the auspicious couple symbolic execution
play

The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov - PowerPoint PPT Presentation

May 14, 2023 •877 likes •1.38k views

The Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov acs, and WCET Analysis Jakob Zwirchmayr Motivation Armin Biere, Jens Knoop, Laura Kov acs,

  1. The Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, The Auspicious Couple: Symbolic Execution Jens Knoop, Laura Kov´ acs, and WCET Analysis Jakob Zwirchmayr Motivation Armin Biere, Jens Knoop, Laura Kov´ acs, Jakob Zwirchmayr Introduction Symbolic Execution in TU Vienna, JKU Linz r-TuBound Symbolic Execution July 9, 2013 without Path Explosion Conclusion 1 / 23

  2. The WCET Analysis Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Jens Knoop, WCET Analysis Laura Kov´ acs, ◮ mandatory for safety-critical real-time systems Jakob Zwirchmayr Computed WCET bounds Motivation ◮ must be safe Introduction ◮ shall be tight Symbolic Execution in r-TuBound Problem Symbolic Execution ◮ precise knowledge about the program without Path Explosion Conclusion 2 / 23

  3. The Symbolic Execution Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Symbolic Execution Jens Knoop, Laura ◮ use symbolic instead of concrete data Kov´ acs, Jakob Zwirchmayr Control-flow split (branch) Motivation ◮ follow both paths Introduction ◮ assume respective condition Symbolic Execution in r-TuBound Problem: path explosion Symbolic ◮ unbounded loops Execution without Path Explosion ◮ number of conditionals Conclusion 3 / 23

  4. The Our Remedy Auspicious Couple: Symbolic Execution and WCET Analysis Combine symbolic execution and WCET analysis as a remedy Armin Biere, Jens Knoop, Laura WCET analysis guides symbolic execution Kov´ acs, Jakob ◮ select only WCET relevant parts Zwirchmayr Motivation Symbolic execution infers precise information Introduction ◮ for relevant parts Symbolic Execution in r-TuBound Partial vs full symbolic coverage Symbolic ◮ full symbolic coverage often infeasible in practice Execution without Path Explosion Partial coverage often good enough to improve the WCET estimate Conclusion 4 / 23

  5. The r-TuBound Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Jens Knoop, Laura Kov´ acs, Jakob Zwirchmayr Motivation Introduction Symbolic Execution in r-TuBound Symbolic Execution without Path Explosion Conclusion 5 / 23

  6. The Symbolic Execution: SmacC Auspicious Couple: Symbolic SmacC Execution and WCET ◮ SMT representation of the program (BV, arrays) Analysis ◮ select paths via path-expressions Armin Biere, Jens Knoop, Laura Exact analysis Kov´ acs, Jakob Zwirchmayr Motivation Introduction Symbolic Execution in r-TuBound Symbolic Execution without Path Explosion Conclusion Full symbolic coverage requires execution of all paths! 6 / 23

  7. The Symbolic Execution in r-TuBound Auspicious Couple: Symbolic Execution and WCET Analysis 1) on selected program fragments Armin Biere, Jens Knoop, ◮ check properties on conditional updates to the loopcounter Laura Kov´ acs, Jakob ◮ if successful, loop bound computation safe Zwirchmayr 2) on single loops Motivation Introduction ◮ only if all other techniques fail Symbolic Execution in 3) on single paths r-TuBound Symbolic ◮ as post-process, after initial WCET anlysis Execution without Path ◮ symbolically check feasibility of WCET path Explosion Conclusion = Selective Symbolic Execution 7 / 23

  8. The Architecture Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Jens Knoop, Laura Kov´ acs, Jakob Zwirchmayr Motivation Introduction Symbolic Execution in r-TuBound Symbolic Execution without Path Explosion Conclusion 8 / 23

  9. The Analyzing Program Fragments Auspicious Couple: Symbolic Execution and WCET Conditional update to loop counter i prevents bound calculation Analysis Armin Biere, Jens Knoop, ◮ verify that updates strictly int main ( int flag ) { Laura Kov´ acs, int i ; increase(decrease) i Jakob for ( i = 0 ; i < 5 ; i + +) Zwirchmayr if ( i == 4 && flag ) { ◮ can check arbitrary i = 0 ; Motivation expressions (in flag = 0 ; Introduction } bitvectors/array theory) } Symbolic Execution in r-TuBound Success Symbolic Execution ◮ apply bound computation without Path Explosion ◮ (combined minimal update) Conclusion Fails for example 9 / 23

  10. The Loop Bounds via Symbolic Execution Auspicious Couple: Symbolic Execution and WCET (r-)loopbounds fails to compute a loop bound Analysis Armin Biere, only then Jens Knoop, Laura ◮ apply exhaustive symbolic execution of the loop Kov´ acs, Jakob Zwirchmayr The loop + required decls + additional analysis information Motivation ◮ = reduced program Introduction ◮ example: program = reduced program Symbolic Execution in r-TuBound Symbolically execute reduced program Symbolic Execution ◮ with initial bound 0 without Path Explosion ◮ increase bound while loop cond is SAT in last iteration Conclusion Example: loop bound 9 10 / 23

