Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background: Symbolic Execution
Experimental Evaluation
Summary of the Results
Related Work
Conclusion
References
All Topics
Computer Science

TracerX: Dynamic Symbolic Execution with Interpolation

Profile image of Rasool MagharehRasool Maghareh

2020

https://doi.org/10.1145/NNNNNNN.NNNNNNN
visibility

description

27 pages

link

1 file

Abstract

Dynamic Symbolic Execution (DSE) is an important method for the testing of programs. An important system on DSE is KLEE which inputs a C/C++ program annotated with symbolic variables, compiles it into LLVM, and then emulates the execution paths of LLVM using a specified backtracking strategy. The major challenge in symbolic execution is path explosion. The method of abstraction learning has been used to address this. The key step here is the computation of an interpolant to represent the learnt abstraction. In this paper, we present a new interpolation algorithm and implement it on top of the KLEE system. The main objective is to address the path explosion problem in pursuit of code penetration: to prove that a target program point is either reachable or unreachable. That is, our focus is verification. We show that despite the overhead of computing interpolants, the pruning of the symbolic execution tree that interpolants provide often brings significant overall benefits. We then pe...

Related papers

Redundant State Detection for Dynamic Symbolic Execution
Suhabe Bugrara

Many recent tools use dynamic symbolic execution to perform tasks ranging from automatic test generation, finding security flaws, equivalence verification, and exploit generation. However, while symbolic execution is promising, it perennially struggles with the fact that the number of paths in a program increases roughly exponentially with both code and input size. This paper presents a technique that attacks this problem by eliminating paths that cannot reach new code before they are executed and evaluates it on 66 system intensive, complicated , and widely-used programs. Our experiments demonstrate that the analysis speeds up dynamic symbolic execution by an average of 50.5 X, with a median of 10 X, and increases coverage by an average of 3.8 %.

View PDFchevron_right
Loop-extended symbolic execution on binary programs
prateek saxena

2009

Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including securityrelevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data dependencies. We introduce loop-extended symbolic execution, a generalization that broadens the coverage of symbolic results in programs with loops. It introduces symbolic variables for the number of times each loop executes, and links these with features of a known input grammar such as variable-length or repeating fields. This allows the symbolic constraints to cover a class of paths that includes different numbers of loop iterations, expressing loop-dependent program values in terms of properties of the input. By performing more reasoning symbolically, instead of by undirected exploration, applications of loop-extended symbolic execution can achieve better results and/or require fewer program executions. To demonstrate our technique, we apply it to the problem of discovering and diagnosing buffer-overflow vulnerabilities in software given only in binary form. Our tool finds vulnerabilities in both a standard benchmark suite and 3 real-world applications, after generating only a handful of candidate inputs, and also diagnoses general vulnerability conditions.

View PDFchevron_right
On Symbolic Execution of Decompiled Programs (S)
Henrich Lauko

2020

In this paper, we present a combination of existing and new tools that together make it possible to apply formal verification methods to programs in the form of x86 64 machine code. Our approach first uses a decompilation tool (remill) to extract low-level intermediate representation (LLVM) from the machine code. This step consists of instruction translation (i.e. recovery of operation semantics), control flow extraction and address identification. The main contribution of this paper is the second step, which builds on data flow analysis and refinement of indirect (i.e. datadependent) control flow. This step makes the processed bitcode much more amenable to formal analysis. To demonstrate the viability of our approach, we have compiled a set of benchmark programs into native executables and analysed them using two LLVM-based tools: DIVINE, a software model checker and KLEE, a symbolic execution engine. We have compared the outcomes to direct analysis of the same programs.

