Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
Design Principles of Symbolic Executors
Program Analysis and Optimization
Conclusions
References
All Topics
Computer Science
Cybersecurity

A Survey of Symbolic Execution Techniques

Profile image of Emilio CoppaEmilio Coppa

2019, ACM Computing Surveys

https://doi.org/10.1145/3182657
visibility

description

37 pages

link

1 file

Abstract

Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program’s authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the past four d...

Related papers

Techniques to facilitate symbolic execution of real-world programs
SANDEEP ANAND

2012

View PDFchevron_right
Gillian, Part I: A Multi-language Platform for Symbolic Execution
Philippa Gardner

Artifact Digital Object Group, 2020

We introduce Gillian, a platform for developing symbolic analysis tools for programming languages. Here, we focus on the symbolic execution engine at the heart of Gillian, which is parametric on the memory model of the target language. We give a formal description of the symbolic analysis and a modular implementation that closely follows this description. We prove a parametric soundness result, introducing restriction on abstract states, which generalises path conditions used in classical symbolic execution. We instantiate Gillian to obtain trusted symbolic testing tools for JavaScript and C, and use these tools to find bugs in real-world code, thus demonstrating the viability of our parametric approach. CCS Concepts: • Theory of computation → Program analysis; Program semantics; • Software and its engineering → Formal language definitions.

View PDFchevron_right
Sound Symbolic Execution via Abstract Interpretation and Its Application to Security
Xavier Rival

Lecture Notes in Computer Science, 2023

Symbolic execution is a program analysis technique commonly utilized to determine whether programs violate properties and, in case violations are found, to generate inputs that can trigger them. Used in the context of security properties such as noninterference, symbolic execution is precise when looking for counter-example pairs of traces when insecure information flows are found, however it is sound only up to a bound thus it does not allow to prove the correctness of programs with executions beyond the given bound. By contrast, abstract interpretation-based static analysis guarantees soundness but generally lacks the ability to provide counter-example pairs of traces. In this paper, we propose to weave both to obtain the best of two worlds. We demonstrate this with a series of static analyses, including a static analysis called RedSoundRSE aimed at verifying noninterference. RedSoundRSE provides both semantically sound results and the ability to derive counterexample pairs of traces up to a bound. It relies on a combination of symbolic execution and abstract domains inspired by the well known notion of reduced product. We formalize RedSoundRSE and prove its soundness as well as its relative precision up to a bound. We also provide a prototype implementation of RedSoundRSE and evaluate it on a sample of challenging examples.

View PDFchevron_right
Symbolic execution with abstraction
SANDEEP ANAND

International Journal on Software Tools for Technology Transfer, 2008

We address the problem of error detection for programs that take recursive data structures and arrays as input. Previously we proposed a combination of symbolic execution and model checking for the analysis of such programs: we put a bound on the size of the program inputs and/or the search depth of the model checker to limit the search state space. Here we look beyond bounded model checking and consider state matching techniques to limit the state space. We describe a method for examining whether a symbolic state that arises during symbolic execution is subsumed by another symbolic state. Since the number of symbolic states may be infinite, subsumption is not enough to ensure termination. Therefore, we also consider abstraction techniques for computing and storing abstract states during symbolic execution. Subsumption checking determines whether an abstract state is being revisited, in which case the model checker backtracks-this enables analysis of an under-approximation of the program behaviors. We illustrate the technique with abstractions for lists and arrays. We also discuss abstractions for more general data structures. The abstractions encode both the shape of the program heap and the constraints on numeric data. We have implemented the techniques in the Java PathFinder tool and we show their effectiveness on Java programs. This paper is an extended version of [2].

View PDFchevron_right
Using symbolic execution for verifying safety-critical systems
Carlo Ghezzi

ACM Sigsoft Software Engineering Notes, 2001

Safety critical systems require to be highly reliable and thus special care is taken when verifying them in order to increase the confidence in their behavior. This paper addresses the problem of formal verification of safety critical systems by providing empirical evidence of the practical applicability of symbolic execution and of its usefulness for checking safety-related properties. In this paper, symbolic execution is used for building an operational model of the software on which safety properties, expressed by means of a Path Description Language (PDL), can be assessed.

View PDFchevron_right
Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts
Felipe Andres Manzano

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019

An effective way to maximize code coverage in software tests is through dynamic symbolic execution-a technique that uses constraint solving to systematically explore a program's state space. We introduce an open-source dynamic symbolic execution framework called Manticore for analyzing binaries and Ethereum smart contracts. Manticore's flexible architecture allows it to support both traditional and exotic execution environments, and its API allows users to customize their analysis. Here, we discuss Manticore's architecture and demonstrate the capabilities we have used to find bugs and verify the correctness of code for our commercial clients.

View PDFchevron_right
Automatically generating test cases for safety-critical software via symbolic execution
Giovanni Denaro

Journal of Systems and Software

Automated test generation based on symbolic execution can be beneficial for systematically testing safety-critical software, to facilitate test engineers to pursue the strict testing requirements mandated by the certification standards, while controlling at the same time the costs of the testing process. At the same time, the development of safety-critical software is often constrained with programming languages or coding conventions that ban linguistic features which are believed to downgrade the safety of the programs, e.g., they do not allow dynamic memory allocation and variable-length arrays, limit the way in which loops are used, forbid recursion, and bound the complexity of control conditions. As a matter of facts, these linguistic features are also the main efficiency-blockers for the test generation approaches based on symbolic execution at the state of the art. This paper contributes new evidence of the effectiveness of generating test cases with symbolic execution for a significant class of industrial safety critical-systems. We specifically focus on Scade, a largely adopted model-based development language for safety-critical embedded software, and we report on a case study in which we exploited symbolic execution to automatically generate test cases for a set of safety-critical programs developed in Scade. To this end, we introduce a novel test generator that we developed in a recent industrial project on testing safety-critical railway software written in Scade, and we report on our experience of using this test generator for testing a set of Scade programs that belong to the development of an on-board signaling unit for high-speed rail. The results provide empirically evidence that symbolic execution is indeed a viable approach for generating high-quality test suites for the safety-critical programs considered in our case study.

