symbolic execution a journey from safety to security
play

Symbolic Execution: a journey from safety to security S ebastien - PowerPoint PPT Presentation

Oct 16, 2023 •135 likes •1.37k views

Symbolic Execution: a journey from safety to security S ebastien Bardin joint work with Nikolai Kosmatov, Micka el Delahaye, Robin David CEA LIST Software Safety & Security Lab (Paris-Saclay, France) Bardin et al. S eminaire

  1. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 1 : only logical variables X n +1 = A n + B n memory model : disjoint variables { A , B , X , . . . } does not handle pointers Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  2. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 2 : add a memory state M [ ≈ logical array with store/load functions] M ′ = store ( M , addr ( X ) , load ( M , addr ( A )) + load ( M , addr ( B ))) Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  3. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 2 : add a memory state M [ ≈ logical array with store/load functions] M ′ = store ( M , addr ( X ) , load ( M , addr ( A )) + load ( M , addr ( B ))) memory model : map { Addr 1 �→ A , Addr 2 �→ B , . . . } Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  4. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 2 : add a memory state M [ ≈ logical array with store/load functions] M ′ = store ( M , addr ( X ) , load ( M , addr ( A )) + load ( M , addr ( B ))) memory model : map { Addr 1 �→ A , Addr 2 �→ B , . . . } ok for pointers, but type-safe access only (Java vs C) Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  5. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 3 : byte-level M [here : 3 bytes] let tmpA = load(M,addr(A)) @ load(M,addr(A)+1) @ load(M,addr(A)+2) and tmpB = load(M,addr(B)) @ load(M,addr(B)+1) @ load(M,addr(B)+2) in let nX = tmpA+tmpB in M ′ = store ( store ( store ( M , addr ( X ) , nX [0]) , addr ( X ) + 1 , nX [1]) , addr ( X ) + 2 , nX [2]) Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  6. DSE in a nutshell Path predicate : how to compute it ? (2) Let us consider : x := a + b Try 3 : byte-level M [here : 3 bytes] let tmpA = load(M,addr(A)) @ load(M,addr(A)+1) @ load(M,addr(A)+2) and tmpB = load(M,addr(B)) @ load(M,addr(B)+1) @ load(M,addr(B)+2) in let nX = tmpA+tmpB in M ′ = store ( store ( store ( M , addr ( X ) , nX [0]) , addr ( X ) + 1 , nX [1]) , addr ( X ) + 2 , nX [2]) ok for C, but complex formula Bardin et al. S´ eminaire Confiance Num´ erique 11/ 55

  7. DSE in a nutshell Path predicate : how to solve it ? Path predicate in some theory T Trade off on T highly expressive : easy path predicate computation, hard solving poorly expressive : hard path predicate computation, easier solving Remarks conjunctive quantifier-free formula are sufficient requires solution synthesis Current consensus : anything that fits into SMT solvers [Z3, CVC4, etc.] typical choices : array + LIA, array + bitvectors solvers are usually good enough [with proper preprocessing] yet, still some challenges : string, float, heavy memory manipulations Bardin et al. S´ eminaire Confiance Num´ erique 12/ 55

  8. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  9. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  10. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  11. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  12. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  13. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  14. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  15. DSE in a nutshell The Symbolic Execution Loop input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) [key 1] compute a path predicate ϕ σ of σ [key 2] solve ϕ σ for satisfiability [key 3 - use smt sovlers] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Under-approximation ◮ correct ◮ relatively complete � No false alarm Bardin et al. S´ eminaire Confiance Num´ erique 13/ 55

  16. DSE in a nutshell About robustness Dynamic Symbolic Execution [Korel+, Williams+, Godefroid+] interleave dynamic and symbolic executions drive the search towards feasible paths for free give hints for relevant under-approximations [robustness] Concretization : force a symbolic variable to take its runtime value application 1 : follow only feasible path for free application 2 : correct approximation of “difficult” constructs [out of scope or too expensive to handle] Bardin et al. S´ eminaire Confiance Num´ erique 14/ 55

  17. DSE in a nutshell About robustness (2) Goal = find input leading to ERROR (assume we have only a solver for linear integer arith.) g(int x) {return x*x; } f(int x, int y) {z=g(x); if (y == z) ERROR; else OK } Symbolic Execution create a subformula z = x ∗ x , out of theory [FAIL] Dynamic Symbolic Execution first concrete execution with x=3, y=5 [goto OK] during path predicate computation, x ∗ x not supported . x is concretized to 3 and z is forced to 9 resulting path predicate : x = 3 ∧ z = 9 ∧ y = z a solution is found : x=3, y=9 [goto ERROR] [SUCCESS] Bardin et al. S´ eminaire Confiance Num´ erique 15/ 55