View PDFchevron_right
SPA: Symbolic Program Approximation for Scalable Path-sensitive Analysis
Raul Santelices

2009

Symbolic execution is a static-analysis technique that has been used for applications such as test-input generation and change analysis. Symbolic execution's path sensitivity makes scaling it difficult. Despite recent advances that reduce the number of paths to explore, the scalability problem remains. Moreover, there are applications that require the analysis of all paths in a program fragment, which exacerbate the scalability problem. In this paper, we present a new technique, called Symbolic Program Approximation (SPA), that performs an approximation of the symbolic execution of all paths between two program points by abstracting away certain symbolic subterms to make the symbolic analysis practical, at the cost of some precision. We discuss several applications of SPA, including testing of software changes and static invariant discovery. We also present a tool that implements SPA and an empirical evaluation on change analysis and testing that shows the applicability, effectiveness, and potential of our technique.

View PDFchevron_right
Chopped symbolic execution
Noam Rinetzky

2018

Symbolic execution is a powerful program analysis technique that systematically explores multiple program paths. However, despite important technical advances, symbolic execution often struggles to reach deep parts of the code due to the well-known path explosion problem and constraint solving limitations. In this paper, we propose chopped symbolic execution, a novel form of symbolic execution that allows users to specify uninteresting parts of the code to exclude during the analysis, thus only targeting the exploration to paths of importance. However, the excluded parts are not summarily ignored, as this may lead to both false positives and false negatives. Instead, they are executed lazily, when their effect may be observable by code under analysis. Chopped symbolic execution leverages various on-demand static analyses at runtime to automatically exclude code fragments while resolving their side effects, thus avoiding expensive manual annotations and imprecision. Our preliminary results show that the approach can effectively improve the effectiveness of symbolic execution in several different scenarios, including failure reproduction and test suite augmentation.

View PDFchevron_right
Zero-Overhead Path Prediction with Progressive Symbolic Execution
Richard Rutledge, Haider A Khan

Proceedings of the 41st International Conference on Software Engineering, 2019

In previous work, we introduced zero-overhead profiling (ZOP), a technique that leverages the electromagnetic emissions generated by the computer hardware to profile a program without instrumenting it. Although effective, ZOP has several shortcomings: it requires test inputs that achieve extensive code coverage for its training phase; it predicts path profiles instead of complete execution traces; and its predictions can suffer unrecoverable accuracy losses. In this paper, we present zero-overhead path prediction (ZOP-2), an approach that extends ZOP and addresses its limitations. First, ZOP-2 achieves high coverage during training through progressive symbolic execution (PSE)-symbolic execution of increasingly small program fragments. Second, ZOP-2 predicts complete execution traces, rather than path profiles. Finally, ZOP-2 mitigates the problem of path mispredictions by using a stateless approach that can recover from prediction errors. We evaluated our approach on a set of benchmarks with promising results; for the cases considered, (1) ZOP-2 achieved over 90% path prediction accuracy, and (2) PSE covered feasible paths missed by traditional symbolic execution, thus boosting ZOP-2's accuracy.

View PDFchevron_right
Directed incremental symbolic execution
Neha Rungta

Proceedings of the 32nd …, 2011

The last few years have seen a resurgence of interest in the use of symbolic execution -a program analysis technique developed more than three decades ago to analyze program execution paths. Scaling symbolic execution and other path-sensitive analysis techniques to large systems remains challenging despite recent algorithmic and technological advances. An alternative to solving the problem of scalability is to reduce the scope of the analysis. One approach that is widely studied in the context of regression analysis is to analyze the differences between two related program versions. While such an approach is intuitive in theory, finding efficient and precise ways to identify program differences, and characterize their effects on how the program executes has proved challenging in practice.

View PDFchevron_right
Symbolic Execution Enhanced System Testing
Misty Davies

Lecture Notes in Computer Science, 2012

We describe a testing technique that uses information computed by symbolic execution of a program unit to guide the generation of inputs to the system containing the unit, in such a way that the unit's, and hence the system's, coverage is increased. The symbolic execution computes unit constraints at run-time, along program paths obtained by system simulations. We use machine learning techniques -treatment learning and function fitting-to approximate the system input constraints that will lead to the satisfaction of the unit constraints. Execution of system input predictions either uncovers new code regions in the unit under analysis or provides information that can be used to improve the approximation. We have implemented the technique and we have demonstrated its effectiveness on several examples, including one from the aerospace domain.