View PDFchevron_right
All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)
Thanassis Avgerinos

2010

Abstract Dynamic taint analysis and forward symbolic execution are quickly becoming staple techniques in security analyses. Example applications of dynamic taint analysis and forward symbolic execution include malware analysis, input filter generation, test case generation, and vulnerability discovery. Despite the widespread usage of these two techniques, there has been little effort to formally define the algorithms and summarize the critical issues that arise when these techniques are used in typical security contexts.

View PDFchevron_right
Symbolic Execution Techniques for Test Purpose Definition
Pascale Le Gall, Christophe Gaston

2006

We propose an approach to test whether a system conforms to its specification given in terms of an Input/Output Symbolic Transition System (IOSTS). IOSTSs use data types to enrich transitions with data-based messages and guards depending on state variables. We use symbolic execution techniques both to extract IOSTS behaviours to be tested in the role of test purposes and to ground an algorithm of test case generation. Thus, contrarily to some already existing approaches, our test purposes are directly expressed as symbolic execution paths of the specification. They are finite symbolic subtrees of its symbolic execution. Finally, we give coverage criteria and demonstrate our approach on a running example.

View PDFchevron_right
Symbolic Execution Enhanced System Testing
Misty Davies

Lecture Notes in Computer Science, 2012

We describe a testing technique that uses information computed by symbolic execution of a program unit to guide the generation of inputs to the system containing the unit, in such a way that the unit's, and hence the system's, coverage is increased. The symbolic execution computes unit constraints at run-time, along program paths obtained by system simulations. We use machine learning techniques -treatment learning and function fitting-to approximate the system input constraints that will lead to the satisfaction of the unit constraints. Execution of system input predictions either uncovers new code regions in the unit under analysis or provides information that can be used to improve the approximation. We have implemented the technique and we have demonstrated its effectiveness on several examples, including one from the aerospace domain.

View PDFchevron_right

References (119)

