finding code that explodes under symbolic evalua on
play

Finding Code That Explodes Under Symbolic Evalua<on James - PowerPoint PPT Presentation

Jul 31, 2023 •235 likes •850 views

Finding Code That Explodes Under Symbolic Evalua<on James Bornholt Emina Torlak University of Washington unsat.org Automated reasoning tools help us solve hard programming problems Automated reasoning tools help us solve hard programming

  1. Finding Code That Explodes Under Symbolic Evalua<on James Bornholt Emina Torlak University of Washington unsat.org

  2. Automated reasoning tools help us solve hard programming problems

  3. Automated reasoning tools help us solve hard programming problems Does my program s8ll 👸 Verifica8on work a:er the file system crashes? [ASPLOS’16]

  4. Automated reasoning tools help us solve hard programming problems Does my program s8ll 👸 Verifica8on work a:er the file system crashes? [ASPLOS’16] How do I compile code 
 architecture? [PLDI’14]  Synthesis for this weird new

  5. Automated reasoning tools help us solve hard programming problems Does my program s8ll 👸 Verifica8on work a:er the file system crashes? [ASPLOS’16] How do I compile code 
 architecture? [PLDI’14]  Synthesis for this weird new How do I teach kids 
  “Programs” the rules of algebra effec8vely? [VMCAI’18]

  6. Symbolic evaluators Does my program s8ll How do I compile code 
 👸 architecture? [PLDI’14]  work a:er the file system for this weird new crashes? [ASPLOS’16]

  7. Symbolic evaluators Does my program s8ll How do I compile code 
 👸 architecture? [PLDI’14]  work a:er the file system for this weird new crashes? [ASPLOS’16] Interpreter for file system Interpreter for new architecture opera8ons instruc8ons

  8. Symbolic evaluators Does my program s8ll How do I compile code 
 👸 architecture? [PLDI’14]  work a:er the file system for this weird new crashes? [ASPLOS’16] Interpreter for file system Interpreter for new architecture opera8ons instruc8ons Symbolic evaluator Sketch, RoseWe, …

  9. Symbolic evaluators Does my program s8ll How do I compile code 
 👸 architecture? [PLDI’14]  work a:er the file system for this weird new crashes? [ASPLOS’16] Interpreter for file system Interpreter for new architecture opera8ons instruc8ons Symbolic evaluator Sketch, RoseWe, … Angelic Verifica8on Synthesis for free! Execu8on

  10. Symbolic evaluators: no free lunch Does my program s8ll 👸 work a:er the file system crashes? [ASPLOS’16] Interpreter for file system opera8ons Symbolic evaluator Sketch, RoseWe, … Angelic Verifica8on Synthesis for free! Execu8on

  11. Symbolic evaluators: no free lunch Does my program s8ll 👸 How do you make work a:er the file system these tools scale? crashes? [ASPLOS’16] Interpreter for file system opera8ons Symbolic evaluator Sketch, RoseWe, … Angelic Verifica8on Synthesis for free! Execu8on

  12. Symbolic evaluators: no free lunch Does my program s8ll 👸 How do you make work a:er the file system these tools scale? crashes? [ASPLOS’16] Searching all paths Searching all paths Interpreter for file system through the interpreter through the interpreter opera8ons Symbolic evaluator Sketch, RoseWe, … Angelic Verifica8on Synthesis for free! Execu8on

  13. Symbolic profiling iden<fies performance issues in symbolic evalua<on

  14. Symbolic profiling iden<fies performance issues in symbolic evalua<on Symbolic profiling Data structures and analyses

  15. Symbolic profiling iden<fies performance issues in symbolic evalua<on Symbolic profiling Data structures and analyses 20 Symbolic evalua8on an8-paWerns 10 Common issues and source-level repairs 0 0 1500

  16. Symbolic profiling iden<fies performance issues in symbolic evalua<on Symbolic profiling Data structures and analyses 20 Symbolic evalua8on an8-paWerns 10 Common issues and source-level repairs 0 0 1500 Empirical results 300× speedup on real-world tools

  17. Symbolic profiling iden<fies performance issues in symbolic evalua<on if (…) { … } Symbolic evalua8on All-paths execu8on of programs ∀ x. φ(…, x) Symbolic profiling Data structures and analyses 20 Symbolic evalua8on an8-paWerns 10 Common issues and source-level repairs 0 0 1500 Empirical results 300× speedup on real-world tools