View PDFchevron_right
Past-sensitive pointer analysis for symbolic execution
Noam Rinetzky

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2020

We propose a novel fine-grained integration of pointer analysis with dynamic analysis, including dynamic symbolic execution. This is achieved via past-sensitive pointer analysis, an on-demand pointer analysis instantiated with an abstraction of the dynamic state on which it is invoked. We evaluate our technique in three application scenarios: chopped symbolic execution, symbolic pointer resolution, and write integrity testing. Our preliminary results show that the approach can have a significant impact in these scenarios, by effectively improving the precision of standard pointer analysis with only a modest performance overhead. • Software and its engineering → Software testing and debugging.

View PDFchevron_right
Generating Unit Tests for Floating Point Embedded Software using Compositional Dynamic Symbolic Execution
Eduardas Bareisa

Electronics and Electrical Engineering, 2012

View PDFchevron_right

References (31)

  1. REFERENCES Abductive reasoning. 2020. Abductive reasoning -Wikipedia, The Free Encyclopedia. https://en.wikipedia.org/wiki/ Abductive_reasoning [Online; accessed 10-March-2020].
  2. All-Targets 2020. Main-Experiment-All-Targets. https://figshare.com/s/2d6852ee9e53291c7c24
  3. Artifacts 2020. Artifacts for Main and Supplementary experiments. https://figshare.com/s/8ac010976689cab7ebd9
  4. Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. 2016. Enhancing symbolic execution with veritesting. Commun. ACM 59, 6 (2016), 93-100.
  5. Cristian Cadar, Daniel Dunbar, and Dawson R Engler. 2008a. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs.. In OSDI. 209-224.
  6. Cristian Cadar, Vijay Ganesh, Peter M Pawlowski, David L Dill, and Dawson R Engler. 2008b. EXE: automatically generating inputs of death. ACM Transactions on Information and System Security (TISSEC) 12, 2 (2008), 10.
  7. Cristian Cadar and Koushik Sen. 2013. Symbolic Execution for Software Testing: Three Decades Later. Commun. ACM 56, 2 (2013), 82-90.
  8. Duc-Hiep Chu and Joxan Jaffar. 2012. A complete method for symmetry reduction in safety verification. In CAV. Springer, 616-633.
  9. Duc-Hiep Chu, Joxan Jaffar, and Rasool Maghareh. 2016. Precise Cache Timing Analysis via Symbolic Execution. In RTAS 2016.
  10. Edmund Clarke, Daniel Kroening, and Flavio Lerda. 2004. A tool for checking ANSI-C programs. In TACAS. Springer, 168-176.
  11. E. M. Clarke, D. Kroenig, N. Sharygina, and K. Yorav. 2005. SATABS: SAT-Based Predicate Abstraction for ANSI-C. In TACAS. 570-574.
  12. Lucas Cordeiro, Jeremy Morse, Denis Nicole, and Bernd Fischer. 2012. Context-bounded model checking with ESBMC 1.17. In TACAS. Springer, 534-537.
  13. Coreutils-6.11 2008. Coreutils Benchmarks (version 6.11). https://ftp.gnu.org/gnu/coreutils/ Leonardo De Moura, Harald Rueß, and Maria Sorea. 2002. Lemmas on demand for satisfiability solvers. SAT 2 (2002), 244-251.
  14. Leonardo Mendonça de Moura and Nikolaj Bjørner. 2008. Proofs and Refutations, and Z3.. In LPAR, Vol. 418. 123-132.
  15. Stephan Falke, Florian Merz, and Carsten Sinz. 2013. LLBMC: improved bounded model checking of c programs using LLVM. In TACAS. Springer, 623-626.
  16. Framma-C 2020. A static analyzer. https://frama-c.com/index.html P. Godefroid, N. Klarlund, and K. Sen. 2005. DART: Directed Automated Random Testing. In 26th PLDI. ACM Press, 213-223.
  17. T. Hansen, P. Schachte, and H. Søndergaard. 2009. State Joining and Splitting for the Symbolic Execution of Binaries. In RV. 76-92.