  1. Erika Abraham. 2015. Building Bridges Between Symbolic Computation and Satisfiability Checking. In Proc. 2015 ACM on Int. Symp. on Symbolic and Algebraic Computation (ISSAC'15). ACM, 1-6.
  2. Erika Abraham, John Abbott, Bernd Becker, Anna M. Bigatti, Martin Brain, Bruno Buchberger, Alessandro Cimatti, James H. Davenport, Matthew England, Pascal Fontaine, Stephen Forrest, Alberto Griggio, Daniel Kroening, Werner M. Seiler, and Thomas Sturm. 2016. SC2: Satisfiability Checking Meets Sym- bolic Computation. In Proc. 9th Int. Conf. on Intelligent Computer Math. (CICM'16). Springer, 28-43.
  3. Saswat Anand. 2012. Techniques to Facilitate Symbolic Execution of Real-world Programs. Ph.D. Disserta- tion. Atlanta, GA, USA. AAI3531671.
  4. Saswat Anand, Patrice Godefroid, and Nikolai Tillmann. 2008. Demand-driven Compositional Symbolic Ex- ecution. In Proc. Theory and Practice of Software, 14th Int. Conf. on Tools and Algorithms for the Con- struction and Analysis of Systems (TACAS'08/ETAPS'08). 367-381.
  5. Saswat Anand, Alessandro Orso, and Mary Jean Harrold. 2007. Type-dependence Analysis and Program Transformation for Symbolic Execution. In Proc. 13th Int. Conf. on Tools and Algorithms for the Con- struction and Analysis of Systems (TACAS'07). 117-133.
  6. Saswat Anand, Corina S. Pasareanu, and Willem Visser. 2009. Symbolic Execution with Abstraction. Int. J. Software Tools Technol. Transf. 11, 1 (2009), 53-67.
  7. Thanassis Avgerinos. 2014. Exploiting Trade-offs in Symbolic Execution for Identifying Security Bugs. Ph.D. Dissertation. http://repository.cmu.edu/cgi/viewcontent.cgi?article=1478&context=dissertations.
  8. Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. 2011. AEG: Automatic Exploit Generation. In Proc. Network and Distributed System Security Symp. (NDSS'11).
  9. Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. 2014. Enhancing Symbolic Ex- ecution with Veritesting. In Proc. 36th Int. Conf. on Software Engineering (ICSE'14). ACM, 1083-1094.
  10. Domagoj Babic and Alan J. Hu. 2008. Calysto: Scalable and Precise Extended Static Checking. In Proc. 30th Int. Conf. on Software Engineering (ICSE'08). ACM, 211-220.
  11. David F. Bacon, Susan L. Graham, and Oliver J. Sharp. 1994. Compiler Transformations for High- performance Computing. ACM Computing Surveys (CSUR) 26, 4 (1994), 345-420.
  12. Thomas Ball, Ella Bounimova, Byron Cook, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus On- drusek, Sriram K. Rajamani, and Abdullah Ustuner. 2006. Thorough Static Analysis of Device Drivers. In Proc. 1st ACM SIGOPS/EuroSys European Conf. on Comp. Systems (EuroSys'06). ACM, 73-85.
  13. Clark Barrett, Daniel Kroening, and Thomas Melham. 2014. Problem solving for the 21st century: Efficient solver for satisfiability modulo theories. London Mathematical Society and Smith Institute for Industrial Mathematics and System Engineering.
  14. Fabrice Bellard. 2005. QEMU, a Fast and Portable Dynamic Translator. In Proc. USENIX Annual Technical Conf. (ATEC'05). USENIX Association, 41-41.
  15. Peter Boonstoppel, Cristian Cadar, and Dawson R. Engler. 2008. RWset: Attacking Path Explosion in Constraint-Based Test Generation. In Proc. 14th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'08). 351-366.
  16. Matko Botinčan, Matthew Parkinson, and Wolfram Schulte. 2009. Separation Logic Verification of C Pro- grams with an SMT Solver. Electronic Notes in Theoretical Comp. Science 254 (2009), 5-23.
  17. Robert S. Boyer, Bernard Elspas, and Karl N. Levitt. 1975. SELECT -A Formal System for Testing and Debugging Programs by Symbolic Execution. In Proc. of Int. Conf. on Reliable Software. ACM, 234-245.
  18. David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. 2011. BAP: A Binary Analysis Platform. In Proc. 23rd Int. Conf. on Computer Aided Verification (CAV'11). 463-469.
  19. Stefan Bucur, Vlad Ureche, Cristian Zamfir, and George Candea. 2011. Parallel Symbolic Execution for Automated Real-world Software Testing. In Proc. 6th Conf. on Comp. Systems (EuroSys'11). 183-198.
  20. Cristian Cadar. 2015. Targeted Program Transformations for Symbolic Execution. In Proc. 2015 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE'15). ACM, 906-909.
  21. Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and Automatic Genera- tion of High-coverage Tests for Complex Systems Programs. In Proc. 8th USENIX Conf. on Operating Systems Design and Implementation (OSDI'08). USENIX Association, 209-224.
  22. Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2006. EXE: Au- tomatically Generating Inputs of Death. In Proc. 13th ACM Conf. on Computer and Communications Security (CCS'06). ACM, 322-335.
  23. Cristian Cadar and Koushik Sen. 2013. Symbolic Execution for Software Testing: Three Decades Later. Commun. ACM 56, 2 (2013), 82-90.
  24. Cristiano Calcagno, Dino Distefano, Peter W. O'Hearn, and Hongseok Yang. 2011. Compositional Shape Analysis by Means of Bi-Abduction. J. ACM 58, 6, Article 26 (2011).
  25. Matteo Ceccarello and Oksana Tkachuk. 2014. Automated Generation of Model Classes for Java PathFinder. SIGSOFT Software Engineering Notes 39, 1 (2014), 1-5.
  26. Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. 2012. Unleashing Mayhem on Binary Code. In Proc. 2012 IEEE Symp. on Sec. and Privacy (SP'12). IEEE Comp. Society, 380-394.
  27. Satish Chandra, Stephen J. Fink, and Manu Sridharan. 2009. Snugglebug: A Powerful Approach to Weakest Preconditions. In Proc. 30th ACM SIGPLAN Conf. on Programming Language Design and Implementa- tion (PLDI'09). ACM, 363-374.
  28. Ting Chen, Xiaodong Lin, Jin Huang, Abel Bacchus, and Xiaosong Zhang. 2015. An Empirical Investigation into Path Divergences for Concolic Execution Using CREST. Security and Communication Networks 8, 18 (2015), 3667-3681.
  29. Ting Chen, Xiao-Song Zhang, Shi-Ze Guo, Hong-Yuan Li, and Yue Wu. 2013. State of the Art: Dynamic Symbolic Execution for Automated Test Generation. Future Gen. Comput. Syst. 29, 7 (2013), 1758-1773.
