symbolic execution of maintainer scripts
play

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf - PowerPoint PPT Presentation

Jun 16, 2023 •549 likes •1.71k views

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

  1. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App What we will present today Analyzing the behavior of Maintainer Scripts Caveat 1: we will never be able to analyze all the > 30 . 000 maintainer scripts. Caveat 2: we have to cut corners in the model, and perform approximations . Focus on finding bugs (as opposed to guaranteeing correctness). Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  2. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App What we will present today Analyzing the behavior of Maintainer Scripts Caveat 1: we will never be able to analyze all the > 30 . 000 maintainer scripts. Caveat 2: we have to cut corners in the model, and perform approximations . Focus on finding bugs (as opposed to guaranteeing correctness). Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  3. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App What we will present today Analyzing the behavior of Maintainer Scripts Caveat 1: we will never be able to analyze all the > 30 . 000 maintainer scripts. Caveat 2: we have to cut corners in the model, and perform approximations . Focus on finding bugs (as opposed to guaranteeing correctness). Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  4. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App What we will present today Analyzing the behavior of Maintainer Scripts Caveat 1: we will never be able to analyze all the > 30 . 000 maintainer scripts. Caveat 2: we have to cut corners in the model, and perform approximations . Focus on finding bugs (as opposed to guaranteeing correctness). Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  5. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Plan 1 Introduction 2 Symbolic Execution of Scripts 3 Symbolic Execution of Maintainer Scripts 4 Demo Time 5 Detected Bugs 6 Conclusions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  6. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Semantics of Shell Scripts First step: reasoning about one script at a time. Starting point: we need a language to talk about the semantics of scripts: symbolic representation. We do this both for the case of success and of failure of the script. We need a way to calculate effectively on these representations, and to combine them (sequential composition, conditional composition, . . . ) Analogy: Using regular expressions to talk about sets of strings. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  7. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Semantics of Shell Scripts First step: reasoning about one script at a time. Starting point: we need a language to talk about the semantics of scripts: symbolic representation. We do this both for the case of success and of failure of the script. We need a way to calculate effectively on these representations, and to combine them (sequential composition, conditional composition, . . . ) Analogy: Using regular expressions to talk about sets of strings. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  8. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Semantics of Shell Scripts First step: reasoning about one script at a time. Starting point: we need a language to talk about the semantics of scripts: symbolic representation. We do this both for the case of success and of failure of the script. We need a way to calculate effectively on these representations, and to combine them (sequential composition, conditional composition, . . . ) Analogy: Using regular expressions to talk about sets of strings. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  9. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Semantics of Shell Scripts First step: reasoning about one script at a time. Starting point: we need a language to talk about the semantics of scripts: symbolic representation. We do this both for the case of success and of failure of the script. We need a way to calculate effectively on these representations, and to combine them (sequential composition, conditional composition, . . . ) Analogy: Using regular expressions to talk about sets of strings. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  10. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Semantics of Shell Scripts First step: reasoning about one script at a time. Starting point: we need a language to talk about the semantics of scripts: symbolic representation. We do this both for the case of success and of failure of the script. We need a way to calculate effectively on these representations, and to combine them (sequential composition, conditional composition, . . . ) Analogy: Using regular expressions to talk about sets of strings. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  11. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Tree Constraints Our current approach: use predicate logic. Predicate logic allows us to talk about relations : in our case the relation between the intial configuration, and the possible configurations obtained by the execution. Special purpose logic for talking about a restricted form of tree transformations. Effective calculations on formulas. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  12. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Tree Constraints Our current approach: use predicate logic. Predicate logic allows us to talk about relations : in our case the relation between the intial configuration, and the possible configurations obtained by the execution. Special purpose logic for talking about a restricted form of tree transformations. Effective calculations on formulas. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  13. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Tree Constraints Our current approach: use predicate logic. Predicate logic allows us to talk about relations : in our case the relation between the intial configuration, and the possible configurations obtained by the execution. Special purpose logic for talking about a restricted form of tree transformations. Effective calculations on formulas. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  14. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Tree Constraints Our current approach: use predicate logic. Predicate logic allows us to talk about relations : in our case the relation between the intial configuration, and the possible configurations obtained by the execution. Special purpose logic for talking about a restricted form of tree transformations. Effective calculations on formulas. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  15. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists No such noresolve ( r , cwd , q ) ∧ r . = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  16. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  17. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  18. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  19. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  20. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the r No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure q file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  21. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the r No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure q file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x (dir) Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  22. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the r No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure q file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x (dir) f × Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  23. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the “ ∼ { q } ” r r ′ No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure q file q ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x ′ ∃ x (dir) f × Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  24. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists “ ∼ { q } ” r r ′ No such noresolve ( r , cwd , q ) ∧ r . = r ′ Failure q file q ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x ′ ∃ x ∼ { f } (dir) f × Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  25. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists “ ∼ { q } ” r r ′ No such noresolve ( r , cwd , q ) ∧ r . = r ′ Failure q file q ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x ′ ∃ x ∼ { f } (dir) (dir) f f ∃ y ′ × (empty dir) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  26. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists “ ∼ { q } ” r r ′ No such noresolve ( r , cwd , q ) ∧ r . = r ′ Failure q file q ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir ∃ x ′ ∃ x ∼ { f } (dir) (dir) f f ∃ y ′ × (empty dir) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  27. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Example Specification: mkdir q / f Formula in our logic ∃ x , x ′ , y ′ · resolve ( r , cwd , q , x ) ∧ dir ( x ) ∧ x [ f ] ↑ ∧ similar ( r , r ′ , cwd , q , x , x ′ ) ∧ x ∼ { f } x ′ Success ∧ dir ( x ′ ) ∧ x ′ [ f ] y ′ ∧ dir ( y ′ ) ∧ y ′ [ ∅ ] ∃ y · resolve ( r , cwd , q / f , y ) ∧ r . = r ′ Failure File exists Outcome of the No such noresolve ( r , cwd , q ) ∧ r . Specification Case = r ′ Failure file ∃ x · resolve ( r , cwd , q , x ) ∧ ¬ dir ( x ) ∧ r . = r ′ Failure Not a dir Description Text human beings) Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  28. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Using the Logic: sequential composition cmd 1 ( in , out ) cmd 2 ( in , out ) Compose ∃ tmp . ( cmd 1 ( in , tmp ) ∧ cmd 2 ( tmp , out )) Simplify cmd 1;2 ( in , out ) ⊥ Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  29. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Using the Logic: sequential composition cmd 1 ( in , out ) cmd 2 ( in , out ) Compose ∃ tmp . ( cmd 1 ( in , tmp ) ∧ cmd 2 ( tmp , out )) Simplify cmd 1;2 ( in , out ) ⊥ Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  30. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Using the Logic: sequential composition cmd 1 ( in , out ) cmd 2 ( in , out ) Compose ∃ tmp . ( cmd 1 ( in , tmp ) ∧ cmd 2 ( tmp , out )) Simplify cmd 1;2 ( in , out ) ⊥ Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  31. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution Idea: We simulate the script, and collect in our logical formalism its effect on the file system. More precisely: Mixed concrete/symbolic execution: We only describe symbolically the effect on the file system, other effects like variable assignements etc. are simulated concretely. We know the parameters the script is invoked on, and we make reasonable assumptions on environment variables. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  32. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution Idea: We simulate the script, and collect in our logical formalism its effect on the file system. More precisely: Mixed concrete/symbolic execution: We only describe symbolically the effect on the file system, other effects like variable assignements etc. are simulated concretely. We know the parameters the script is invoked on, and we make reasonable assumptions on environment variables. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  33. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution Idea: We simulate the script, and collect in our logical formalism its effect on the file system. More precisely: Mixed concrete/symbolic execution: We only describe symbolically the effect on the file system, other effects like variable assignements etc. are simulated concretely. We know the parameters the script is invoked on, and we make reasonable assumptions on environment variables. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  34. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Plan 1 Introduction 2 Symbolic Execution of Scripts 3 Symbolic Execution of Maintainer Scripts 4 Demo Time 5 Detected Bugs 6 Conclusions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  35. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Installation Scenarios Second Step: scenarios, like this one: More (and more complex) scenarios: see the policy. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  36. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Installation Scenarios Second Step: scenarios, like this one: More (and more complex) scenarios: see the policy. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  37. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  38. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  39. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  40. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  41. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  42. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  43. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and bad states Three different kinds of observations: 1 The failure (exit code > 0) of a maintainer script 2 The failure of a request to dpkg 3 The state a package is in at the end of the process As one can see in the scenarios: it is possible that a request fails, but still all packages are in a consistent state: when the error unwind has worked. there are situations where some script may fail, and still the request succeeds in the end. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  44. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and Bugs Policy 6.1 says: The package management system looks at the exit status from these scripts. It is important that they exit with a non-zero status if there is an error, so that the package management system can stop its processing... It is also important, of course, that they exit with a zero status if everything went well. Consequence: A possible failure case of a script is not necessarily a bug! Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  45. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and Bugs Policy 6.1 says: The package management system looks at the exit status from these scripts. It is important that they exit with a non-zero status if there is an error, so that the package management system can stop its processing... It is also important, of course, that they exit with a zero status if everything went well. Consequence: A possible failure case of a script is not necessarily a bug! Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  46. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Failures and Bugs Policy 6.1 says: The package management system looks at the exit status from these scripts. It is important that they exit with a non-zero status if there is an error, so that the package management system can stop its processing... It is also important, of course, that they exit with a zero status if everything went well. Consequence: A possible failure case of a script is not necessarily a bug! Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  47. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Plan 1 Introduction 2 Symbolic Execution of Scripts 3 Symbolic Execution of Maintainer Scripts 4 Demo Time 5 Detected Bugs 6 Conclusions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  48. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Infrastructure Corpus of 13906 packages containing 33320 maintainer scripts extracted on 2019-03-18 from a Debian mirror Corpus of 165 additional files which are included by maintainer scripts Using the Contents file to simulate dpkg -L Running for 20 minutes on a 80 cores Intel(R) Xeon(R) CPU at 2.20GHz. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  49. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Infrastructure Corpus of 13906 packages containing 33320 maintainer scripts extracted on 2019-03-18 from a Debian mirror Corpus of 165 additional files which are included by maintainer scripts Using the Contents file to simulate dpkg -L Running for 20 minutes on a 80 cores Intel(R) Xeon(R) CPU at 2.20GHz. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  50. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Infrastructure Corpus of 13906 packages containing 33320 maintainer scripts extracted on 2019-03-18 from a Debian mirror Corpus of 165 additional files which are included by maintainer scripts Using the Contents file to simulate dpkg -L Running for 20 minutes on a 80 cores Intel(R) Xeon(R) CPU at 2.20GHz. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  51. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Infrastructure Corpus of 13906 packages containing 33320 maintainer scripts extracted on 2019-03-18 from a Debian mirror Corpus of 165 additional files which are included by maintainer scripts Using the Contents file to simulate dpkg -L Running for 20 minutes on a 80 cores Intel(R) Xeon(R) CPU at 2.20GHz. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  52. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Plan 1 Introduction 2 Symbolic Execution of Scripts 3 Symbolic Execution of Maintainer Scripts 4 Demo Time 5 Detected Bugs 6 Conclusions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  53. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App sgml-base preinst Script snippet: if [ ! -d /var/lib/sgml -base ] then mkdir /var/lib/sgml -base 2>/dev/null fi Problem: If /var/lib/sgml-base exists and is not a directory this fails silently We have asked on the mailing list for confirmation that this is a bug. https://bugs.debian.org/929706 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  54. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App sgml-base preinst Script snippet: if [ ! -d /var/lib/sgml -base ] then mkdir /var/lib/sgml -base 2>/dev/null fi Problem: If /var/lib/sgml-base exists and is not a directory this fails silently We have asked on the mailing list for confirmation that this is a bug. https://bugs.debian.org/929706 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  55. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App sgml-base preinst Script snippet: if [ ! -d /var/lib/sgml -base ] then mkdir /var/lib/sgml -base 2>/dev/null fi Problem: If /var/lib/sgml-base exists and is not a directory this fails silently We have asked on the mailing list for confirmation that this is a bug. https://bugs.debian.org/929706 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  56. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App sgml-base preinst Script snippet: if [ ! -d /var/lib/sgml -base ] then mkdir /var/lib/sgml -base 2>/dev/null fi Problem: If /var/lib/sgml-base exists and is not a directory this fails silently We have asked on the mailing list for confirmation that this is a bug. https://bugs.debian.org/929706 Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  57. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  58. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  59. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  60. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  61. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  62. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App armagetronad-dedicated postrm Script snippet: if [ "$1" = "purge" ]; then rm -r /var/games/ armagetronad rmdir --ignore -fail -on -non -empty /var/games fi Will fail if /var/games/armagedtronad does not exist. Do we have to account for this case? Policy, section 6.2: Maintainer scripts have to be idempotent. Note that if a postrm purge succeeds the package is gone completely. We still think this is a bug since the script may fail later. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  63. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Idempotency Debian policy (section 6.2) requires maintainer scripts to be idempotent. Mathematically, i is idempotent when i ◦ i = i The sense in Debian is much larger: If the first call failed, or aborted half way through for some reason, the second call should merely do the things that were left undone the first time, if any, and exit with a success status if everything is OK. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  64. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Idempotency Debian policy (section 6.2) requires maintainer scripts to be idempotent. Mathematically, i is idempotent when i ◦ i = i The sense in Debian is much larger: If the first call failed, or aborted half way through for some reason, the second call should merely do the things that were left undone the first time, if any, and exit with a success status if everything is OK. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  65. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Idempotency Debian policy (section 6.2) requires maintainer scripts to be idempotent. Mathematically, i is idempotent when i ◦ i = i The sense in Debian is much larger: If the first call failed, or aborted half way through for some reason, the second call should merely do the things that were left undone the first time, if any, and exit with a success status if everything is OK. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  66. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Idempotency Debian policy (section 6.2) requires maintainer scripts to be idempotent. Mathematically, i is idempotent when i ◦ i = i The sense in Debian is much larger: If the first call failed, or aborted half way through for some reason, the second call should merely do the things that were left undone the first time, if any, and exit with a success status if everything is OK. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  67. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App courier-filter-perl postrm Script snippet: case "$1" in purge ) rm /etc/courier/filters/courier -filter -perl.conf ;; esac Will fail when .../courier-filter-perl.conf does not exist: script not idempotent. However, this is at the end of script, so when it succeeds and removes the file the package is gone, so this seems purely formal. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  68. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App courier-filter-perl postrm Script snippet: case "$1" in purge ) rm /etc/courier/filters/courier -filter -perl.conf ;; esac Will fail when .../courier-filter-perl.conf does not exist: script not idempotent. However, this is at the end of script, so when it succeeds and removes the file the package is gone, so this seems purely formal. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  69. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App courier-filter-perl postrm Script snippet: case "$1" in purge ) rm /etc/courier/filters/courier -filter -perl.conf ;; esac Will fail when .../courier-filter-perl.conf does not exist: script not idempotent. However, this is at the end of script, so when it succeeds and removes the file the package is gone, so this seems purely formal. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  70. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App oz postrm Script snippet: FILE="/etc/oz/id_rsa -icicle -gen" case "$1" in purge) if [ -f $FILE ]; then rm $FILE $FILE.pub fi ;; esac Fails if $FILE exists but $FILE.pub does not. In that case, a second invocation of postrm purge will succeed! Even if it is not against idempotency, this behavior is at least strange and annoying. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  71. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App oz postrm Script snippet: FILE="/etc/oz/id_rsa -icicle -gen" case "$1" in purge) if [ -f $FILE ]; then rm $FILE $FILE.pub fi ;; esac Fails if $FILE exists but $FILE.pub does not. In that case, a second invocation of postrm purge will succeed! Even if it is not against idempotency, this behavior is at least strange and annoying. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  72. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App oz postrm Script snippet: FILE="/etc/oz/id_rsa -icicle -gen" case "$1" in purge) if [ -f $FILE ]; then rm $FILE $FILE.pub fi ;; esac Fails if $FILE exists but $FILE.pub does not. In that case, a second invocation of postrm purge will succeed! Even if it is not against idempotency, this behavior is at least strange and annoying. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  73. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App oz postrm Script snippet: FILE="/etc/oz/id_rsa -icicle -gen" case "$1" in purge) if [ -f $FILE ]; then rm $FILE $FILE.pub fi ;; esac Fails if $FILE exists but $FILE.pub does not. In that case, a second invocation of postrm purge will succeed! Even if it is not against idempotency, this behavior is at least strange and annoying. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  74. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  75. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  76. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  77. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  78. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  79. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Bugs found by Colis Listing: https://bugs.debian.org/cgi-bin/pkgreport. cgi?tag=colis-shparser;users=treinen@debian.org 148 bugs filed so far, 90 of which are solved. So far a great majority are on a trivial level (like missing set -e ), or on the level of syntactic structure (requires morbig , hence is not trivial). How did we find the last four bugs: The first two from bad package states detected by our tool, then investigation by hand. The last two where found by running our tool on a dedicated scenario for testing a subcase of idempotency. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  80. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Plan 1 Introduction 2 Symbolic Execution of Scripts 3 Symbolic Execution of Maintainer Scripts 4 Demo Time 5 Detected Bugs 6 Conclusions Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  81. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Ongoing Work Include simulation of the unpack phase. Increase the number of script we can handle, by modeling more commands. Being more precise about idempotency: checking equivalence of the executing a script once or twice. This uses our result on decidability of the logic. Investigate other properties, like commutation of scripts. Using tree transducers to represent the semantics of scripts. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  82. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Ongoing Work Include simulation of the unpack phase. Increase the number of script we can handle, by modeling more commands. Being more precise about idempotency: checking equivalence of the executing a script once or twice. This uses our result on decidability of the logic. Investigate other properties, like commutation of scripts. Using tree transducers to represent the semantics of scripts. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  83. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Ongoing Work Include simulation of the unpack phase. Increase the number of script we can handle, by modeling more commands. Being more precise about idempotency: checking equivalence of the executing a script once or twice. This uses our result on decidability of the logic. Investigate other properties, like commutation of scripts. Using tree transducers to represent the semantics of scripts. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

  84. Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Ongoing Work Include simulation of the unpack phase. Increase the number of script we can handle, by modeling more commands. Being more precise about idempotency: checking equivalence of the executing a script once or twice. This uses our result on decidability of the logic. Investigate other properties, like commutation of scripts. Using tree transducers to represent the semantics of scripts. Nicolas Jeannerod, Ralf Treinen IRIF, Universit´ e de Paris Symbolic Execution of Maintainer Scripts

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R

Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R

Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R egis-Gianas IRIF, Universit e Paris-Diderot July 31, 2018

581 views • 41 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, "Applications of Symbolic Evaluation," Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

1.17k views • 88 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides

More recommend