  11. The Precise WCET Bounds Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Jens Knoop, Laura a.k.a WCET Squeezing Kov´ acs, Jakob ◮ post-proces for IPET based WCET analyzer Zwirchmayr ◮ allows to tighten WCET estimates Motivation Introduction ◮ ultimately prove WCET bounds precise Symbolic Execution in Is a combination of WCET analysis and symbolic execution r-TuBound Symbolic ◮ overcomes problems inherent in both approaches! Execution without Path Explosion Conclusion 11 / 23

  12. The Problems of the Approaches Auspicious Couple: Symbolic Execution and WCET Analysis Armin Biere, Jens Knoop, Laura Kov´ acs, Jakob Zwirchmayr Symbolic Execution deficiency: path explosion (doesn’t scale due to exponential number of paths) Motivation Introduction IPET deficiency: considers little information about the program Symbolic (flow-facts) Execution in r-TuBound Symbolic Execution without Path Explosion Conclusion 12 / 23

  13. The Some Remedy Auspicious Couple: Symbolic Execution and WCET Analysis Combine IPET and Symbolic Execution for mutual Armin Biere, Jens Knoop, benefit! Laura Kov´ acs, extract path from ILP result and symbolically execute it Jakob Zwirchmayr Motivation Introduction Symbolic Execution in r-TuBound Symbolic Execution without Path Explosion Conclusion 13 / 23

  14. The Some Remedy Auspicious Couple: Symbolic Execution and WCET Analysis Combine IPET and Symbolic Execution for mutual Armin Biere, Jens Knoop, benefit! Laura Kov´ acs, extract path from ILP result and symbolically execute it Jakob Zwirchmayr Path explosion: Motivation ◮ less severe, initially examine only one path Introduction Symbolic Lack of information: Execution in r-TuBound ◮ rule out infeasible paths using precise symbolic execution Symbolic Execution ◮ by deriving new ILP constraints without Path Explosion Conclusion Requires an initial WCET analysis 13 / 23

  15. The Squeezing in a Nutshell Auspicious Couple: Symbolic in: ILP problem (from IPET), out wcet bound Execution and WCET Analysis 1. solve ILP problem Armin Biere, Jens Knoop, Laura 2. extract “abstract” WCET path candidates from ILP Kov´ acs, Jakob Zwirchmayr 3. compute “concrete” path(s) encoded by abstract path Motivation 4. symbolically execute concrete path(s) Introduction Symbolic 5. use result of execution to refine ILP problem or stop: Execution in r-TuBound 5.1 path feasible: done (path is indeed WCET path) Symbolic Execution without Path 5.2 infeasible: refine ILP, goto 2 Explosion Conclusion On termination: ◮ precise WCET bound (wrt the HW-model) ◮ optional: timeout, threshhold 14 / 23

  16. The Expected Results Auspicious Couple: Symbolic Execution and WCET Analysis Refined WC path is feasible: Armin Biere, Jens Knoop, ◮ real WCET-path, overestimation due to hardware modelling Laura Kov´ acs, Jakob ◮ precise bound Zwirchmayr Refined WC path is infeasible + TO: Motivation Introduction ◮ some improvement after a few iteration Symbolic ◮ estimate tightened Execution in r-TuBound Symbolic ILP WC path is feasible: Execution without Path ◮ no gain in precision Explosion Conclusion ◮ precise bound 15 / 23

  17. The Example Auspicious Couple: Symbolic Execution and WCET Loop bound = 9 Analysis Armin Biere, ◮ analyze example with r-TuBound Jens Knoop, Laura ◮ yields WCET estimate + ILP solution Kov´ acs, Jakob (computed from generated ILP problem) Zwirchmayr Motivation ILP Introduction ◮ problem: constraints on execution frequencies Symbolic Execution in ◮ solution: valid execution frequencies of blocks r-TuBound ◮ example: execution frequency of then -block = 9 Symbolic Execution without Path Explosion The solution is INFEASIBLE Conclusion ◮ no such concrete execution exists ◮ therefore, WCET bound is an over-estimation 16 / 23

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program

Timotej Kapus Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in industry IntelliTest, SAGE Angr KLOVER 2 Why symbolic execution? No

916 views • 73 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure

Flip a bit, grab a key: Symbolic execution edition Jasper van Woudenberg @jzvw CTO Riscure North America public Concrete execution r1 = 0xBE; r2 = 0x08 mov r1,r2 add r1,0x10 r1 = 0x18; r2 = 0x08 public 2 Symbolic execution r1 = 0xBE;

470 views • 31 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014,

Multi-Solver Support in Symbolic Execution Hristina Palikareva, Cristian Cadar SMT Workshop 2014, Vienna, 17 July 2014 Dynamic Symbolic Execution Automated program analysis technique that employs an SMT solver to systematically explore paths

503 views • 39 slides
Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview

Rooting Routers Using Symbolic Execution Mathy Vanhoef @vanhoefm HITB DXB 2018, Dubai, 27 November 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic Execution 4-way handshake Handling Crypto

1.17k views • 88 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides

More recommend