  30. Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2012. The S2E Platform: Design, Implemen- tation, and Applications. ACM Transactions on Computer Systems (TOCS) 30, 1 (2012), 2:1-2:49.
  31. Peter Collingbourne, Cristian Cadar, and Paul H.J. Kelly. 2011. Symbolic Crosschecking of Floating-point and SIMD Code. In Proc. Sixth Conf. on Computer Systems (EuroSys'11). ACM, 315-328.
  32. Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2006. Termination Proofs for Systems Code. In Proc. 27th ACM SIGPLAN Conf. on Programming Language Design and Implementation. 415-426.
  33. Emilio Coppa, Daniele Cono D'Elia, and Camil Demetrescu. 2017. Rethinking Pointer Reasoning in Symbolic Execution. In Proc. 32nd IEEE/ACM Int. Conf. on Automated Software Engineering (ASE'17). 613-618.
  34. Florian Corzilius, Gereon Kremer, Sebastian Junges, Stefan Schupp, and Erika Abraham. 2015. SMT-RAT: An Open Source C++ Toolbox for Strategic and Parallel SMT Solving. In Proc. 18th Int. Conf. on Theory and Applications of Satisfiability Testing (SAT'15), Marijn Heule and Sean Weaver (Eds.). 360-368.
  35. William Craig. 1957. Three Uses of the Herbrand-Gentzen Theorem in Relating Model Theory and Proof Theory. J. Symbolic Logic 22, 3 (1957), 269-285.
  36. Christoph Csallner and Yannis Smaragdakis. 2005. Check 'N' Crash: Combining Static Checking and Test- ing. In Proc. 27th Int. Conf. on Software Engineering (ICSE'05). ACM, 422-431.
  37. Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An Efficient SMT Solver. In Proc. Theory and Prac- tice of Software, 14th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'08/ETAPS'08). 337-340.
  38. Leonardo De Moura and Nikolaj Bjørner. 2011. Satisfiability Modulo Theories: Introduction and Applica- tions. Commun. ACM 54, 9 (2011), 69-77.
  39. Xianghua Deng, Jooyong Lee, and Robby. 2012. Efficient and Formal Generalized Symbolic Execution. Au- tomated Software Engineering 19, 3 (2012), 233-301.
  40. Peter Dinges and Gul Agha. 2014a. Solving Complex Path Conditions Through Heuristic Search on Induced Polytopes. In Proc. 22nd ACM SIGSOFT Int. Symp. on Foundations of Software Engineering. 425-436.
  41. Peter Dinges and Gul Agha. 2014b. Targeted Test Input Generation Using Symbolic-concrete Backward Execution. In Proc. 29th ACM/IEEE Int. Conf. on Automated Software Engineering (ASE'14). 31-36.
  42. Shiyu Dong, Oswaldo Olivo, Lingming Zhang, and Sarfraz Khurshid. 2015. Studying the Influence of Stan- dard Compiler Optimizations on Symbolic Execution. In Proc. 2015 IEEE 26th Int. Symp. on Software Reliability Engineering. 205-215.
  43. Evelyn Duesterwald (Ed.). 2004. Analyzing Memory Accesses in x86 Executables. Springer. Bassem Elkarablieh, Patrice Godefroid, and Michael Y. Levin. 2009. Precise Pointer Reasoning for Dynamic Test Generation. In Proc. 18th Int. Symp. on Software Testing and Analysis (ISSTA'09). ACM, 129-140.
  44. Dawson R. Engler and Ken Ashcraft. 2003. RacerX: Effective, Static Detection of Race Conditions and Dead- locks. In Proc,. 19th ACM Symp. on Operating Systems Principles (SOSP'03). ACM, 237-252. 0:35
  45. Dawson R. Engler and Daniel Dunbar. 2007. Under-constrained Execution: Making Automatic Code De- struction Easy and Scalable. In Proc. of 2007 Int. Symp. on Soft. Test. and Analysis (ISSTA'07). 1-4.
  46. Cormac Flanagan and Shaz Qadeer. 2002. Predicate Abstraction for Software Verification. In Proc. of 29th ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages (POPL'02). ACM, 191-202.
  47. Carlo A. Furia, Bertrand Meyer, and Sergey Velder. 2014. Loop Invariants: Analysis, Classification, and Examples. ACM Computing Surveys (CSUR) 46, 3, Article 34 (2014).
  48. Juan P. Galeotti, Carlo A. Furia, Eva May, Gordon Fraser, and Andreas Zeller. 2015. Inferring Loop Invari- ants by Mutation, Dynamic Analysis, and Static Checking. IEEE Transactions on Software Engineering (TSE) 41, 10 (2015), 1019-1037.
  49. Vijay Ganesh and David L. Dill. 2007. A Decision Procedure for Bit-vectors and Arrays. In Proc. 19th Int. Conf. on Computer Aided Verification (CAV'07). 519-531.
  50. Patrice Godefroid. 2007. Compositional Dynamic Test Generation. In Proc. 34th SIGPLAN-SIGACT Symp. on Principles of Programming Languages (POPL'07). 47-54.
  51. Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: Directed Automated Random Testing. In Proc. ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI'05). 213-223.
  52. Patrice Godefroid, Michael Y. Levin, and David A. Molnar. 2008. Automated Whitebox Fuzz Testing. In Proc. Network and Distributed System Security Symp. (NDSS'08).
  53. Patrice Godefroid, Michael Y. Levin, and David A. Molnar. 2012. SAGE: Whitebox Fuzzing for Security Testing. Queue 10, 1, Article 20 (2012), 20:20-20:27 pages.
  54. Patrice Godefroid and Daniel Luchaup. 2011. Automatic Partial Loop Summarization in Dynamic Test Gen- eration. In Proc. 2011 Int. Symp. on Software Testing and Analysis (ISSTA'11). ACM, 23-33.
  55. Laure Gonnord, David Monniaux, and Gabriel Radanne. 2015. Synthesis of Ranking Functions Using Ex- tremal Counterexamples. In Proc. 36th ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI'15). ACM, 608-618.
  56. Johannes Grabmeier, Erich Kaltofen, and Volker Weispfenning. 2003. Computer Algebra Handbook: Foun- dations, Applications, Systems. Vol. 1. Springer Science & Business Media, 109-124.
  57. Trevor Hansen, Peter Schachte, and Harald Søndergaard. 2009. Runtime Verification. Chapter State Joining and Splitting for the Symbolic Execution of Binaries, 76-92.
  58. William E. Howden. 1977. Symbolic Testing and the DISSECT Symbolic Evaluation System. IEEE Trans- actions on Software Engineering (TSE) 3, 4 (1977), 266-278.
  59. Joxan Jaffar, Vijayaraghavan Murali, and Jorge A. Navas. 2013. Boosting Concolic Testing via Interpolation. In Proc. 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE'13). ACM, 48-58.