  18. DSE in a nutshell Summary Dynamic Symbolic Execution [since 2004-2005 : dart, cute, pathcrawler] � no false alarm � robustness � scales [in some ways] Many applications smart fuzzing and bug finding [Microsoft SAGE, Klee, Mayhem, etc.] completion of existing test suites exploit generation reverse engineering Still many challenges scale and high coverage (loop, function calls) coverage-oriented testing [cf. after] , target-oriented testing path selection, right trade-off between concrete and symbolic Bardin et al. S´ eminaire Confiance Num´ erique 16/ 55

  19. Coverage-oriented DSE Outline Introduction DSE in a nutshell Coverage-oriented DSE Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 17/ 55

  20. Coverage-oriented DSE – The problem Context : white-box software testing Bardin et al. S´ eminaire Confiance Num´ erique 18/ 55

  21. Coverage-oriented DSE – The problem Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Bardin et al. S´ eminaire Confiance Num´ erique 18/ 55

  22. Coverage-oriented DSE – The problem Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Bardin et al. S´ eminaire Confiance Num´ erique 18/ 55

  23. Coverage-oriented DSE – The problem Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Coverage criteria [decision, mcdc, etc.] systematic way of deriving test objectives major role : guide testing, decide when to stop, assess quality beware : lots of different coverage criteria beware : infeasible test requirements Bardin et al. S´ eminaire Confiance Num´ erique 18/ 55

  24. Coverage-oriented DSE – The problem Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Coverage criteria [decision, mcdc, etc.] systematic way of deriving test objectives major role : guide testing, decide when to stop, assess quality beware : lots of different coverage criteria beware : infeasible test requirements Bardin et al. S´ eminaire Confiance Num´ erique 18/ 55

  25. Coverage-oriented DSE – The problem The problem : coverage-oriented DSE DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Bardin et al. S´ eminaire Confiance Num´ erique 19/ 55

  26. Coverage-oriented DSE – The problem The problem : coverage-oriented DSE DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Yet, no real support for structural coverage criteria [except path coverage and branch coverage] Would be useful : when required to produce tests achieving some criterion for producing “good” tests for an external oracle [functional correctness, security, performance, etc.] Bardin et al. S´ eminaire Confiance Num´ erique 19/ 55

  27. Coverage-oriented DSE – The problem The problem : coverage-oriented DSE DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Yet, no real support for structural coverage criteria [except path coverage and branch coverage] Recent efforts [Active Testing, Augmented DSE, Mutation DSE] limited or unclear expressiveness explosion of the search space [ APex : 272x avg, up to 2,000x] Bardin et al. S´ eminaire Confiance Num´ erique 19/ 55

  28. Coverage-oriented DSE – The problem Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Bardin et al. S´ eminaire Confiance Num´ erique 20/ 55

  29. Coverage-oriented DSE – The problem Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Results � generic low-level encoding of coverage criteria [ICST 14] � efficient variant of DSE for coverage criteria [ICST 14] � sound and quasi-complete detection of infeasibility [ICST 15] Bardin et al. S´ eminaire Confiance Num´ erique 20/ 55

  30. Coverage-oriented DSE – Labels Outline Introduction DSE in a nutshell Coverage-oriented DSE ◮ The problem ◮ Labels : a unified view of coverage criteria ◮ Efficient DSE for Labels ◮ The LTest testing framework ◮ Infeasible label detection Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 21/ 55

  31. Coverage-oriented DSE – Labels Focus : Labels Annotate programs with labels ◮ predicate attached to a specific program instruction Label ( loc , ϕ ) is covered if a test execution ◮ reaches the instruction at loc ◮ satisfies the predicate ϕ Good for us ◮ can easily encode a large class of coverage criteria [see after] ◮ in the scope of standard program analysis techniques Bardin et al. S´ eminaire Confiance Num´ erique 22/ 55

  32. Coverage-oriented DSE – Labels Simulation of standard coverage criteria statement_1 ; statement_1 ; // l1: x==y && a<b if (x==y && a<b) // l2: !(x==y && a<b) − − − − − → {...}; if (x==y && a<b) statement_3 ; {...}; statement_3 ; Decision Coverage ( DC ) Bardin et al. S´ eminaire Confiance Num´ erique 23/ 55