  18. Symbolic evalua<on All-paths execu8on of programs

  19. Symbolic evalua<on executes all paths through a program #lang rosette ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k))

  20. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k))

  21. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 ))

  22. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 )

  23. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 )

  24. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 )

  25. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 ) k=0 k=0 k=1 k=0 k=1 k=0 k=2 k=1 ‘() ‘() ‘(x 1 ) ‘() ‘(x 0 ) ‘() ‘(x 0 ) ‘(x 0 x 1 )

  26. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) take runs 2 2 8mes ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 ) k=0 k=0 k=1 k=0 k=1 k=0 k=2 k=1 ‘() ‘() ‘(x 1 ) ‘() ‘(x 0 ) ‘() ‘(x 0 ) ‘(x 0 x 1 )

  27. Symbolic evalua<on executes all paths through a program Inputs are unknown #lang rosette (trying to find values that violate spec) ( define (first-k-even lst k) ( define xs ( filter even? lst)) ( take xs k)) because filter ran (filter even? ‘(x 0 x 1 )) on a list of size 2 ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) take runs 2 2 8mes ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 ) k=0 k=0 k=1 k=0 k=1 k=0 k=2 k=1 ‘() ‘() ‘(x 1 ) ‘() ‘(x 0 ) ‘() ‘(x 0 ) ‘(x 0 x 1 )

  29. Blaming filter even though it’s not the slowest

  30. Symbolic profiling Data structures and metrics

  31. Two data structures to summarize symbolic evalua<on ‘() ∧ ∧ ∧ ∧ ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬ ¬ ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) (even? x 0 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 ) Symbolic evalua<on graph Symbolic heap Reflects the evaluator’s strategy 
 Shape of all symbolic values 
 for all-paths execu8on of the program created by the program Any symbolic evalua<on technique can be summarized by these two data structures

  32. The symbolic evalua4on graph summarizes branching and merging (filter even? ‘(x 0 x 1 )) Symbolic evalua<on graph ¬(even? x 0 ) (even? x 0 ) • Nodes are program states • Edges are transi8ons ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) between states ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 ) k=0 k=0 k=1 k=0 k=1 k=0 k=2 k=1 ‘() ‘() ‘(x 1 ) ‘() ‘(x 0 x 1 ) ‘(x 0 ) ‘() ‘(x 0 )

  33. The symbolic evalua4on graph summarizes branching and merging (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 )

  34. The symbolic evalua4on graph summarizes branching and merging Symbolic execu8on (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 )

  35. The symbolic evalua4on graph summarizes branching and merging Symbolic execu8on Bounded model checking (filter even? ‘(x 0 x 1 )) (filter even? ‘(x 0 x 1 )) ¬(even? x 0 ) (even? x 0 ) ¬(even? x 0 ) (even? x 0 ) ‘() ‘(x 0 ) ‘() ‘(x 0 ) ¬(even? x 1 ) (even? x 1 ) ¬(even? x 1 ) (even? x 1 ) ‘() ‘(x 1 ) ‘(x 0 ) ‘(x 0 x 1 )

Recommend

turchi@&lt;k.eu Slides from the presenta&amp;on by MaDeo Negri and myself MT Evalua&amp;on,

turchi@&lt;k.eu Slides from the presenta&amp;on by MaDeo Negri and myself MT Evalua&amp;on,

Outline Importance of MT Evalua&amp;on Difficulty of MT Evalua&amp;on Evalua&amp;on of Human evalua&amp;on: fluency/adequacy Automa&amp;c evalua&amp;on: Machine Transla&amp;on Quality Reference-based: BLEU, TER, HTER (chosen

478 views • 25 slides
Evalua'ng Your Medical Educa'on UME Evalua'on Office Susan Claxon Evalua-on Specialist Gretchen

Evalua'ng Your Medical Educa'on UME Evalua'on Office Susan Claxon Evalua-on Specialist Gretchen

Evalua'ng Your Medical Educa'on UME Evalua'on Office Susan Claxon Evalua-on Specialist Gretchen Guiton, Ph.D. Director Jennifer Gong, Ph.D. Assistant Director Brooke Parsons, M.P.A. Evaluator Susan Peth Sr Evalua-on Specialist Traci