  60. Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa. 2012a. TRACER: A Symbolic Execution Tool for Verification. In Proc. 24th Int. Conf. on Comp. Aided Verification (CAV'12). 758-766.
  61. Joxan Jaffar, Jorge A. Navas, and Andrew E. Santosa. 2012b. Unbounded Symbolic Execution for Program Verification. In Proc. 2nd Int. Conf. on Runtime Verification (RV'11). 396-411.
  62. Joxan Jaffar, Andrew E. Santosa, and R ǎzvan Voicu. 2009. An Interpolation Method for CLP Traversal. In Proc. 15th Int. Conf. on Principles and Practice of Constraint Programming (CP'09). 454-469.
  63. Jinseong Jeon, Xiaokang Qiu, Jonathan Fetter-Degges, Jeffrey S. Foster, and Armando Solar-Lezama. 2016. Synthesizing Framework Models for Symbolic Execution. In Proc. 38th Int. Conf. on Software Engineer- ing (ICSE'16). ACM, 156-167.
  64. Xiangyang Jia, Carlo Ghezzi, and Shi Ying. 2015. Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution. In Proc. 2015 Int. Symp. on Software Testing and Analysis (ISSTA'15). 177-187.
  65. Yit Phang Khoo, Bor-Yuh Evan Chang, and Jeffrey S. Foster. 2010. Mixing Type Checking and Symbolic Execution. In Proc. 31st ACM SIGPLAN Conf. on Prog. Lang. Design and Impl. (PLDI'10). 436-447.
  66. Sarfraz Khurshid, Corina S. Pasareanu, and Willem Visser. 2003. Generalized Symbolic Execution for Model Checking and Testing. In Proc. 9th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'03). Springer-Verlag, 553-568.
  67. James C. King. 1975. A New Approach to Program Testing. In Proc. Int. Conf. on Reliable Software. ACM, 228-233.
  68. James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM 19, 7 (1976), 385-394.
  69. Daniel Kroening, Natasha Sharygina, Stefano Tonetta, Aliaksei Tsitovich, and Christoph M. Wintersteiger. 2008. Loop Summarization Using Abstract Transformers. In Proc. 6th Int. Symp. on Automated Tech- nology for Verification and Analysis (ATVA'08). 111-125.
  70. Volodymyr Kuznetsov, Johannes Kinder, Stefan Bucur, and George Candea. 2012. Efficient State Merging in Symbolic Execution. In Proc. 33rd ACM SIGPLAN Conf. on Programming Language Design and Implementation (PLDI'12). ACM, 193-204.
  71. You Li, Zhendong Su, Linzhang Wang, and Xuandong Li. 2013. Steering Symbolic Execution to Less Trav- eled Paths. In Proc. ACM SIGPLAN Conference on Object Oriented Programming Systems Languages & Applications (OOPSLA'13). 19-32.
  72. Kin-Keung Ma, Khoo Yit Phang, Jeffrey S. Foster, and Michael Hicks. 2011. Directed Symbolic Execution. In Proc. 18th Int. Conf. on Static Analysis (SAS'11). 95-111.
  73. Rupak Majumdar and Koushik Sen. 2007. Hybrid Concolic Testing. In Proc. 29th Int. Conf. on Software Engineering (ICSE'07). IEEE Computer Society, 416-426.
  74. Rupak Majumdar and Ru-Gang Xu. 2009. Reducing Test Inputs Using Information Partitions. In Proc. 21st Int. Conf. on Computer Aided Verification (CAV'09). Springer-Verlag, Berlin, Heidelberg, 555-569.
  75. Kenneth L. McMillan. 2010. Lazy Annotation for Program Testing and Verification. In Proc. 22nd Int. Conf. on Computer Aided Verification (CAV'10). 104-118.
  76. Phil McMinn. 2004. Search-based Software Test Data Generation: A Survey. Software Testing, Verification & Reliability 14, 2 (2004), 105-156.
  77. Corina S. Pasareanu and Neha Rungta. 2010. Symbolic PathFinder: Symbolic Execution of Java Bytecode. In Proc. IEEE/ACM Int. Conf. on Automated Software Engineering (ASE'10). ACM, 179-180.
  78. Corina S. Pasareanu, Neha Rungta, and Willem Visser. 2011. Symbolic Execution with Mixed Concrete- symbolic Solving. In Proc. 2011 Int. Symp. on Software Testing and Analysis (ISSTA'11). ACM, 34-44.
  79. Corina S. Pasareanu and Willem Visser. 2009. A Survey of New Trends in Symbolic Execution for Software Testing and Analysis. Int. Journal on Software Tools for Technology Transfer 11, 4 (2009), 339-353.
  80. David M. Perry, Andrea Mattavelli, Xiangyu Zhang, and Cristian Cadar. 2017. Accelerating Array Con- straints in Symbolic Execution. In Proc. 26th ACM SIGSOFT Int. Symp. on Software Testing and Anal- ysis (ISSTA'17). ACM, 68-78.
  81. Ruzica Piskac, Thomas Wies, and Damien Zufferey. 2013. Automating Separation Logic Using SMT. In Proc. 25th Int. Conf. on Computer Aided Verification (CAV'13). 773-789.
  82. Amir Pnueli and Roni Rosner. 1989. On the Synthesis of a Reactive Module. In Proc. 16th ACM SIGPLAN- SIGACT Symp. on Principles of Programming Languages (POPL'89). ACM, 179-190.
  83. Charles Prud'homme, Jean-Guillaume Fages, and Xavier Lorca. 2015. Choco Documentation. TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S.
  84. Dawei Qi, Hoang D. T. Nguyen, and Abhik Roychoudhury. 2013. Path Exploration Based on Symbolic Out- put. ACM Transactions on Software Engineering and Methodology (TOSEM) 22, 4, Article 32 (2013).
  85. David A. Ramos and Dawson R. Engler. 2015. Under-constrained Symbolic Execution: Correctness Checking for Real Code. In Proc. 24th USENIX Conf. on Security Symp. (SEC'15). USENIX Association, 49-64.
  86. John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In Proc. 17th Annual IEEE Symp. on Logic in Computer Science (LICS'02). IEEE Computer Society, 55-74.
  87. Nicolas Rosner, Jaco Geldenhuys, Nazareno M. Aguirre, Willem Visser, and Marcelo F. Frias. 2015. BLISS: Improved Symbolic Execution by Bounded Lazy Initialization with SAT Support. IEEE Transactions on Software Engineering (TSE) 41, 7 (2015), 639-660.
  88. Prateek Saxena, Pongsin Poosankam, Stephen McCamant, and Dawn Song. 2009. Loop-extended Symbolic Execution on Binary Programs. In Proc. 18th Int. Symp. on Software Testing and Analysis. 225-236.
  89. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In Proc. 2010 IEEE Symp. on Security and Privacy (SP'10). IEEE Computer Society, 317-331.
