symbolic execution applications
play

Symbolic Execution: Applications Symbolic execution is widely used - PowerPoint PPT Presentation

Jan 19, 2024 •321 likes •733 views

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

  1. Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: • Network servers • File systems • Device drivers • Unix utilities • Computer vision code • … 25

  2. Symbolic Execution: Tools • Stanford’s KLEE: – http://klee.llvm.org/ • NASA’s Java PathFinder: – http://javapathfinder.sourceforge.net/ • Microsoft Research’s SAFE • UC Berkeley’s CUTE • EPFL’s S2E – http://dslab.epfl.ch/proj/s2e 26

  3. Symbolic Execution At any point during program execution, symbolic execution keeps two formulas: symbolic store and a path constraint Therefore, at any point in time the symbolic state is described as the conjunction of these two formulas. 27

  4. Symbolic Store • The values of variables at any moment in time are given by a function  s  SymStore = Var  Sym – Var is the set of variables as before – Sym is a set of symbolic values –  s is called a symbolic store • Example:  s : x  x0, y  y0 28

  5. Semantics • Arithmetic expression evaluation simply manipulates the symbolic values. • Let  s : x  x0, y  y0 • Then, z = x + y will produce the symbolic store: x  x0, y  y0, z  x0+y0 That is, we literally keep the symbolic expression x0+y0 29

  6. Path Constraint • The analysis keeps a path constraint (pct) which records the history of all branches taken so far. The path constraint is simply a formula. • The formula is typically in a decidable logical fragment without quantifiers • At the start of the analysis, the path constraint is true • Evaluation of conditionals affects the path constraint , but not the symbolic store. 30

  7. Path Constraint: Example Let  s : x  x0, y  y0 Let pct = x0 > 10 Lets evaluate: if (x > y + 1) {5: … } At label 5, we will get the symbolic store  s . It does not change. But we will get an updated path constraint: pct = x0 > 10  x0 > y0 + 1 31

  8. Symbolic Execution: Example int twice(int v) { return 2 * v; } void test(int x, int y) { z = twice(y); Can you find the inputs that make if (x == z) { the program reach the ERROR? if (x > y + 10) ERROR ; } Lets execute this example } with classic symbolic execution int main() { x = read(); y = read(); test(x,y); } 32

  9. Symbolic Execution: Example int twice(int v) { return 2 * v; } The read() functions read a value from void test(int x, int y) { the input and because we don’t know z = twice(y); what those read values are, we set the if (x == z) { values of x and y to fresh symbolic if (x > y + 10) values called x0 and y0 ERROR ; } pct is true because so far we have not } executed any conditionals int main() { x = read(); y = read();  s : x  x0, pct : true test(x,y); y  y0 } 33

  10. Symbolic Execution: Example int twice(int v) { return 2 * v; }  s : x  x0, pct : true y  y0 void test(int x, int y) { z  2*y0 z = twice(y); if (x == z) { if (x > y + 10) ERROR ; Here, we simply executed the function } twice() and added the new symbolic } value for z. int main() { x = read(); y = read(); test(x,y); } 34

  11. Symbolic Execution: Example We forked the analysis into 2 paths: the true int twice(int v) { and the false path. So we duplicate the state of return 2 * v; the analysis. } void test(int x, int y) { z = twice(y); This is the result if x = z: if (x == z) { if (x > y + 10)  s : x  x0, pct : x0 = 2*y0 ERROR ; y  y0 } z  2*y0 } int main() { This is the result if x != z: x = read();  s : x  x0, pct : x0  2*y0 y = read(); y  y0 test(x,y); z  2*y0 } 35

  12. Symbolic Execution: Example We can avoid further exploring a path if we int twice(int v) { know the constraint pct is unsatisfiable . In this return 2 * v; example, both pct’s are satisfiable so we need } to keep exploring both paths. void test(int x, int y) { z = twice(y); This is the result if x = z: if (x == z) { if (x > y + 10)  s : x  x0, pct : x0 = 2*y0 ERROR ; y  y0 } z  2*y0 } int main() { This is the result if x != z: x = read();  s : x  x0, pct : x0  2*y0 y = read(); y  y0 test(x,y); z  2*y0 } 36

  13. Symbolic Execution: Example Lets explore the path when x == z is true. int twice(int v) { Once again we get 2 more paths. return 2 * v; } This is the result if x > y + 10: void test(int x, int y) {  s : x  x0, pct : x0 = 2*y0 z = twice(y); y  y0  if (x == z) { z  2*y0 x0 > y0+10 if (x > y + 10) ERROR ; } } This is the result if x  y + 10: int main() {  s : x  x0, x = read(); pct : x0 = 2*y0 y  y0  y = read(); z  2*y0 x0  y0+10 test(x,y); } 37

  14. Symbolic Execution: Example So the following path reaches “ ERROR ”. int twice(int v) { return 2 * v; } This is the result if x > y + 10: void test(int x, int y) {  s : x  x0, pct : x0 = 2*y0 z = twice(y); y  y0  if (x == z) { z  2*y0 x0 > y0+10 if (x > y + 10) ERROR ; } } We can now ask the SMT solver for a satisfying assignment to the pct formula. int main() { x = read(); For instance, x0 = 40, y0 = 20 is a y = read(); satisfying assignment. That is, running the test(x,y); program with those concrete inputs triggers the } error. 38

  15. Handling Loops: a limitation int F(unsigned int k) { int sum = 0; int i = 0; for ( ; i < k ; i++) sum += i; return sum; } A serious limitation of symbolic execution is handling unbounded loops. Symbolic execution runs the program for a finite number of paths. But what if we do not know the bound on a loop ? The symbolic execution will keep running forever ! 39

  16. Handling Loops: bound loops int F(unsigned int k) { int sum = 0; int i = 0; for ( ; i < 2 ; i++) sum += i; return sum; } A common solution in practice is to provide some loop bound. In this example, we can bound k, to say 2. This is an example of an under- approximation. Practical symbolic analyzers usually under-approximate as most programs have unknown loop bounds. 40

  17. Handling Loops: loop invariants int F(unsigned int k) { loop invariant int sum = 0; int i = 0; for ( ; i < k; i++) sum += i; return sum; } Another solution is to provide a loop invariant , but this technique is rarely used for large programs because it is difficult to provide such invariants manually and it can also lead to over-approximation. This is where a combination with static program analysis is useful (static analysis can infer loop invariants). We will not study this approach in our treatment, but we note that the approach is used in program verification. 41

  18. Constraint Solving: challenges Constraint solving is fundamental to symbolic execution as a constraint solver is continuously invoked during analysis. Often, the main roadblock to performance of symbolic execution engines is the time spent in constraint solving. Therefore, it is important that: 1. The SMT solver supports as many decidable logical fragments as possible. Some tools use more than one SMT solver. 2. The SMT solver can solve large formulas quickly. 3. The symbolic execution engines tries to reduce the burden in calling the SMT solver by exploring domain specific insights. 42

  19. Key Optimization: Caching The basic insight here is that often, the analysis will invoke the SMT solver with similar formulas. Therefore, the symbolic execution system can keep a map (cache) of formulas to a satisfying assignment for the formula. Then, when the engine builds a new formula and would like to find a satisfying assignment for that formula, it can first access the cache, before calling the SMT solver. 43

  20. Key Optimization: Caching Suppose the cache contains the mapping: Formula: Solution: (x + y < 10)  (x > 5)  {x = 6, y = 3} If we get a weaker formula as a query, say (x + y < 10) , then we can immediately reuse the solution already found in the cache, without calling the SMT solver. If we get a stronger formula as a query, say (x + y < 10)  (x > 5)  (y  0) , then we can quickly try the solution in the cache and see if it works, without calling the solver (in this example, it works). 44

  21. When Constraint Solving Fails Despite best efforts, the program may be using constraints in a fragment which the SMT solver does not handle well. For instance, suppose the SMT solver does not handle non-linear constraints well. Let us consider a modification of our running example. 45

  22. Modified Example Here, we changed the twice() int twice(int v) { return v * v; function to contain a non-linear } result. void test(int x, int y) { z = twice(y); Let us see what happens when we if (x == z) { symbolically execute the program if (x > y + 10) now… ERROR ; } } int main() { x = read(); y = read(); test(x,y); } 46

  23. Modified Example int twice(int v) { return v * v; This is the result if x = z: }  s : x  x0, pct : x0 = y0*y0 void test(int x, int y) { y  y0 z = twice(y); z  y0*y0 if (x == z) { if (x > y + 10) ERROR ; Now, if we are to invoke the SMT solver with the } pct formula, it would be unable to compute } satisfying assignments, precluding us from knowing whether the path is feasible or not. int main() { x = read(); y = read(); test(x,y); } 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still

Software has bugs To find them , we use testing and code reviews ! But some bugs are still missed Rare features Rare circumstances Nondeterminism Static analysis Can analyze all possible runs of a program An explosion

597 views • 25 slides
CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen |

CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen |

ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang Software verification &amp; analysis Checking Functional Model properties Checking Ex) Abstract assert(x &gt; 1);

638 views • 24 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee,

QSYM : A PRACTICAL CONCOLIC EXECUTION ENGINE TAILORED FOR HYBRID FUZZING Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang and Taesoo Kim, FINDING SECURITY BUGS Fuzzing Automated test to monitor exceptions (crashes &amp; memory leaks)

417 views • 17 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT

CODE PROTECTION: the promises and limits of symbolic deobfuscation Sbastien Bardin (CEA LIST) Sbastien Bardin GreHack 2017 | 1 ABOUT MY LAB @CEA [Paris-Saclay, France] Sbastien Bardin GreHack 2017 | 2 IN A NUTSHELL

664 views • 40 slides
Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi,

Using Unfoldings in Automated Testing of Multithreaded Programs Kari Khknen, Olli Saarikivi, Keijo Heljanko (firstname.lastname@aalto.fi) Department of Computer Science and Engineering, Aalto University &amp; Helsinki Institute for

522 views • 41 slides

More recommend