  33. Coverage-oriented DSE – Labels Simulation of standard coverage criteria statement_1 ; // l1: x==y statement_1 ; // l2: !(x==y) if (x==y && a<b) // l3: a<b − − − − − → {...}; // l4: !(a<b) statement_3 ; if (x==y && a<b) {...}; statement_3 ; Condition Coverage ( CC ) Bardin et al. S´ eminaire Confiance Num´ erique 23/ 55

  34. Coverage-oriented DSE – Labels Simulation of standard coverage criteria statement_1 ; // l1: x==y && a<b statement_1 ; // l2: x==y && a>=b if (x==y && a<b) // l3: x!=y && a<b − − − − − → {...}; // l4: x!=y && a>=b statement_3 ; if (x==y && a<b) {...}; statement_3 ; Multiple-Condition Coverage ( MCC ) Bardin et al. S´ eminaire Confiance Num´ erique 23/ 55

  35. Coverage-oriented DSE – Labels Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC GACC (a variant of MCDC) large part of Weak Mutations Input Domain Partition Run-Time Error Bardin et al. S´ eminaire Confiance Num´ erique 23/ 55

  36. Coverage-oriented DSE – Labels Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC GACC (a variant of MCDC) large part of Weak Mutations Input Domain Partition Run-Time Error Out of scope : . strong mutations, MCDC . (side-effect weak mutations) Bardin et al. S´ eminaire Confiance Num´ erique 23/ 55

  37. Coverage-oriented DSE – DSE ⋆ Outline Introduction DSE in a nutshell Coverage-oriented DSE ◮ The problem ◮ Labels : a unified view of coverage criteria ◮ Efficient DSE for Labels ◮ The LTest testing framework ◮ Infeasible label detection Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 24/ 55

  38. Coverage-oriented DSE – DSE ⋆ Direct instrumentation Covering label l ⇔ Covering branch True � sound & complete instrumentation × complexification of the search space [#paths, shape of paths] × dramatic overhead [theory & practice] [Apex : avg 272x, max 2000x] Bardin et al. S´ eminaire Confiance Num´ erique 25/ 55

  39. Coverage-oriented DSE – DSE ⋆ Direct instrumentation is not good enough Non-tightness 1 × P’ has exponentially more paths than P Bardin et al. S´ eminaire Confiance Num´ erique 26/ 55

  40. Coverage-oriented DSE – DSE ⋆ Direct instrumentation is not good enough Non-tightness 1 × P’ has exponentially more paths than P Non-tightness 2 × Paths in P’ too complex ◮ at each label, require to cover p or to cover ¬ p ◮ π ′ covers up to N labels Bardin et al. S´ eminaire Confiance Num´ erique 26/ 55

  41. Coverage-oriented DSE – DSE ⋆ Our approach The DSE ⋆ algorithm [ICST 14] Tight instrumentation P ⋆ : totally prevents “complexification” Iterative Label Deletion : discards some redundant paths Both techniques can be implemented in black-box Bardin et al. S´ eminaire Confiance Num´ erique 27/ 55

  42. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Tight Instrumentation Covering label l ⇔ Covering exit(0) � sound & complete instrumentation � no complexification of the search space Bardin et al. S´ eminaire Confiance Num´ erique 28/ 55

  43. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Tight Instrumentation (2) Bardin et al. S´ eminaire Confiance Num´ erique 29/ 55

  44. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Tight Instrumentation (2) Bardin et al. S´ eminaire Confiance Num´ erique 29/ 55

  45. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Tight Instrumentation (2) Bardin et al. S´ eminaire Confiance Num´ erique 29/ 55

  46. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Iterative Label Deletion Observations we need to cover each label only once yet, DSE explores paths of P ⋆ ending in already-covered labels burden DSE with “useless” paths w.r.t. label coverage Solution : Iterative Label Deletion keep a cover status for each label symbolic execution ignores paths ending in covered labels dynamic execution updates cover status [truly requires DSE] Iterative Label Deletion is relatively complete w.r.t. label coverage Bardin et al. S´ eminaire Confiance Num´ erique 30/ 55

  47. Coverage-oriented DSE – DSE ⋆ DSE ⋆ : Iterative Label Deletion (2) Bardin et al. S´ eminaire Confiance Num´ erique 31/ 55

  48. Coverage-oriented DSE – DSE ⋆ Experiments Benchmark : Standard (test generation) benchmarks [Siemens, Verisec, Mediabench] 12 programs (50-300 loc), 3 criteria ( CC , MCC , WM ) 26 pairs (program, coverage criterion) 1,270 test requirements Performance overhead DSE DSE’ DSE ⋆ Min × 1 × 1.02 × 0.49 Median × 1 × 1.79 × 1.37 Max × 1 × 122.50 × 7.15 Mean × 1 × 20.29 × 2.15 Timeouts 0 5 ∗ 0 ∗ : TO are discarded for overhead computation cherry picking : 94s vs TO [1h30] Bardin et al. S´ eminaire Confiance Num´ erique 32/ 55

  49. Coverage-oriented DSE – DSE ⋆ Experiments Benchmark : Standard (test generation) benchmarks [Siemens, Verisec, Mediabench] 12 programs (50-300 loc), 3 criteria ( CC , MCC , WM ) 26 pairs (program, coverage criterion) 1,270 test requirements Coverage Random DSE DSE ⋆ Min 37% 61% 62% Median 63% 90% 95% Max 100% 100% 100% Mean 70% 87% 90% vs DSE : +39% coverage on some examples Bardin et al. S´ eminaire Confiance Num´ erique 32/ 55

  50. Coverage-oriented DSE – DSE ⋆ Experiments Conclusion DSE ⋆ performs significantly better than DSE’ The overhead of handling labels is kept reasonable high coverage, better than DSE Bardin et al. S´ eminaire Confiance Num´ erique 32/ 55

  51. Coverage-oriented DSE – LTest Outline Introduction DSE in a nutshell Coverage-oriented DSE ◮ The problem ◮ Labels : a unified view of coverage criteria ◮ Efficient DSE for Labels ◮ The LTest testing framework ◮ Infeasible label detection Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 33/ 55

  52. Coverage-oriented DSE – LTest LTest overview LTest : All-in-one automated testing toolkit for C plugin of the Frama-C verification platform (open-source) based on PathCrawler for test generation the plugin itself is open-source except test generation Bardin et al. S´ eminaire Confiance Num´ erique 34/ 55

  53. Coverage-oriented DSE – LTest LTest overview Supported criteria Encoded with labels [ICST 2014] DC , CC , MCC , GACC managed in a unified way FC , IDC , WM rather easy to add new ones Bardin et al. S´ eminaire Confiance Num´ erique 34/ 55

  54. Coverage-oriented DSE – LTest LTest overview DSE ⋆ procedure [ICST 2014] DSE with native support for labels extension of PathCrawler Bardin et al. S´ eminaire Confiance Num´ erique 34/ 55

  55. Coverage-oriented DSE – LTest LTest overview Reuse static analyzers from Frama-C sound detection ! several modes : VA, WP, VA ⊕ WP Bardin et al. S´ eminaire Confiance Num´ erique 34/ 55

  56. Coverage-oriented DSE – LTest LTest overview Reuse static analyzers from Frama-C Service cooperation sound detection ! share label statuses several modes : VA, WP, VA ⊕ WP Covered , Infeasible , ? Bardin et al. S´ eminaire Confiance Num´ erique 34/ 55

  57. Coverage-oriented DSE – Infeasibility detection Outline Introduction DSE in a nutshell Coverage-oriented DSE ◮ The problem ◮ Labels : a unified view of coverage criteria ◮ Efficient DSE for Labels ◮ The LTest testing framework ◮ Infeasible label detection Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 35/ 55

  58. Coverage-oriented DSE – Infeasibility detection Infeasibility detection Infeasible test objectives waste generation effort, imprecise coverage ratios cause : structural coverage criteria are ... structural can be a nightmare [mcdc, mutations] detecting infeasible test requirements is undecidable Basic ideas rely on existing sound verification methods . label ( loc , ϕ ) infeasible ⇔ assertion ( loc , ¬ ϕ ) invariant grey-box combination of existing approaches [VA ⊕ WP] Bardin et al. S´ eminaire Confiance Num´ erique 36/ 55

  59. Coverage-oriented DSE – Infeasibility detection Overview of the approach labels as a unifying criteria label infeasibility ⇔ assertion validity s-o-t-a verification for assertion checking only soundness is required (verif) ◮ label encoding not required to be perfect . mcdc and strong mutation ok Bardin et al. S´ eminaire Confiance Num´ erique 37/ 55

  60. Coverage-oriented DSE – Infeasibility detection Focus : checking assertion validity Two broad categories of sound assertion checkers Forward abstract interpretation (VA) [state approximation] ◮ compute an invariant of the program ◮ then, analyze all assertions (labels) in one run Weakest precondition calculus (WP) [goal-oriented] ◮ perform a dedicated check for each assertion ◮ a single check usually easier, but many of them Bardin et al. S´ eminaire Confiance Num´ erique 38/ 55