  18. M. Heizmann, J. Christ, D. Dietsch, J. Hoenicke, M. Lindenmann, B. Musa, C. Schilling, S. Wissert, and A. Podelski. 2014. Ultimate Automizer with Unsatisfiable Cores. In TACAS. 418-420.
  19. A. Holzer, C. Schallhart, M. Tautschnig, and H. Veith. 2008. FShell: Systematic Test Case Generation for Dynamic Analysis and Measurement. In CAV. 209-213.
  20. Joxan Jaffar, Vijayaraghavan Murali, and Jorge A Navas. 2013. Boosting concolic testing via interpolation. In FSE. ACM, 48-58.
  21. Joxan Jaffar, Vijayaraghavan Murali, Jorge A Navas, and Andrew E Santosa. 2012. TRACER: A symbolic execution tool for verification. In CAV. Springer, 758-766.
  22. J. Jaffar, J. A. Navas, and A. E. Santosa. 2011. Unbounded Symbolic Execution for Program Verification. In RV. 396-411.
  23. Joxan Jaffar, Andrew E Santosa, and Răzvan Voicu. 2009. An interpolation method for CLP traversal. In CP. Springer, 454-469.
  24. Sarfraz Khurshid, Corina S Păsăreanu, and Willem Visser. 2003. Generalized symbolic execution for model checking and testing. In International Conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 553-568. LLBMC 2012 2012. LLBMC: Introduction. http://llbmc.org/ LLVM 2018. LLVM Compiler Infrastructure Project. https://llvm.org/. Viewed October 2017.
  25. Joao P Marques-Silva and Karem A Sakallah. 1999. GRASP: A search algorithm for propositional satisfiability. IEEE T COMPUT 48, 5 (1999), 506-521.
  26. Kenneth L McMillan. 2010. Lazy Annotation for Program Testing and Verification. In CAV. 104-118.
  27. Kenneth L McMillan. 2014. Lazy Annotation Revisited. In CAV. 243-259.
  28. Psyco 2017. SV-COMP Benchmarks: Verification Tasks. https://github.com/sosy-lab/sv-benchmarks/tree/master/c/psyco Psycotool 2017. PSYCO:. https://github.com/psycopaths/psyco RERS 2012. RERS:. http://rers-challenge.org/ RERS 2017. RERS17:. http://rers-challenge.org/2017/ RERS 2019. RERS19:. http://rers-challenge.org/2019/
  29. K. Sen, D. Marinov, and G. Agha. 2005. CUTE: a concolic unit testing engine for C. In 10th ESEC/13th SIGSOFT FSE. ACM Press, 263-272.
  30. David Trabish, Andrea Mattavelli, Noam Rinetzky, and Cristian Cadar. 2018. Chopped symbolic execution. In ICSE. ACM, 350-360.
  31. Q. Yi, Z. Yang, S. Guo, C. Wang, J. Liu, and C. Zhao. 2015. Postconditioned Symbolic Execution. In ICST. 1-10.

Related papers

TracerX: Dynamic Symbolic Execution with Interpolation (Competition Contribution)
Rasool Maghareh

Lecture Notes in Computer Science, 2020

Dynamic Symbolic Execution (DSE) is an important method for testing of programs. An important system on DSE is KLEE [1] which inputs a C/C++ program annotated with symbolic variables, compiles it into LLVM, and then emulates the execution paths of LLVM using a specified backtracking strategy. The major challenge in symbolic execution is path explosion. The method of abstraction learning [7] has been used to address this. The key step here is the computation of an interpolant to represent the learned abstraction. TracerX, our tool, is built on top of KLEE and it implements and utilizes abstraction learning. The core feature in abstraction learning is subsumption of paths whose traversals are deemed to no longer be necessary due to similarity with already-traversed paths. Despite the overhead of computing interpolants, the pruning of the symbolic execution tree that interpolants provide often brings significant overall benefits. In particular, TracerX can fully explore many programs that would be impossible for any non-pruning system like KLEE to do so.

