Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic - PowerPoint PPT Presentation

Timotej Kapus Cristian Cadar Imperial College London 1

Symbolic Execution ● Program analysis technique ● Active research area ● Used in industry ○ IntelliTest, SAGE Angr ○ KLOVER 2

Why symbolic execution? ● No false-positives! ○ Every bug found has a concrete input triggering it ● Can interact with the environment ○ I/O, unmodeled libraries ● Only relevant code executed “symbolically”, the rest is fast “native” execution 3

Why (not) symbolic execution? ● Scalability, scalability, scalability ○ Constraint solving is hard ○ Path explosion 4

This talk Show a segmented memory model that tackles path explosion due to dereferences of symbolic pointers through the use of static pointer alias analysis 5

1D symbolic pointers int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; if (vector[i] > 8) printf("big element\n"); else printf("small element"); 6

1D Symbolic pointers i = symbolic int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; if (vector[i] > 8) printf("big element\n"); else printf("small element"); 7

1D Symbolic pointers i = symbolic int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; vector = {1,2,...} if (vector[i] > 8) printf("big element\n"); else printf("small element"); 8

1D Symbolic pointers i = symbolic int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; vector = {1,2,...} if (vector[i] > 8) printf("big element\n"); else printf("small element"); vector[i] > 8 9

1D Symbolic pointers i = symbolic int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; vector = {1,2,...} if (vector[i] > 8) printf("big element\n"); else printf("small element"); vector[i] > 8 printf("big element\n"); 10

1D Symbolic pointers i = symbolic int i; make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; vector = {1,2,...} if (vector[i] > 8) printf("big element\n"); else printf("small element"); vector[i] > 8 printf("big element\n"); printf("small element"); 11

1D Symbolic pointers ● vector[i] is a dereference of a i = symbolic symbolic pointer char i; make_symbolic(i); ○ Concrete base address int vector[10] = {1,2,3,4,5,6,7,8,9,10}; ○ Some symbolic offset i vector = {1,2,...} if (vector[i] > 8) printf("big element\n"); ● I.e. if vector is at 0xdeedbeef else vector[i] is a printf("small element"); load (0xdeedbeef + i) vector[i] > 8 printf("big element\n"); printf("small element"); 12

Constraints over memory ● Theory of arrays: ○ read: array × index → value ○ write: array × index × value → array ○ read(write(a, p, v), r) = v if p = r read(write(a, p, v), r) = read(a,r) if p ≠ r ○ ● Simply map C arrays to solver arrays ● Use concrete addresses to resolve C arrays to solver arrays 13

1D Symbolic pointers: constraints in theory of arrays int i; i = symbolic make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; if (vector[i] > 8) printf("big element"); else printf("small element"); 14

1D Symbolic pointers: constraints in theory of arrays int i; i = symbolic make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; array vector [10] = [1 2 3 4 5 6 7 8 9 10] if (vector[i] > 8) printf("big element"); else printf("small element"); 15

1D Symbolic pointers: constraints in theory of arrays int i; i = symbolic make_symbolic(i); int vector[10] = {1,2,3,4,5,6,7,8,9,10}; array vector [10] = [1 2 3 4 5 6 7 8 9 10] if (vector[i] > 8) printf("big element"); else (Read i vector ) printf("small element"); 16

2D Symbolic pointers int i, j; make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, sizeof ( int )); matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 17

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 18

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 19

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] array matrix_1 [3] = [0 0 42] matrix[1][2] = 42; array matrix_2 [3] = [0 0 0] if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 20

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] array matrix_1 [3] = [0 0 42] matrix[1][2] = 42; array matrix_2 [3] = [0 0 0] if (matrix[i][j] > 8) printf("big element\n"); else (Read i matrix ) printf("zero"); 21

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] array matrix_1 [3] = [0 0 42] matrix[1][2] = 42; array matrix_2 [3] = [0 0 0] if (matrix[i][j] > 8) printf("big element\n"); else (Read j (Read i matrix )) printf("zero"); 22

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] array matrix_1 [3] = [0 0 42] matrix[1][2] = 42; array matrix_2 [3] = [0 0 0] if (matrix[i][j] > 8) printf("big element\n"); else (Read j 0xdeedbeef) printf("zero"); 23

2D Symbolic pointers: constraints in theory of arrays i = symbolic int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) array matrix [3] = [0xdeedbeef 0xdeedbef0 0xdeedbef1] matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] array matrix_1 [3] = [0 0 42] matrix[1][2] = 42; array matrix_2 [3] = [0 0 0] if (matrix[i][j] > 8) printf("big element\n"); else (Read j 0xdeedbeef) printf("zero"); 24

So what now? ● Forking (KLEE) ○ Concretize and fork for each possible value of matrix[i] ● State Merging / OR Expression (SAGE) ○ Create a disjunction over all possible values of matrix[i] ● Flat Memory (considered by EXE, not implemented) ○ Have the whole memory as a single array 25

2D Symbolic pointers: Forking int i, j; i = 0 make_symbolic(i, j); j = symbolic int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 26

2D Symbolic pointers: Forking int i, j; i = 0 make_symbolic(i, j); j = symbolic int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 27

2D Symbolic pointers: Forking int i, j; i = 0 make_symbolic(i, j); j = symbolic int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); array matrix_0 [3] = [0 0 0] matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else (Read j matrix_0 ) printf("zero"); 28

2D Symbolic pointers: Forking int i, j; int i, j; i = 2 make_symbolic(i, j); int i, j; j = symbolic make_symbolic(i, j); int *matrix[3]; make_symbolic(i, j); int *matrix[3]; for ( int k = 0; k < 3; k++) int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); matrix[i] = calloc(3, 4); array matrix_2 [3] = [0 0 0] matrix[1][2] = 42; matrix[1][2] = 42; matrix[1][2] = 42; if (matrix[i][j] > 8) if (matrix[i][j] > 8) if (matrix[i][j] > 8) printf("big element\n"); printf("big element\n"); else printf("big element\n"); else (Read j matrix_2 ) else printf("zero"); printf("zero"); 29 printf("zero");

Path explosion 30

2D Symbolic pointers: State Merging int i, j; i = 0 ∨ 1 ∨ 2 make_symbolic(i, j); j = symbolic int *matrix[3]; for ( int k = 0; k < 3; k++) matrix[i] = calloc(3, 4); matrix[1][2] = 42; if (matrix[i][j] > 8) printf("big element\n"); else printf("zero"); 31

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic - PowerPoint PPT Presentation

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Computing Summaries of String Loops in C for Better Testing and Refactoring Timotej Kapus, Oren

Cristian Cadar Department of Computing Imperial College London Joint work with Peter

Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Imperial College London Activity Report Nobuko Yoshida Imperial College London

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

T2K & E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College

Lock Inference for Java Khilan Gudka Imperial College London Supervised by Professor Susan

SaBRE Load-time selective binary rewriting Paul-Antoine Arras , Anastasios Andronidis, Lus Pina,

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

Learning Software Models Alessandra Russo Imperial College London in collaboration with....

Paper K Digital Deep Dive National End of Life Care Programme Board 5 th April 2017

PHIL LONEY GROUP CHIEF EXECUTIVE 1 Our AGM is an important day for us its a day

TRECVID-2005 High-Level Feature task: Overview Wessel Kraaij TNO & Paul Over NIST

11 February, IDCC 2015, London Promoting and Enhancing Reuse of Information throughout the

LONDON ENERGY PLAN WORKSHOP HEAT SUPPLY 25 September 2015 WELCOME LEAH DAVIS Project Manager,

Immigration Update and Employer Immigration Update and Employer Compliance What You Dont

Church Street, Isleworth Trial Closure Monitoring Update Isleworth & Brentford Area Forum

online conference starting soon Welcome from the Organizers CWI University of Amsterdam

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic - PowerPoint PPT Presentation

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Computing Summaries of String Loops in C for Better Testing and Refactoring Timotej Kapus, Oren

Cristian Cadar Department of Computing Imperial College London Joint work with Peter

Symbolic Execution for Evolving Software Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Imperial College London Activity Report Nobuko Yoshida Imperial College London

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

T2K &amp; E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College

Lock Inference for Java Khilan Gudka Imperial College London Supervised by Professor Susan

SaBRE Load-time selective binary rewriting Paul-Antoine Arras , Anastasios Andronidis, Lus Pina,

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul

Learning Software Models Alessandra Russo Imperial College London in collaboration with....

Paper K Digital Deep Dive National End of Life Care Programme Board 5 th April 2017

PHIL LONEY GROUP CHIEF EXECUTIVE 1 Our AGM is an important day for us its a day

TRECVID-2005 High-Level Feature task: Overview Wessel Kraaij TNO &amp; Paul Over NIST

11 February, IDCC 2015, London Promoting and Enhancing Reuse of Information throughout the

LONDON ENERGY PLAN WORKSHOP HEAT SUPPLY 25 September 2015 WELCOME LEAH DAVIS Project Manager,

Immigration Update and Employer Immigration Update and Employer Compliance What You Dont

Church Street, Isleworth Trial Closure Monitoring Update Isleworth &amp; Brentford Area Forum

online conference starting soon Welcome from the Organizers CWI University of Amsterdam

T2K & E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College

TRECVID-2005 High-Level Feature task: Overview Wessel Kraaij TNO & Paul Over NIST

Church Street, Isleworth Trial Closure Monitoring Update Isleworth & Brentford Area Forum