symbolic execution for evolving software
play

Symbolic Execution for Evolving Software Cristian Cadar Department - PowerPoint PPT Presentation

Nov 21, 2022 •22 likes •362 views

Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College London Joint work with Peter Collingbourne, Paul Kelly, Tomek Kuchta, Paul Marinescu, Hristina Palikareva CREST Open Workshop UCL, London, UK,

  1. Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College London Joint work with Peter Collingbourne, Paul Kelly, Tomek Kuchta, Paul Marinescu, Hristina Palikareva CREST Open Workshop UCL, London, UK, 30 January 2017

  2. Motivation Software evolves, with new versions and patches being released frequently Unfortunately, patches are notoriously unreliable E.g., many users refuse to upgrade their software… …relying instead on outdated versions flawed with vulnerabilities or missing useful features and bug fixes Many admins (70% of those interviewed) refuse to upgrade Crameri, O., Knezevic, N., Kostic, D., Bianchini, R., Zwaenepoel, W. Staged deployment in Mirage, an integrated software upgrade testing and distribution system. SOSP’07 2

  3. Automatically-Generated Patches • Research community has recently started to look at automatically-generated patches for – Program repair / bug fixing – Improving non-functional properties such as performance and energy consumption – Porting to other hardware/software environments 3

  4. Symbolic Execution for Evolving Software • Active area of research in the Software Reliability Group at Imperial • Three main directions so far: – Testing/verifying semantics-preserving changes, such as performance optimizations and porting to different platforms – Coverage-testing of arbitrary software patches – Behaviour-testing of arbitrary software patches • We have only looked at manual changes – Are automatically-generated testing any different? 4

  5. Symbolic Execution or Dynamic Symbolic Execution (DSE) Symbolic execution is a program analysis technique for automatically exploring paths through a program Reasons about the feasibility of individual paths using a constraint solver Can generate test inputs for each path explored 6

  6. Symbolic Execution for Evolving Software Evolving software offer the potential to: • Prune a large part of the search space • Perform incremental reasoning/analysis • Use previous version as an oracle 10

  7. SymEx for Evolving Software Testing ng and Verifying ng Optimizations ns 12

  8. Testing Semantics-Preserving Evolution via Crosschecking Lots of available opportunities as code is: Optimized frequently Refactored frequently Ported to new platforms Unoptimized version Symbolic execution Mismatches engine Optimized version We can find any mismatches in their behavior by: 1. Use symbolic execution to explore multiple paths in version 1 2. For each explored path, explore corresponding path(s) in version 2 3. Comparing the (symbolic) output b/w versions 13

  9. SIMD Optimizations Most processors offer support for SIMD instructions • Can operate on multiple data concurrently • Many algorithms can make use of them (e.g., computer vision algorithms) [EuroSys 2011]

  10. OpenCV Popular computer vision library from Intel and Willow Garage [Corner er detec ectio ion algor orit ithm] Computer vision algorithms were optimized to make use of SIMD 20

  11. OpenCV Results • Crosschecked 51 SIMD-optimized versions against their reference scalar implementations • Verified the correctness of 41 of them up to a certain image size ( bounded verification ) • Found mismatches in 10 • Most mismatches due to tricky FP-related issues: • Precision, rounding, associativity, distributivity, NaN values [EuroSys 2011]

  12. GPGPU Optimizations Scalar vs. GPGPU code [HVC 2011]

  13. SymEx for Evolving Software High-Co Cove verage Patch ch Testing ng with Katch ch

  14. KATCH: High-Coverage Symbolic Patch Testing --- klee/trunk/lib/Core/Executor.cpp 2009/08/01 22:31:44 77819 +++ klee/trunk/lib/Core/Executor.cpp 2009/08/02 23:09:31 77922 bug test 4 test 4 test 4 test 3 @@ -2422,8 +2424,11 @@ • 1 test 4 test 4 test 4 test 4 info << "none\n"; test 1 test 4 bug test 4 test 4 } else { test 4 bug test 4 test 4 test 4 test 4 const MemoryObject *mo = lower->first; test 4 test 4 test 4 + std::string alloc_info; + mo->getAllocInfo(alloc_info); info << "object at " << mo->address - << " of size " << mo->size << "\n"; + << " of size " << mo->size << "\n" + << "\t\t" << alloc_info << "\ n“; commit KA TCH [SPIN 2012, ESEC/FSE 2013]

  15. Symbolic Patch Testing Seed input Program bug test 4 test 4 test 4 test 3 • 1 test 4 test 4 test 4 test 4 test 1 test 4 bug test 4 test 4 test 4 bug test 4 test 4 test 4 test 4 test 4 test 4 test 4 Patch KA TCH + if (errno == ECHILD) + { log_error_write(srv, __FILE__, __LINE__, "s", ”..."); + cgi_pid_del(srv, p, p- >cgi_pid.ptr[ndx]); 1. Select the regression input closest to the patch (or partially covering it)

  16. Symbolic Patch Testing Seed input Program bug test 4 test 4 test 4 test 3 • 1 test 4 test 4 test 4 test 4 test 1 test 4 bug test 4 test 4 test 4 bug test 4 test 4 test 4 test 4 test 4 test 4 test 4 Patch KA TCH 2. Greedily drive exploration toward uncovered basic blocks in the patch

  17. Symbolic Patch Testing Seed input Program bug test 4 test 4 test 4 test 3 • 1 test 4 test 4 test 4 test 4 test 1 test 4 bug test 4 test 4 test 4 bug test 4 test 4 test 4 test 4 test 4 test 4 test 4 Patch KA TCH 3. If stuck, identify the constraints/bytes that disallow execution to reach the patch, and backtrack

  18. Symbolic Patch Testing Seed input Program bug test 4 test 4 test 4 test 3 • 1 test 4 test 4 test 4 test 4 test 1 test 4 bug test 4 test 4 test 4 bug test 4 test 4 test 4 test 4 test 4 test 4 test 4 Patch KA TCH Combines symbolic execution with various program analyses such as weakest preconditions for input selection, and definition switching for backtracking [ESEC/FSE 2013]

  19. Extended Evaluation Key evaluation criteria: no cherry picking! • choose all patches for an application over a contiguous time period App. Suite ELOC Patches #BBs FindUtils (FU) ~12k 125 written over 344 ~26 months find, locate, xargs DiffUtils (DU) ~55k 175 written over 166 + 280k in libs ~30 months cmp, (s)diff, diff3 BinUtils (BU) 82k 181 written over 852 + 800k in libs ~16 months ar, elfedit, nm, etc. [ESEC/FSE 2013]

  20. Patch Coverage (basic block level) FU: TEST Uncovered 0% 63% 100% DU: TEST Uncovered 35% 100% 0% BU: TEST Uncovered 18% 100% 0% Standard symbolic execution (30min/BB) only added +1.2% to FU

  21. Patch Coverage (basic block level) FU: 10min/BB TEST + KATCH Un 0% 63% 87% 100% 10min/BB DU: TEST + KA TCH Uncovered 35% 73% 100% 0% BU: 15min/BB TEST +K Uncovered 18% 33% 100% 0% Standard symbolic execution (30min/BB) only added +1.2% to FU

  22. Binutils Bugs BU: 15min/BB TEST +K Uncovered 0% 18% 33% 100% • Found 14 distinct crash bugs • 12 bugs still present in latest version of BU • Reported and fixed by developers • 10 bugs found in the patch code itself or in code affected by patch code 41

  23. SymEx for Evolving Software Behavi vioural Patch ch Testing ng via Shadow Symbo bolic c Execu cution

  24. Is Basic Block Coverage Enough? • If I change a statement, what tests should I add? Old New if (x % 2 == 0) if (x % 3 == 0) . . . . . . x = 9 x = 6 x = 7 x = 8 44

  25. Is High Coverage Enough? • If I change a statement, what tests should I add? Old New if (x % 2 == 0) if (x % 3 == 0) . . . . . . x = 9 x = 6 x = 7 x = 8 Full branch coverage in the new version 45