  90. Daniel Schwartz-Narbonne, Martin Schaf, Dejan Jovanovic, Philipp R ümmer, and Thomas Wies. 2015. Conflict-Directed Graph Coverage. In NASA Formal Methods: 7th Int. Symp. 327-342.
  91. Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A Concolic Unit Testing Engine for C. In Proc. 10th European Software Engineering Conf. Held Jointly with 13th ACM SIGSOFT Int. Symp. on Foun- dations of Software Engineering (ESEC/FSE'13). ACM, 263-272.
  92. Ondrej Sery, Grigory Fedyukovich, and Natasha Sharygina. 2012a. Incremental Upgrade Checking by Means of Interpolation-based Function Summaries. In 2012 Formal Methods in Computer-Aided De- sign (FMCAD'12). 114-121.
  93. Ondrej Sery, Grigory Fedyukovich, and Natasha Sharygina. 2012b. Interpolation-Based Function Sum- maries in Bounded Model Checking. In Proc. 7th Int. Haifa Verification Conf. on Hardware and Soft- ware: Verification and Testing (HVC'11). 160-175.
  94. Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice -Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. In 22nd Annual Network and Distributed System Security Symp. (NDSS'15).
  95. Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2016. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In IEEE Symp. on Security and Privacy (SP'16). 138-157.
  96. Jiri Slaby, Jan Strejcek, and Marek Trtik. 2013. Compact Symbolic Execution. In 11th Int. Symp. on Auto- mated Technology for Verification and Analysis (ATVA'13). 193-207.
  97. Armando Solar Lezama. 2008. Program Synthesis By Sketching. Ph.D. Dissertation. EECS Department, University of California, Berkeley.
  98. Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. 2008. BitBlaze: A New Approach to Computer Security via Binary Analysis. In Proc. 4th Int. Conf. on Information Systems Security ((ICISS'08). 1-25.
  99. Litong Song and Krishna Kavi. 2004. What Can We Gain by Unfolding Loops? SIGPLAN Not. 39, 2 (2004), 26-33.
  100. Matheus Souza, Mateus Borges, Marcelo d'Amorim, and Corina S. Pasareanu. 2011. CORAL: Solving Com- plex Constraints for Symbolic Pathfinder. In Proc. 3rd Int. NASA Formal Methods Symp. 359-374.
  101. Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Execution. In 23nd Annual Network and Distr. System Sec. Symp. (NDSS'16).
  102. Aditya Thakur, Junghee Lim, Akash Lal, Amanda Burton, Evan Driscoll, Matt Elder, Tycho Andersen, and Thomas Reps. 2010. Directed Proof Generation for Machine Code. In Proc. 22nd Int. Conf. on Computer Aided Verification (CAV'10). Springer-Verlag, 288-305.
  103. Marek Trtik and Jan Strejček. 2014. Symbolic Memory with Pointers. Springer Int. Publishing, 380-395.
  104. Aliaksei Tsitovich, Natasha Sharygina, Christoph M. Wintersteiger, and Daniel Kroening. 2011. Loop Sum- marization and Termination Analysis. In Proc. Theory and Practice of Software, Proc. 17th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'11/ETAPS'11). 81-95.
  105. Heila van der Merwe, Oksana Tkachuk, Brink van der Merwe, and Willem Visser. 2015. Generation of Library Models for Verification of Android Applications. SIGSOFT Software Engineering Notes 40, 1 (2015), 1-5.
  106. Willem Visser, Jaco Geldenhuys, and Matthew B. Dwyer. 2012. Green: Reducing, Reusing and Recycling Constraints in Program Analysis. In Proc. ACM SIGSOFT 20th Int. Symp. on the Foundations of Soft- ware Engineering (FSE'12). ACM, Article 58.
  107. Willem Visser, Corina S. Pasareanu, and Sarfraz Khurshid. 2004. Test Input Generation with Java PathFinder. In Proc. 2004 ACM SIGSOFT Int. Symp. on Software Testing and Analysis. ACM, 97-107.
  108. Jonas Wagner, Volodymyr Kuznetsov, and George Candea. 2013. Overify: Optimizing Programs for Fast Verification. In Proc. 14th USENIX Conf. on Hot Topics in Operating Systems. USENIX Association.
  109. Haijun Wang, Ting Liu, Xiaohong Guan, Chao Shen, Qinghua Zheng, and Zijiang Yang. 2017. Dependence Guided Symbolic Execution. IEEE Transactions Software Engineering (TSE) 43, 3 (2017), 252-271.
  110. Mark Weiser. 1984. Program Slicing. IEEE Transactions on Software Engineering SE-10, 4 (1984), 352-357.
  111. Xusheng Xiao, Tao Xie, Nikolai Tillmann, and Jonathan de Halleux. 2011. Precise Identification of Problems for Structural Test Generation. In Proc. 33rd Int. Conf. on Software Engineering (ICSE'11). 611-620.
  112. Tao Xie, Nikolai Tillmann, Jonathan de Halleux, and Wolfram Schulte. 2009. Fitness-guided path explo- ration in dynamic symbolic execution. In Proc. 2009 IEEE/IFIP Int. Conf. on Dependable Systems and Networks (DSN'09). 359-368.
  113. Xiaofei Xie, Bihuan Chen, Yang Liu, Wei Le, and Xiaohong Li. 2016. Proteus: Computing Disjunctive Loop Summary via Path Dependency Analysis. In Proc. 2016 24th ACM SIGSOFT Int. Symp. on Foundations of Software Engineering (FSE'16). 61-72.
  114. Yichen Xie and Alex Aiken. 2005. Scalable Error Detection Using Boolean Satisfiability. In Proc. 32nd ACM SIGPLAN-SIGACT Symp. on Principles of Programming Languages (POPL'05). ACM, 351-363.
  115. Guowei Yang, Corina S. Pasareanu, and Sarfraz Khurshid. 2012. Memoized Symbolic Execution. In Proc. 2012 Int. Symp. on Software Testing and Analysis (ISSTA'12). ACM, 144-154.
  116. Guowei Yang, Suzette Person, Neha Rungta, and Sarfraz Khurshid. 2014. Directed Incremental Symbolic Execution. ACM Transactions on Software Engineering and Methodology (TOSEM) 24, 1, Article 3 (2014).
  117. Qiuping Yi, Zijiang Yang, Shengjian Guo, Chao Wang, Jian Liu, and Chen Zhao. 2015. Postconditioned Sym- bolic Execution. In 2015 IEEE 8th Int. Conf. on Software Testing, Verification and Validation (ICST).
  118. Yufeng Zhang, Zhenbang Chen, Ji Wang, Wei Dong, and Zhiming Liu. 2015. Regular Property Guided Dy- namic Symbolic Execution. In Proc. 37th Int. Conf. on Software Engineering (ICSE'15). 643-653.
  119. Yunhui Zheng, Xiangyu Zhang, and Vijay Ganesh. 2013. Z3-str: A Z3-based String Solver for Web Applica- tion Analysis. In Proc. 2013 9th Joint Meeting on Foundations of Software Engineering. ACM, 114-124.