View PDFchevron_right
TracerX: Pruning Dynamic Symbolic Execution with Deletion and Weakest Precondition Interpolation (Competition Contribution)
Rasool Maghareh

Lecture notes in computer science, 2024

Dynamic Symbolic Execution (DSE) is an important method for the testing of programs. The major advantage of DSE is its path-bypath exploration of the program execution space. However, this often leads to the path explosion problem. To address this issue, a method of abstraction learning has been used. The key step here is the computation of an interpolant to represent the learned abstraction. In Test-Comp 2024, we use two different approaches of interpolant generation viz., Deletion Interpolation and Weakest Precondition Interpolation. The former is our more stable and mature system and briefly discussed in [8]. In this paper, we present the latter approach which is the heart of TracerX. In general, the Weakest Precondition (WP) is the ideal (most general) interpolant. However, WP is intractable to compute and is exponentially disjunctive. A major challenge is to obtain a conjunctive approximation of the WP. Therefore, we generate an approximation of the WP.

View PDFchevron_right
Infeasible path generalization in dynamic symbolic execution
A. Gotlieb

Information and Software Technology, 2015

Context: Automatic code-based test input generation aims at generating a test suite ensuring good code coverage. Dynamic Symbolic Execution (DSE) recently emerged as a strong code-based testing technique to increase coverage by solving path conditions with a combination of symbolic constraint solving and concrete executions. Objective: When selecting paths in DSE for generating test inputs, some paths are actually detected as being infeasible, meaning that no input can be found to exercize them. But, showing path infeasibility instead of generating test inputs is costly and most effort could be saved in DSE by reusing path infeasibility information. Method: In this paper, we propose a method that takes opportunity of the detection of a single infeasible path to generalize to a possibly infinite family of infeasible paths. The method first extracts an explanation of path condition, that is, the reason of the path infeasibility. Then, it determines conditions, using data dependency information, that paths must respect to exhibit the same infeasibility. Finally, it constructs an automaton matching the generalized infeasible paths. Results: We implemented our method in a prototype tool called IPEG (Infeasible Path Explanation and Generalization), for DSE of C programs. First experimental results obtained with IPEG show that our approach can save considerable effort in DSE, when generating test inputs for increasing code coverage. Conclusion: Infeasible path generalization allows test generation to know of numerous infeasible paths ahead of time, and consequently to save the time needed to show their infeasibility.

View PDFchevron_right
Symbolic execution with abstraction
SANDEEP ANAND

International Journal on Software Tools for Technology Transfer, 2008

We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks-this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of [2].

View PDFchevron_right
Exploiting program dependencies for scalable multiple-path symbolic execution
Raul Santelices

… of the 19th international symposium on …, 2010

View PDFchevron_right

Related topics

  • Computer Science

    • Cited by

    SeDAR: Reading Floorplans Like a Human—Using Deep Learning to Enable Human-Inspired Localisation
    Simon Hadfield

    International Journal of Computer Vision

    The use of human-level semantic information to aid robotic tasks has recently become an important area for both Computer Vision and Robotics. This has been enabled by advances in Deep Learning that allow consistent and robust semantic understanding. Leveraging this semantic vision of the world has allowed human-level understanding to naturally emerge from many different approaches. Particularly, the use of semantic information to aid in localisation and reconstruction has been at the forefront of both fields. Like robots, humans also require the ability to localise within a structure. To aid this, humans have designed high-level semantic maps of our structures called floorplans. We are extremely good at localising in them, even with limited access to the depth information used by robots. This is because we focus on the distribution of semantic elements, rather than geometric ones. Evidence of this is that humans are normally able to localise in a floorplan that has not been scaled p...