  61. Coverage-oriented DSE – Infeasibility detection Focus : checking assertion validity Two broad categories of sound assertion checkers Forward abstract interpretation (VA) [state approximation] ◮ compute an invariant of the program ◮ then, analyze all assertions (labels) in one run Weakest precondition calculus (WP) [goal-oriented] ◮ perform a dedicated check for each assertion ◮ a single check usually easier, but many of them The paper is more generic Bardin et al. S´ eminaire Confiance Num´ erique 38/ 55

  62. Coverage-oriented DSE – Infeasibility detection Focus : checking assertion validity (2) VA WP � � sound for assert validity � � blackbox reuse � × local precision � × calling context � × calls / loop effects × × global precision � � scalability wrt. #labels � × scalability wrt. code size hypothesis : VA is interprocedural Bardin et al. S´ eminaire Confiance Num´ erique 39/ 55

  63. Coverage-oriented DSE – Infeasibility detection VA and WP may fail int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { int res; if(x+a >= x) res = 1; else res = 0; //l1: res == 0 } Bardin et al. S´ eminaire Confiance Num´ erique 40/ 55

  64. Coverage-oriented DSE – Infeasibility detection VA and WP may fail int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { int res; if(x+a >= x) res = 1; else res = 0; //@assert res != 0 } Bardin et al. S´ eminaire Confiance Num´ erique 40/ 55

  65. Coverage-oriented DSE – Infeasibility detection VA and WP may fail int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { int res; if(x+a >= x) res = 1; else res = 0; //@assert res != 0 // both VA and WP fail } Bardin et al. S´ eminaire Confiance Num´ erique 40/ 55

  66. Coverage-oriented DSE – Infeasibility detection Proposal : VA ⊕ WP (1) Goal = get the best of the two worlds idea : VA passes to WP the global info. it lacks Which information, and how to transfer it ? VA computes (internally) some form of invariants WP naturally takes into account assumptions //@ assume solution VA exports its invariants on the form of WP-assumptions Bardin et al. S´ eminaire Confiance Num´ erique 41/ 55

  67. Coverage-oriented DSE – Infeasibility detection Proposal : VA ⊕ WP (1) Goal = get the best of the two worlds idea : VA passes to WP the global info. it lacks Which information, and how to transfer it ? VA computes (internally) some form of invariants WP naturally takes into account assumptions //@ assume solution VA exports its invariants on the form of WP-assumptions Should work for any reasonable VA and WP engine No manually-inserted WP assumptions Bardin et al. S´ eminaire Confiance Num´ erique 41/ 55

  68. Coverage-oriented DSE – Infeasibility detection VA ⊕ WP succeeds! int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { int res; if(x+a >= x) res = 1; else res = 0; //l1: res == 0 } Bardin et al. S´ eminaire Confiance Num´ erique 42/ 55

  69. Coverage-oriented DSE – Infeasibility detection VA ⊕ WP succeeds! int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { //@assume 0 < = a < = 20 //@assume 0 < = x < = 1000 int res; if(x+a >= x) res = 1; else res = 0; //@assert res != 0 } Bardin et al. S´ eminaire Confiance Num´ erique 42/ 55

  70. Coverage-oriented DSE – Infeasibility detection VA ⊕ WP succeeds! int main () { int a = nondet (0 .. 20); int x = nondet (0 .. 1000); return g(x,a); } int g(int x, int a) { //@assume 0 < = a < = 20 //@assume 0 < = x < = 1000 int res; if(x+a >= x) res = 1; else res = 0; // VA ⊕ WP succeeds //@assert res != 0 } Bardin et al. S´ eminaire Confiance Num´ erique 42/ 55

  71. Coverage-oriented DSE – Infeasibility detection Proposal : VA ⊕ WP (2) Exported invariants only names appearing in the program (params, lhs, vars) ◮ independent from memory size non-relational information numerical constraints (sets, intervals, congruence) ◮ linear in the number of names only numerical information ◮ sets, intervals, congruence Bardin et al. S´ eminaire Confiance Num´ erique 43/ 55

  72. Coverage-oriented DSE – Infeasibility detection Proposal : VA ⊕ WP (3) Soundness ok as long as VA is sound Exhaustivity of “export” only affect deductive power [full export has only a little overhead] Bardin et al. S´ eminaire Confiance Num´ erique 44/ 55