Related papers

Loop-extended symbolic execution on binary programs
prateek saxena

2009

Mixed concrete and symbolic execution is an important technique for finding and understanding software bugs, including securityrelevant ones. However, existing symbolic execution techniques are limited to examining one execution path at a time, in which symbolic variables reflect only direct data dependencies. We introduce loop-extended symbolic execution, a generalization that broadens the coverage of symbolic results in programs with loops. It introduces symbolic variables for the number of times each loop executes, and links these with features of a known input grammar such as variable-length or repeating fields. This allows the symbolic constraints to cover a class of paths that includes different numbers of loop iterations, expressing loop-dependent program values in terms of properties of the input. By performing more reasoning symbolically, instead of by undirected exploration, applications of loop-extended symbolic execution can achieve better results and/or require fewer program executions. To demonstrate our technique, we apply it to the problem of discovering and diagnosing buffer-overflow vulnerabilities in software given only in binary form. Our tool finds vulnerabilities in both a standard benchmark suite and 3 real-world applications, after generating only a handful of candidate inputs, and also diagnoses general vulnerability conditions.

View PDFchevron_right
Under-Constrained Symbolic Execution: Correctness Checking for Real Code
david ramos

2015

Software bugs are a well-known source of security vulnerabilities. One technique for finding bugs, symbolic execution, considers all possible inputs to a program but suffers from scalability limitations. This paper uses a variant, under-constrained symbolic execution, that improves scalability by directly checking individual functions, rather than whole programs. We present UC-KLEE, a novel, scalable framework for checking C/C++ systems code, along with two use cases. First, we use UC-KLEE to check whether patches introduce crashes. We check over 800 patches from BIND and OpenSSL and find 12 bugs, including two OpenSSL denial-of-service vulnerabilities. We also verify (with caveats) that 115 patches do not introduce crashes. Second, we use UC-KLEE as a generalized checking framework and implement checkers to find memory leaks, uninitialized data, and unsafe user input. We evaluate the checkers on over 20,000 functions from BIND, OpenSSL, and the Linux kernel, find 67 bugs, and verif...

View PDFchevron_right
A Generic Framework for Symbolic Execution
Dorel Lucanu

Lecture Notes in Computer Science, 2013

We propose a language-independent symbolic execution framework for languages endowed with a formal operational semantics based on term rewriting. Starting from a given definition of a language, a new language definition is automatically generated, which has the same syntax as the original one but whose semantics extends data domains with symbolic values and adapts semantical rules to deal with these values. Then, the symbolic execution of concrete programs is the execution of programs with the new symbolic semantics, on symbolic input data. We prove that the symbolic execution thus defined has the properties naturally expected from it. A prototype implementation of our approach was developed in the K Framework. We demonstrate the genericity of our tool by instantiating it on several languages, and show how it can be used for the symbolic execution and model checking of several programs. Id ::= domain of identifiers Int ::= domain of integer numbers (including operations) Bool ::= domain of boolean constants (including operations) AExp :: = Int | AExp / AExp [strict] | Id | AExp * AExp [strict] | (AExp) | AExp + AExp [strict] BExp :: = Bool | (BExp) | AExp <= AExp [strict] | not BExp [strict] | BExp and BExp [strict(1)] Stmt :: = skip | { Stmt } | Stmt ; Stmt | Id := AExp | while BExp do Stmt | if BExp then Stmt else Stmt [strict(1)] Code ::= Id | Int | Bool | AExp | BExp | Stmt | Code Code

View PDFchevron_right
Redundant State Detection for Dynamic Symbolic Execution
Suhabe Bugrara

Many recent tools use dynamic symbolic execution to perform tasks ranging from automatic test generation, finding security flaws, equivalence verification, and exploit generation. However, while symbolic execution is promising, it perennially struggles with the fact that the number of paths in a program increases roughly exponentially with both code and input size. This paper presents a technique that attacks this problem by eliminating paths that cannot reach new code before they are executed and evaluates it on 66 system intensive, complicated , and widely-used programs. Our experiments demonstrate that the analysis speeds up dynamic symbolic execution by an average of 50.5 X, with a median of 10 X, and increases coverage by an average of 3.8 %.

View PDFchevron_right
Generalizing symbolic execution to library classes
Awais Khurshid

ACM Sigsoft Software Engineering Notes, 2006

Forward symbolic execution is a program analysis technique that allows using symbolic inputs to explore program executions. The traditional applications of this technique have focused on programs that manipulate primitive data types, such as integer or boolean. Recent extensions have shown how to handle reference types at their representation level. The extensions have favorably been backed by advances in constraint solving technology, and together they have made symbolic execution applicable, at least in theory, to a large class of programs. In practice, however, the increased potential for applications has created significant issues with scalability of symbolic execution to programs of non-trivial size-the ensuing path conditions rapidly become unfeasibly complex.