    View PDFchevron_right
    Understanding health and behavioral trends of successful students through machine learning models
    Abigale Kim

    2021

    This study analyzes patterns of physical, mental, lifestyle, and personality factors in college students in different periods over the course of a semester and models their relationships with students’ academic performance. The data analyzed was collected through smartphones and Fitbit. The use of machine learning models derived from the gathered data was employed to observe the extent of students’ behavior associated with their GPA, lifestyle, physical health, mental health, and personality attributes. A mutual agreement method was used in which rather than looking at the accuracy of results, the model parameters and weights of features were used to find common behavioral trends. From the results of the model creation, it was determined that the most significant indicator of academic success defined as a higher GPA, was the places a student spent their time. Lifestyle and personality factors were deemed more significant than mental and physical factors. This study will provide insi...

    View PDFchevron_right
    Personality-targeted persuasive gamified systems: exploring the impact of application domain on the effectiveness of behaviour change strategies
    Rita Orji

    User Modeling and User-Adapted Interaction, 2022

    Persuasive gamified systems for health are interventions that promote behaviour change using various persuasive strategies. While research has shown that these strategies are effective at motivating behaviour change, there is little knowledge on whether and how the effectiveness of these strategies vary across multiple domains for people of distinct personality traits. To bridge this gap, we conducted a quantitative study with 568 participants to investigate (a) whether the effectiveness of the persuasive strategies implemented vary within each domain (b) whether the effectiveness of various strategies vary across two distinct domains, (c) how people belonging to different personality traits respond to these strategies, and (d) if people high in a personality trait would be influenced by a persuasive strategy within one domain and not in the other. Our results show that there are significant differences in the effectiveness of various strategies across domains and that people's personality plays a significant role in the perceived persuasiveness of different strategies both within and across distinct B Chinenye Ndulue

    View PDFchevron_right
    Smart Contracts Security Threats and Solutions
    Jules Degila

    International Journal of Information Technology and Web Engineering

    Blockchain-enabled smart contracts are subjected to several issues leading to vigorous attacks such as the decentralized autonomous organization (DAO) and the ParitySig bug on the Ethereum platform with disastrous consequences. Several solutions have been proposed. However, new threats are identified as technology evolves and new solutions are produced, while some older threats remain unsolved. Thus, the need to fill the gap with a more comprehensive survey on existing issues and solutions for researchers and practitioners arises. The resulting updated database will become an essential means for choosing a particular solution for a specific subject. In this review, the authors embrace mainly codifying security privacy and performance issues and their respective solutions. Each problem is attached to its corresponding solutions when they exist. A summary of the threats and solutions is provided as well as the relationship between threat importance and the given answers. They finally ...

    View PDFchevron_right
    Is Social Distancing Law the New Normal? Forced Shift to Media Online Learning and Its Effectiveness: A Moderating Role of Student Engagement During the Pandemic of COVID-19
    Shuwen Mo

    Frontiers in Psychology

    The author intends to investigate the role of social distancing laws in the new normal as well as the effectiveness of forced shift to media online learning. This research indicates that student involvement had a moderating influence during the epidemic. This study is based on social learning theory (SLT), which endeavors to emulate the behavior, perceptions, and emotions of other individuals. The data were obtained from various Chinese universities. We gathered data utilizing the stratified sample approach as well as Google Form. A total of 256 students enrolled in a variety of programs at Chinese universities completed a questionnaire for this investigation. The direct, mediating, and moderating effects of the variables were evaluated using partial least square structural equation modeling in this study (PLS-SEM), using the Smart-PLS software 3.0. According to the findings, forced shift to media online learning acts as a mediator between the lack of social interaction, perceived h...

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved