounds • E.g. Division by zero e.g., Q:=N/D • Create assertion to represent the fault and conjoin with the pc • Division by zero assert(divisor ≠ 0) • Determine consistency PC P and (PV.divisor = 0) • if consistent then error possible • Must check the assertion at the point in the path where the construct occurs

  21. Checking user-defined assertions • example • Assert (A > B) • PC and (PV.A) ≤ PV.B) • if consistent then assertion not valid

  22. Comparing Fault Detection Approaches • assertions can be inserted as executable instructions and checked during execution • dependent on test data selected ( dynamic testing ) • use symbolic evaluation to evaluate consistency • dependent on path, but not on the test data • looks for violating data in the path domain

  23. Additional Features: • Simplification • Path Condition Consistency • Fault Detection • Path Selection • Test Data Generation

  24. Path Selection • User selected • Automated selection to satisfy some criteria • e.g., exercise all statements at least once • Because of infeasible paths, best if path selection done incrementally

  25. Incremental Path Selection • PC and PV maintained for partial path • Inconsistent partial path can often be salvaged PC • • • ↓ F T X>0 pc’ = pc and (x ≤ 0) F T X>3 pc’’’= pc’ and (x>3) = pc and (x ≤ 0) and (x>3) INCONSISTENT! pc” = pc’ and (x ≤ 3) = pc and (x ≤ 0) and (x ≤ 3) infeasible path CONSISTENT [if pc’ is consistent]

  26. Path Selection (continued) Can be used in conjunction with other static analysis techniques to determine path feasibility • Testing criteria generates a path that needs to be tested • Symbolic evaluation determines if the path is feasible • Can eliminate some paths from consideration

  27. Additional Features: • Simplification • Path Condition Consistency • Fault Detection • Path Selection • Test Data Generation

  28. Test Data Generation • Simple test date selection: Select test data that satisfies the path condition pc • Error based test date selection • Try to select test cases that will help reveal faults • Use information about the path domain and path values to select test data • e.g., PV.X = a * (b + 2); a = 1 combined with min and max values of b b = -1 combined with min and max values for a

  29. Enhanced Symbolic Evaluation Capabilities • Creates symbolic representations of the Path Domains and Computations • “Symbolic Testing” • Determine if paths are feasible • Automatic fault detection • system defined • user assertions • Automatic path selection • Automatic Test Data Generation

  30. An Enhanced Symbolic Evaluation System User input component Path Selection Symbolic Execution fault path path conditions condition values Simplifier Detect inconsistency simplified Detect inconsistency Inequality path values Solver fault path test path report computation data domain

  31. Problems • Information explosion • Impracticality of all paths • Path condition consistency • Aliasing • elements of a compound type e.g., arrays and records • pointers

  32. Alias Problem A(2) := 5 read I, A(I) Indeterminate subscript X := A(2) I > 2 constraints on subscript value due Z:=A(I) Y:=A(I) to path condition

  33. Escalating problem • Read I • X := A[I] PV.X = unknown • Y := X + Z PV.Y = unknown + PV.Z = unknown

  34. Can often determine array element I:= 0 I ≤ 3 . subscript value Y:=A(I) . is constant . I:= I+1

  35. Symbolic Evaluation Approaches • symbolic evaluation • With some enhancements • Data independent • Path dependent • dynamic symbolic evaluation • Data dependent--> path dependent • global symbolic evaluation • Data independent • Path independent

  36. Dynamic Symbolic Execution = • Data dependent • Provided information • Actual value: * (25.5) X X := 25.5 • Symbolic expression: X := Y * (A + 1.9); (5.1) + Y • Derived expression: 1.9 A (3.1)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle &amp; Richard Bubel Chalmers

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle &amp; Richard Bubel Chalmers

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION Reiner Hhnle &amp; Richard Bubel Chalmers University Symposium09 Speyer CONTROL CIRCUIT y = 80; threshold = 100; if (y &gt; threshold) { decrease = true; } else { decrease = false;

598 views • 23 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
CSE507 Computer-Aided Reasoning for Software Symbolic Execution

CSE507 Computer-Aided Reasoning for Software Symbolic Execution

CSE507 Computer-Aided Reasoning for Software Symbolic Execution courses.cs.washington.edu/courses/cse507/14au/ Emina Torlak emina@cs.washington.edu Today 2 Today Last lecture Bounded verification: forward VCG for finitized programs 2

851 views • 45 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1

Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1

Occam : Automated Software Winnowing Gregory Malecha 1 Ashish Gehani 2 Natarajan Shankar 2 1 Harvard 2 SRI Malecha, Gehani, Shankar Occam : Automated Software Winnowing 1 / 18 A story of success... Software engineering has been so successful

1.25k views • 27 slides
tr t Prt

tr t Prt

tr t Prt t ss r P

873 views • 62 slides
Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer

Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer

vg-gppe.txt Sun Jan 3 20:59:22 1999 1 Generic Programming, Partial Evaluation, and a New Programming Paradigm Dr. Christopher Landauer Aerospace Integration Science Center The Aerospace Corporation cal@aero.org Dr. Kirstie L.

515 views • 22 slides
Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer,

Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer,

Normalization Martin-Lf type theory Normalization algorithm Decidability of equality Normalization by Evaluation for Martin-Lf Type Theory with One Universe Peter Dybjer, Gteborg (with Andreas Abel, Munich, and Klaus Aehlig, Swansea)

616 views • 28 slides
Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer

Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer

Towards a Formal Semantics for FHM: Part 2 Joey Capper and Henrik Nilsson School of Computer Science, University of Nottingham FPLab Away Day, Buxton, 8th of July 2011 Joey Capper and Henrik Nilsson (UoN) Verified FHM Semantics FPLab Away Day

544 views • 30 slides
Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken Stanford University PLDI 2016 This Talk Example: mathematical specification Goal: Bound the difference between spec and implementation

1.22k views • 111 slides
Fold-Based Fusion as a Library A Generative Programming Pearl Manohar Jonnalagedda, Sandro

Fold-Based Fusion as a Library A Generative Programming Pearl Manohar Jonnalagedda, Sandro

Fold-Based Fusion as a Library A Generative Programming Pearl Manohar Jonnalagedda, Sandro Stucki, EPFL Scala 15, Portland, June 13 2015 An Example val people2Movies: List[( String , List[ String ])] = List( (Sbastien, List(Hunger

631 views • 50 slides
December 5, 2019 Zach Tatlock OctoML Lets Get in the Wayback Machine 2018 Lets Get in

December 5, 2019 Zach Tatlock OctoML Lets Get in the Wayback Machine 2018 Lets Get in

2nd TVM and Deep Learning Compilation Conference December 5, 2019 Zach Tatlock OctoML Lets Get in the Wayback Machine 2018 Lets Get in the Wayback Machine 2018 Challenges for Deep Learning IRs State-of-the-art models increasingly

483 views • 17 slides

More recommend