View PDFchevron_right

Related topics

  • Computer Science
  • Software Security
  • Symbolic Execution
  • SMT Solvers

    • Cited by

    Live functional programming with typed holes
    Cyrus Omar

    Proceedings of the ACM on Programming Languages

    Live programming environments aim to provide programmers (and sometimes audiences) with continuous feedback about a program's dynamic behavior as it is being edited. The problem is that programming languages typically assign dynamic meaning only to programs that are complete, i.e. syntactically well-formed and free of type errors. Consequently, live feedback presented to the programmer exhibits temporal or perceptive gaps. This paper confronts this "gap problem" from type-theoretic first principles by developing a dynamic semantics for incomplete functional programs, starting from the static semantics for incomplete functional programs developed in recent work on Hazelnut. We model incomplete functional programs as expressions with holes, with empty holes standing for missing expressions or types, and non-empty holes operating as membranes around static and dynamic type inconsistencies. Rather than aborting when evaluation encounters any of these holes as in some existing systems, evaluation proceeds around holes, tracking the closure around each hole instance as it flows through the remainder of the program. Editor services can use the information in these hole closures to help the programmer develop and confirm their mental model of the behavior of the complete portions of the program as they decide how to fill the remaining holes. Hole closures also enable a fill-and-resume operation that avoids the need to restart evaluation after edits that amount to hole filling. Formally, the semantics borrows machinery from both gradual type theory (which supplies the basis for handling unfilled type holes) and contextual modal type theory (which supplies a logical basis for hole closures), combining these and developing additional machinery necessary to continue evaluation past holes while maintaining type safety. We have mechanized the metatheory of the core calculus, called Hazelnut Live, using the Agda proof assistant. We have also implemented these ideas into the Hazel programming environment. The implementation inserts holes automatically, following the Hazelnut edit action calculus, to guarantee that every editor state has some (possibly incomplete) type. Taken together with this paper's type safety property, the result is a proof-of-concept live programming environment where rich dynamic feedback is truly available without gaps, i.e. for every reachable editor state.

    View PDFchevron_right
    Scaling symbolic evaluation for automated verification of systems code with Serval
    Ronghui Gu

    Proceedings of the 27th ACM Symposium on Operating Systems Principles

    This paper presents Serval, a framework for developing automated verifiers for systems software. Serval provides an extensible infrastructure for creating verifiers by lifting interpreters under symbolic evaluation, and a systematic approach to identifying and repairing verification performance bottlenecks using symbolic profiling and optimizations. Using Serval, we build automated verifiers for the RISC-V, x86-32, LLVM, and BPF instruction sets. We report our experience of retrofitting CertiKOS and Komodo, two systems previously verified using Coq and Dafny, respectively, for automated verification using Serval, and discuss trade-offs of different verification methodologies. In addition, we apply Serval to the Keystone security monitor and the BPF compilers in the Linux kernel, and uncover 18 new bugs through verification, all confirmed and fixed by developers.

    View PDFchevron_right
    ACHyb: a hybrid analysis approach to detect kernel access control vulnerabilities
    文曦 王

    Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering

    Access control is essential for the Operating System (OS) security. Incorrect implementation of access control can introduce new attack surfaces to the OS, known as Kernel Access Control Vulnerabilities (KACVs). To understand KACVs, we conduct our study on the root causes and the security impacts of KACVs. Regarding the complexity of the recognized root causes, we particularly focus on two kinds of KACVs, namely KACV-M (due to missing permission checks) and KACV-I (due to misusing permission checks). We find that over 60% of these KACVs are of critical, high or medium security severity, resulting in a variety of security threats including bypass security checking, privileged escalation, etc. However, existing approaches can only detect KACV-M. The state-of-the-art KACV-M detector called PeX is a static analysis tool, which still suffers from extremely high false-positive rates. In this paper, we present ACHyb, a precise and scalable approach to reveal both KACV-M and KACV-I. ACHyb is a hybrid approach, which first applies static analysis to identify the potentially vulnerable paths and then applies dynamic analysis to further reduce the false positives of the paths. For the static analysis, ACHyb improves PeX in both the precision and the soundness, using the interface analysis, callsite dependence analysis and constraint-based invariant analysis with a stronger access control invariant. For the dynamic analysis, ACHyb utilizes the greybox fuzzing to identify the potential KACVs. In order to improve the fuzzing efficiency, ACHyb adopts our novel clustering-based seed distillation approach to generate high-quality seed programs. Our experimental results show that ACHyb reveals 76 potential KACVs in less than 8 hours and 22 of them are KACVs (19 KACV-M and 3 KACV-I). In contrast, PeX reveals 2,088 potential KACVs in more than 11 hours, and only 14 of them are KACVs (all KACV-M). Furthermore, ACHyb successfully uncovers 7 new KACVs, and 2 of them (1 KACV-M and 1 KACV-I) have been confirmed by kernel developers.

    View PDFchevron_right
    AI System Engineering—Key Challenges and Lessons Learned
    Lukas Fischer

    Machine Learning and Knowledge Extraction

    The main challenges are discussed together with the lessons learned from past and ongoing research along the development cycle of machine learning systems. This will be done by taking into account intrinsic conditions of nowadays deep learning models, data and software quality issues and human-centered artificial intelligence (AI) postulates, including confidentiality and ethical aspects. The analysis outlines a fundamental theory-practice gap which superimposes the challenges of AI system engineering at the level of data quality assurance, model building, software engineering and deployment. The aim of this paper is to pinpoint research topics to explore approaches to address these challenges.

    View PDFchevron_right
    On the Nature of Symbolic Execution
    Marcello Bonsangue

    2019 21st International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2019

    In this paper, we provide a formal definition of symbolic execution in terms of a symbolic transition system and prove its correctness with respect to an operational semantics which models the execution on concrete values. We first introduce such a formal model for a basic programming language with a statically fixed number of programming variables. This model is extended to a programming language with recursive procedures which are called by a call-by-value parameter mechanism. Finally, we show how to extend this latter model of symbolic execution to arrays and object-oriented languages which feature dynamically allocated variables.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved