automatic testing of symbolic execution engines via
play

Automatic Testing of Symbolic Execution Engines via Program - PowerPoint PPT Presentation

Oct 24, 2022 •611 likes •1.08k views

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x > 2294967295) { assert(false); } printf("x:

  1. Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London

  2. if (x > 2294967295) { assert(false); } printf("x: %u\n", x); 2

  3. Symbolic execution ● Used in industry: ○ IntelliTest ○ SAGE ○ KLOVER ○ SPF ○ Apollo ● Active research field 3

  4. Symbolic execution 1 unsigned int x = 5; 2 int main() { 3 if (x > 2294967295) { 4 assert(false); 5 } 6 printf("x: %u\n",x); 7 } 4

  5. Symbolic execution x = * 1 unsigned int x = 5; 2 int main() { TRUE FALSE x > 2294967295 3 make_symbolic(&x); 4 if (x > 2294967295) { 5 assert(false); x ≤ 2294967295 x > 2294967295 6 } 7 printf("x: %u\n",x); assert(false); printf("x: %d", x); 8 } Assertion x: 2 5 fail

  6. Symbolic executors ● Many available open source ● Complex pieces of software ○ Accurate interpreter or precise instrumentation ○ Accurate constraint solving ○ Constraint gathering ○ Scheduling Angr ○ Effective optimizations such as caching, fast solving, etc. 6

  7. Symbolic executors ● Many available open source ● Complex pieces of software ○ Accurate interpreter or precise instrumentation ○ Accurate constraint solving ○ Constraint gathering ○ Scheduling Angr ○ Effective optimizations such as caching, fast solving, etc. 7

  8. Bugs in symbolic executors 1 unsigned int x = 5; ● Particularly bad 2 int main() { ● Lead to false sense of security 3 make_symbolic(&x); ● Examples: 4 if(x > 2294967295) { ○ Missing a branch 5 assert(false); ○ Exploring spurious branches 6 } 7 printf("x: %u\n",x); 8 } 8

  9. Differential testing of symbolic execution Randomly generated program Compile Compile Execute Symbolically execute Compare 9

  10. Testing symbolic executors ● Compare two executions (native/symbolic) in 3 different modes: ○ Concrete - tests interpretation/instrumentation ○ Single Path - tests constraint gathering and solving ○ Multi Path - tests scheduling, test case generation 10

  11. Concrete mode x: 5 1 unsigned int x = 5; 2 int main() { 3 if (x > 2294967295) { 4 assert(false); 5 } 6 printf("x: %u\n",x); 7 } x: 343 11

  12. Single-Path mode 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); 7 } 8 printf("x: %u\n",x); 9 } Assertion fail 12

  13. Single-Path mode: Constrainers 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); if(x < 5) silent_exit(0); 7 } 8 printf("x: %u\n",x); if(x > 5) silent_exit(0); 9 } Assertion fail 13

  14. Single-Path mode: Constrainers 1 unsigned int x = 5; x: 5 2 int main() { 3 make_symbolic(&x); 4 CONSTRAIN(x, 5); CONSTRAIN(x, 5); 5 if(x > 2294967295) { 6 assert(false); 7 } if(x != 5) silent_exit(0); 8 printf("x: %u\n",x); 9 } Assertion fail 14

  15. Multi-Path mode Test case: Test case: 1 unsigned int x = 5; x = 7 x = 23 2 int main() { 3 make_symbolic(&x); 4 if(x > 2294967295) { 5 assert(false); 6 } 7 printf("x: %u\n",x); 8 } x: 7 x: 7 x: 23 x: 23 15 MATCH!

  16. Multi-Path mode int x = 5; Test case: Test case: x = -7 x = 23 void main() { make_symbolic(&x); if(x < 0) printf("x: %d", -x); else printf("x: %d", x); } x: 7 x: 7 x: 23 x: -23 16

  17. Testing symbolic executors ● Built a pipeline ● Run experiments in batches ● Avoid bugs found in previous batches 17

  18. Instrumentation supports ● Csmith ○ Random program generator ○ Found many bugs in compilers ○ Doesn’t generate programs with undefined behaviour ● Instrumentation supports: ○ Marking variables as symbolic ○ Oracles ○ Constraining 18

  19. Versions correspond to mode: ● Concrete mode - native version ● Single path mode - single path version ● Multi path mode - multi path version 19

  20. Oracles can check: 1. Executor doesn’t crash 2. Function call chain 3. Output (values of all global variables) matches 4. Coverage achieved on the random program 20

  21. Finally: ● Gather mismatches ● Reduce interesting ones ● Report bugs 21

  22. CREST Case Studies ● Concolic execution KLEE ● Instrumentation instead of interpretation ● Main case study ● Doesn’t generate test cases ○ Familiarity ○ Flexibility ● Built on top of LLVM FuzzBALL ● Keeps all paths in memory ● Binary level executor ● Doesn’t generate test cases 22

  23. 23

  24. 1 24

  25. 25

  26. 26

  27. 3 27

  28. 0 0 0 0 28

  29. Example bug: Crest Expected output Actual output 1 unsigned int a; 2 int main() { a: 6 a: 6 3 make_symbolic(&a); Assertion fail a: 23 4 if(a > 2294967295) { 5 assert(false); 6 } 7 printf("a: %d\n",a); 8 } 29

  30. Example bug: KLEE Expected Actual output output 1 int g_10 = 0; loop loop 2 int main() { loop 3 make_symbolic(&g_10); loop loop 4 do { loop loop 5 printf("loop\n"); loop 6 g_10 &= 2; ... 7 } while(!((3 ^ g_10) / 1)); 8 } 30

  31. Example bug: FuzzBALL Expected Actual output output 1 unsigned int g_54 = 0; 2 unsigned int g_56 = 0; g_56: 0 Strange term cast (cast(t2:reg32t)L:reg8t)U: 3 reg32t ^ 0xbc84814c:reg32t 4 void main ( void ) { 5 make_symbolic(&g_54); 6 CONSTRAIN(g_54, 0); 7 g_56 ^= 0 < g_54; 8 printf("g_56: %u\n", *(&g_56)); 9 } 31

  32. Conclusions ● Developed techniques that test many aspects of symbolic executors ● Applied them to 3 different symbolic executors ● Total bugs found: ○ 14 in KLEE ○ 3 in Crest ○ 3 in FuzzBALL 32

  33. 33

  34. Constrainers 34

  35. 35

  36. 36

  37. CREST bug ● 14 in KLEE (9 fixed) ● 3 in Crest (1 fixed) ● 3 in FuzzBALL (3 fixed) ● found within first 5000 runs of a batch 37

  38. Single-Path Mode Compare native execution, with symbolic execution constrained to the exact same path as native execution. 38

  39. Symbolic execution ● Mark some inputs as symbolic ● Runs the program, while gathering constraints on the symbolic data ● Forks at branch points when both sides are feasible ● Upon hitting a terminal state (ie. error), solves the gathered constraints, to produce an input leading the program to the same state 39

  40. Configuration includes: ● Program generation options ○ size/complexity of the program ○ language features to use ● Compilation options ● Mode ● Oracles to use 40

  41. Instrumentation supports ● Marking variables as symbolic ● Oracles ● Constraining 41

  42. V ersions correspond to mode used: ● Concrete mode - native version ● Single path mode - single path version ● Multi path mode - multi path version 42

  43. Oracles can check: 1. Executor doesn’t crash 2. Function call chain 3. Output (values of all global variables) matches 4. Coverage achieved on the program 43

  44. Finally: ● Gather mismatches ● Reduce interesting ones ● Report bugs 44

  45. Expected output Actual output 1 void foo(unsigned int x) { x: 6 x: 6 2 if( x > 2294967295) { Assertion fail x: 23 3 assert(false); 4 } 5 printf("x: %u\n", x); 6 } 45

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

1.43k views • 74 slides
Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath , Daniel Schemmel, Klaus Wehrle https://comsys.rwth-aachen.de EPIQ Workshop, Heraklion, Greece, 2018-12-04 QUANT ? Mozquic ? mvfst ? picoquic ?

1.45k views • 97 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1

Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1

Testing Query Execution Engines with Mutations Xinyue Chen 1 , Chenglong Wang 1 , Alvin Cheung 2 1 University of Washington 2 University of California, Berkeley Motivation Query optimizers and executors are core to all modern relational

446 views • 27 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch retrospective Understand

283 views • 13 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National University of Singapore 1 Thanks to organizers and ISSISP Steve Blackburn Adrian Herrera ISSISP Summer School 2018 Tony Hosking

1.17k views • 99 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides

More recommend