818 views • 19 slides
FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

630 views • 33 slides
Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel

Finding 1-Day Vulnerabilities in Trusted Applications using Selective Symbolic Execution Marcel Busch , Kalle Dirsch 2020-02-23 Friedrich-Alexander-University Erlangen-Nrnberg, Germany BAR20 BAR20 Motivation How secure are

352 views • 16 slides
The Effect of of Tapping a Coke Can on How Much Coke Explodes NAMES The Science Behind The Myth

The Effect of of Tapping a Coke Can on How Much Coke Explodes NAMES The Science Behind The Myth

The Effect of of Tapping a Coke Can on How Much Coke Explodes NAMES The Science Behind The Myth The bubbles in a carbonated drink like coke or sparkling water are made by pushing gas into a liquid that is under pressure. When a bottle is

539 views • 10 slides
Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable

ICTAC 2018 15 th International Colloquium on Theoretical Aspects of Computing Stellenbosch, South Africa, Oct 19, 2018 Finding Rare Concurrent Programming Bugs An Automatic , Symbolic , Randomized , and Parallelizable Approach Gennaro Parlato

818 views • 59 slides
Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using encryption for authentication in large networks of computers (CACM 1978) , Needham and Schroeder didnt just initiate a field that led to widely

1.32k views • 104 slides
Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie

Qemu code fault automatic discovery with symbolic search Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel Goals of this presentation Introduction of KLEE (symbolic execution tool) Qemu fault/patch retrospective Understand

283 views • 13 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Evalua&amp;onoftheSimulated PlanetaryBoundaryLayerin

Evalua&amp;onoftheSimulated PlanetaryBoundaryLayerin

Evalua&amp;onoftheSimulated PlanetaryBoundaryLayerin EasternTexas JennaKolling JonathanPleim(USEPA),WilliamVizuete(UNC),HarveyJeffries(UNC) October12,2010

228 views • 20 slides
Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a Module Filter &amp; Sort Deciding Between Modules Installation Profiles Government, library, university - http://openpublicapp.com Intranet -

295 views • 7 slides
Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

713 views • 38 slides
Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson

Scaling symbolic evaluation for automated verification of systems code with Serval Luke Nelson , James Bornholt , Ronghui Gu , Andrew Baumann , Emina Torlak , Xi Wang University of Washington, Columbia University,

661 views • 42 slides
1. Overview of NOAA CMIP5 Task Force Model Evalua=ons 2. Global

1. Overview of NOAA CMIP5 Task Force Model Evalua=ons 2. Global

1. Overview of NOAA CMIP5 Task Force Model Evalua=ons 2. Global and regional drought from CMIP5: Evalua=ons of contemporary climate simula=ons and implica=ons

490 views • 19 slides
Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul

Symbolic Crosschecking of Floating-Point and SIMD Code Peter Collingbourne, Cristian Cadar, Paul H J Kelly Department of Computing, Imperial College London 13 April, 2011 1 SIMD Single Instruction Multiple Data A popular means of

905 views • 51 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Supervisors: Author: Lesly-Ann Daniel Sbastien Bardin CEA LIST CEA LIST Tamara Rezk Oct 2018 - Oct 2021 INRIA Sophia Antipolis

777 views • 38 slides
Evalua&amp;on of Alkanediamide-linked Bisbenzamidines as

Evalua&amp;on of Alkanediamide-linked Bisbenzamidines as

Evalua&amp;on of Alkanediamide-linked Bisbenzamidines as Poten&amp;al An&amp;parasi&amp;c Agents Jean J. Vanden Eynde 1 , Annie Mayence 2 , Madhusoodanan MoEamal 3 ,

269 views • 25 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic

Binsec/RelSE Efficient Constant-Time Analysis of Binary-Level Code with Relational Symbolic Execution Lesly-Ann Daniel Sbastien Bardin Tamara Rezk CEA LIST, France CEA LIST, France INRIA, France IEEE Symposium on Security and Privacy May

464 views • 25 slides
Keansburg School District SGO Refresher 2014 Teacher Evalua&gt;on

Keansburg School District SGO Refresher 2014 Teacher Evalua&gt;on

Keansburg School District SGO Refresher 2014 Teacher Evalua&gt;on 2014-2015 Teacher Evalua&gt;on Weigh&gt;ngs Non-SGP teachers: 80% teacher prac5ce 20%

628 views • 27 slides

More recommend