  73. Coverage-oriented DSE – Infeasibility detection Summary VA WP VA ⊕ WP � � � sound for assert validity � � � blackbox reuse � � × local precision � � × calling context � � × calls / loop effects × × × global precision � � � scalability wrt. #labels � × scalability wrt. code size ? Bardin et al. S´ eminaire Confiance Num´ erique 45/ 55

  74. Coverage-oriented DSE – Infeasibility detection Detection power Reuse the same benchmarks [Siemens, Verisec, Mediabench] 12 programs (50-300 loc), 3 criteria ( CC , MCC , WM ) 26 pairs (program, coverage criterion) 1,270 test requirements, 121 infeasible ones #Lab #Inf VA WP VA ⊕ WP #d %d #d %d #d %d Total 1,270 121 84 69% 73 60% 118 98% Min 0 0 0% 0 0% 2 67% Max 29 29 100% 15 100% 29 100% Mean 4.7 3.2 63% 2.8 82% 4.5 95% #d : number of detected infeasible labels %d : ratio of detected infeasible labels Bardin et al. S´ eminaire Confiance Num´ erique 46/ 55

  75. Coverage-oriented DSE – Infeasibility detection Detection power Reuse the same benchmarks [Siemens, Verisec, Mediabench] 12 programs (50-300 loc), 3 criteria ( CC , MCC , WM ) 26 pairs (program, coverage criterion) 1,270 test requirements, 121 infeasible ones #Lab #Inf VA WP VA ⊕ WP #d %d #d %d #d %d Total 1,270 121 84 69% 73 60% 118 98% Min 0 0 0% 0 0% 2 67% Max 29 29 100% 15 100% 29 100% Mean 4.7 3.2 63% 2.8 82% 4.5 95% #d : number of detected infeasible labels %d : ratio of detected infeasible labels VA ⊕ WP achieves almost perfect detection detection speed is reasonable [ ≤ 1s/obj.] Bardin et al. S´ eminaire Confiance Num´ erique 46/ 55

  76. Coverage-oriented DSE – Infeasibility detection Impact on test generation report more accurate coverage ratio Coverage ratio reported by DSE ⋆ VA Detection None Perfect* ⊕ WP method Total 90.5% 99.2% 100.0% Min 61.54% 91.7% 100.0% Max 100.00% 100.0% 100.0% Mean 91.10% 99.2% 100.0% * preliminary, manual detection of infeasible labels Bardin et al. S´ eminaire Confiance Num´ erique 47/ 55

  77. Coverage-oriented DSE – Infeasibility detection Impact on test generation optimisation : speedup test generation : take care ! DSE ⋆ - opt vs DSE ⋆ Min. 0.96 × Ideal speedup Max. 592.54 × Mean 49.04 × DSE ⋆ - opt vs DSE ⋆ Min 0.1x RT(1s) in practice Max 55.4x + LUncov +DSE ⋆ Mean 3.8x RT : random testing Speedup wrt. DSE ⋆ alone Bardin et al. S´ eminaire Confiance Num´ erique 47/ 55

  78. DSE for binary code analysis Outline Introduction DSE in a nutshell Coverage-oriented DSE Binary-level DSE Conclusion Bardin et al. S´ eminaire Confiance Num´ erique 48/ 55

Recommend

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik Sen EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/ 1 Programs are still written by humans, and will

1.62k views • 134 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security

CMPSC 497: Symbolic Execution Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page

735 views • 46 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
A Visual Approach to Symbolic Execution Nick Pfister - Astrophysics Mentors: Fish Wang,

A Visual Approach to Symbolic Execution Nick Pfister - Astrophysics Mentors: Fish Wang,

A Visual Approach to Symbolic Execution Nick Pfister - Astrophysics Mentors: Fish Wang, Christophe Hauser, Yan Shoshitaishvili Faculty Adviser: Christopher Kruegel Department of Computer Science Our safety depends on software! What happens if

468 views • 16 slides
Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS

Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS

Towards computationally sound symbolic security analysis Daniele Micciancio, UCSD DIMACS Tutorial June 2004 Security protocols Protocols: distributed programs Goal: maintain prescribed behavior in adversarial execution environment

1.34k views • 51 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of

Carl Svensson Exploit development and deobfuscation September 13, 2018 SEC-T 2018 Fun with symbolic execution Carl Svensson, 27 MSc in Computer Science, KTH Head of Security, Kry CTF-player, HackingForSoju 1 About me

695 views • 23 slides

More recommend