  26. Is High Coverage Enough? • If I change a statement, what tests should I add? Old New if (x % 2 == 0) if (x % 3 == 0) . . . . . . x = 9 x = 6 x = 7 x = 8 However, totally useless for testing the patch! 46

  27. Is High Coverage Enough? • If I change a statement, what tests should I add? Old New if (x % 2 == 0) if (x % 3 == 0) . . . . . . x = 9 x = 6 x = 7 x = 8 old  then old  else new  else new  then

  28. Shadow Symbolic Execution Automatically generate inputs that trigger different behaviors in the two versions The novelty of shadow symbolic execution is to run the two versions together (in the same symbolic execution instance), with the old version shadowing the new • Can prune large parts of the search space, for which the two versions behave identically • Provides the ability to reason about specific values leading to simpler path constraints • Is memory-efficient by sharing large parts of the symbolic constraints • Does not execute unchanged computations twice 48

  29. Behavioural Testing: Algorithm Seed input Program 1) Start with seed inputs covering patch  Or use KATCH if one is not available Patch 52

  30. Behavioural Testing: Algorithm Seed input Program 1) Start with seed inputs covering patch  Or use KATCH if one is not available 2) Whenever a possible divergence found on those paths, generate a test case Patch 53

  31. Behavioural Testing: Methodology Seed input Program 1) Start with seed inputs covering patch  Or use KATCH if one is not available 2) Whenever a possible divergence found on those paths, generate a test input Patch 3) Start bounded symbolic execution at each divergence point, to generate BSE more divergent test inputs BSE 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

1.43k views • 74 slides
Leveraging Program Invariants to Promote Population Diversity in Search-Based Automatic Program

Leveraging Program Invariants to Promote Population Diversity in Search-Based Automatic Program

Leveraging Program Invariants to Promote Population Diversity in Search-Based Automatic Program Repair Zhen Yu Ding , Yiwei Lyu , Christopher S. Timperley , Claire Le Goues University of Pittsburgh, Carnegie Mellon

991 views • 64 slides
PROGRAMMING SLIDES BY CLAIRE LE GOUES (MOSTLY) BUT ALSO SOME BY MAHSA VARSHOSAZ &amp; ANDRZEJ

PROGRAMMING SLIDES BY CLAIRE LE GOUES (MOSTLY) BUT ALSO SOME BY MAHSA VARSHOSAZ &amp; ANDRZEJ

AUTOMATIC PROGRAM REPAIR USING GENETIC PROGRAMMING SLIDES BY CLAIRE LE GOUES (MOSTLY) BUT ALSO SOME BY MAHSA VARSHOSAZ &amp; ANDRZEJ WASOWSKI Westley Weimer, ThanhVu Nguyen, Claire Le Goues, and Stephanie Forrest. 2009. Automatically finding

920 views • 79 slides
An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng

Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng

Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng , Lu Zhang, Gang Huang Peking University Test-based Program Repair Passing test Passing test Program Program Passing test Patch Passing

465 views • 27 slides
Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya

Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya

Do Automated Program Repair Techniques Repair Hard and Important Bugs? Manish Motwani Sandhya Sankarnarayanan Ren e Just Yuriy Brun University of Massachusetts Amherst Automatic Program Repair: An Active Research Area patched program

525 views • 37 slides
KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu

KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu

KATCH: High-Coverage Tes2ng of So6ware Patches Paul Marinescu and Cris2an Cadar Imperial College London Intro Manual tes2ng is hard Supplement it

357 views • 23 slides
Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009

Fighting regressions with git bisect Christian Couder chriscool@tuxfamily.org October 29,2009 About Git A Distributed Version Control system (DVCS): created by Linus Torvalds maintained by Junio Hamano Basics: commits are states of the

1.11k views • 75 slides
Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI

Automated Concurrency-Bug Fixing Guoliang Jin, Wei Zhang, Dongdong Deng, Den Libit, Shan Lu (OSDI 2012) Presented by: Kevin Burns October 2, 2013 Outline Paper Presentation Background/Motivation CFix Overview Bug Understanding Fix Strategy

347 views • 24 slides

More recommend