Pending Constraints in Symbolic Execution for Better Exploration and - PowerPoint PPT Presentation

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1

Symbolic Execution ● Program analysis technique ● Active research area ● Used in industry ○ IntelliTest, SAGE Angr ○ KLOVER 2

Why symbolic execution? ● No false positives! ○ Every bug found has a concrete input triggering it ● Can interact with the environment ○ I/O, unmodeled libraries ● Only relevant code executed “symbolically”, the rest is fast “native” execution 3

Why (not) symbolic execution? ● Scalability, scalability, scalability ○ Constraint solving is hard ○ Path explosion 4

This talk Introduce pending constraints which enhance the scalability of symbolic execution via aggressively tackling paths that are known to be feasible. 5

“known to be feasible” Caching Seeding ● Cache assignments from ● External, usually valid previous solver queries concrete inputs ● Already widely adopted ● Used to bootstrap symbolic execution ● From test-suites, examples, production data 6

Symbolic execution example: get_sign int get_sign( int x) { int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; return r; } 7

get_sign( x ); int get_sign( int x) { int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; return r; } Known assignments ∅ 8

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; return r; } Known assignments ∅ 9

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } Known assignments ∅ 10

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x < 1 Known assignments Known assignments x = -2 x = -2 11

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments Known assignments x = -2 x = -2 x = 7 12

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x = -2 x = 7 13

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 7 14

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 0 x = 7 x = 0 15

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 0 x = 7 x = 0 r = 0; 16

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 7 x = 0 r = 0; return r; 17

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 7 x = 0 r = 0; return r; return r; 18

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 7 x = 0 r = 0; return r; return r; 19

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x == 0 x = 7 x = 0 r = 0; return r; return r; 20

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x == 0 x = 7 x = 0 x = 0 r = 0; return r; return r; 21

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x == 0 x = 7 x ≠ 0 x = 0 x = 0 r = 0; return r; return r; 22

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x == 0 x = 7 x ≠ 0 x = 0 x = 0 r = 0; return r; return r; return r; 23

Symbolic execution with pending constraints int get_sign( int x) { ● Explore paths that are known int r = -1; to be feasible if (x >= 1) r = 1; ● Solve constraints only when if (x == 0) r = 0; necessary to make progress return r; } 24

get_sign( x ); int get_sign( int x) { int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; return r; } Known assignments ∅ 25

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; return r; } Known assignments ∅ 26

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments ∅ 27

get_sign( x ); int get_sign( int x) { Pending constraints r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; ● Not known to be feasible } x ≥ 1 x < 1 ● When only pending constraints left ○ Pick one and check Known assignments ∅ 28

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x = -2 29

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 30

get_sign( x ); int get_sign( int x) { Pending constraints: still not known if feasible r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 31

get_sign( x ); int get_sign( int x) { Pending constraints: known feasible path! r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 32

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 return r; 33

get_sign( x ); int get_sign( int x) { Only pending constraints: check one r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 return r; 34

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 0 r = 0; return r; return r; 35

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x = 0 x = 7 r = 0; return r; return r; 36

get_sign( x ); int get_sign( int x) { r = -1; int r = -1; if (x >= 1) r = 1; if (x == 0) r = 0; x >= 1 return r; } x ≥ 1 x < 1 r = 1; Known assignments x == 0 x ≠ 0 x = -2 x = 0 x == 0 x = 0 x ≠ 0 x = 0 x = 7 r = 0; return r; return r; 37

Pending constraints: why would they be useful? ● Reversing md5 hash char msg[8] = symbolic; ○ Very hard for SMT solvers uint32_t *hash = md5(msg, 8); ● assert(hash[0] == 1471037522) 1471037522 = md5("ase2020")[0] ○ Use as seed 40

Suppose this exploration tree for md5 41

Suppose this path md5("ase2020") 42

Solver queries: 0 Pending Vanilla 43

Solver queries: 0 Pending Vanilla ase20 20 44

Solver queries: 8 Pending Vanilla ase20 ase20 20 20 54

Pending Constraints in Symbolic Execution for Better Exploration and - PowerPoint PPT Presentation

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Path Constraints from Symbolic Execution Tod Amon (ttamon@sandia.gov) Tim Loffredo

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but

Pending Constraints in Symbolic Execution for Better Exploration and - PowerPoint PPT Presentation

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Path Constraints from Symbolic Execution Tod Amon (ttamon@sandia.gov) Tim Loffredo

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but