z3strbv a solver for a theory of strings and bit vectors
play

Z3strBV: A Solver for a Theory of Strings and Bit-vectors Murphy - PowerPoint PPT Presentation

Jul 01, 2023 •349 likes •582 views

Z3strBV: A Solver for a Theory of Strings and Bit-vectors Murphy Berzish 1 , Sanu Subramanian 2 , Yunhui Zheng 3 , Omer Tripp 4 , and Vijay Ganesh 1 (1) University of Waterloo (2) Intel Security (3) IBM Research (4) Google July 1, 2016 SMT

  1. Z3strBV: A Solver for a Theory of Strings and Bit-vectors Murphy Berzish 1 , Sanu Subramanian 2 , Yunhui Zheng 3 , Omer Tripp 4 , and Vijay Ganesh 1 (1) University of Waterloo (2) Intel Security (3) IBM Research (4) Google July 1, 2016 SMT Workshop 1

  2. Outline ● Background ● Existing solutions, motivation ● Decidability of strings+bit-vectors ● Design of Z3strBV ● Binary search heuristics ● Library-aware SMT solving ● Experimental evaluation ● Future work ● Summary and conclusion 2

  3. Background: Symbolic Execution and SMT ● Analysis of low-level programs in C/C++ ● Powerful application of SMT solvers for ○ Detection of security vulnerabilities ○ Automated test case generation ● Strength of the symbolic execution engine related to expressive power, efficiency of the SMT solver backend 3

  4. Why Not String-Integer Combination? ● Existing SMT solvers supporting theory of strings interpret the length of a string as an arbitrary-precision integer ● In languages like C/C++, integer values (e.g. strlen ) are fixed-precision ● Relevant: semantics of overflow/underflow ● More efficient to model as a bit-vector and not an integer 4

  5. Why Not Represent Strings as Bit-vectors? ● Strings can also be represented as (arrays of) bit-vectors ● KLEE, S2E both do this ● Performance issue: low-level bit-vector representation vs. high-level semantics of the string type ○ Path explosion: strlen on a symbolic string of length N forks N+1 paths. ● Difficulty in handling unbounded / arbitrary-length strings 5

  6. Motivation for a String+Bit-vector Combination ● In summary, the problems with existing solutions are: ○ Strings + natural numbers has limited ability to model overflow, underflow, bit-wise operations, pointer casting, etc. without bit-vectors ○ Bit-vector solvers are not able to perform direct reasoning on strings efficiently, and cannot handle unbounded strings ● This motivates us to build Z3strBV, a solver for strings + bit-vectors. ○ Combination of a string solver (Z3str2), bit-vector solver (Z3’s BV theory), bit-vector sorted length function (on top of Z3str2), and SMT solver framework (Z3) ○ Opportunity to apply new heuristics: ■ Binary search ■ Library-aware SMT solving 6

  7. Contributions ● Solver for quantifier-free theory of strings, bit-vectors, and bit-vector-sorted string length ○ Built on top of the Z3str2 string solver (Zheng et al., 2015) ■ ...which is itself built on top of the Z3 SMT solver (de Moura, Bjorner, et al., 2008) ○ Extensions for bit-vector sorts, in particular strlen bv : String -> Bitvector ● New solver heuristics: ○ Binary search pruning strategy to reach consistent length assignments ○ Library-aware SMT solving for improved performance ● Decidability of string+bit-vector combination 7

  8. Motivating Example bool check_login(char *username, char *password) { if (!validate_password(password)) { invalid_login_attempt(); exit(-1); } const char *salt = get_salt8(username); uint16_t len = strlen(password) + strlen(salt) + 1; if (len > 32) { invalid_login_attempt(); exit(-1); } char *saltedpw = (char*)malloc(len); strcpy(saltedpw, password); strcpy(saltedpw, salt); ... } 8

  9. Decidability of String + Bit-Vector Combination ● The satisfiability problem for the QF theory of word equations, bit-vector length, and bit-vector terms is decidable. ● Proof sketch: by reduction to strings + regular language membership ○ Shown decidable by Schulz (1992) ● This may seem trivial -- finitely many BVs implies finitely many strings? ○ NO! Overflow semantics apply to length terms too ● Decidability is in fact non-trivial as infinitely many strings must be considered 9

  10. Design Overview ● Word equation solving ● Integration of string and bit-vector theory ● Binary search heuristic for search-space pruning 10

  11. String Equation Solving ● Key technique of Z3str2: recursively split equations into subproblems until the system can be solved directly ● Given an equation, identify all possible splits / “arrangements” 11

  12. String Equation Solving ● Given an arrangement, generate a set of sub-equations over smaller strings 12

  13. String Equation Solving ● Given an arrangement, generate a set of sub-equations over smaller strings ● New equations are split recursively until all equations are between variables and string constants 13

  14. String-Bitvector Theory Integration ● Three main rules: ○ Each character has length 1, the empty string has length 0 ○ X = Y ⇒ strlen bv (X) = strlen bv (Y) ○ W = X . Y . Z … ⇒ strlen bv (W) = strlen bv (X) + strlen bv (Y) + strlen bv (Z) + … ● These are, elegantly, of similar form to the rules for string-integer integration ● Overflow semantics handled by bit-vector theory solver 14

  15. Binary Search Heuristic ● Z3str2 performs (naive) linear search for the length of variables ○ Constraints of the form “len(X) > 15000” are checked starting at “len(X) = 0, 1, 2, 3, …” ● Z3strBV performs binary search over bit-vector lengths ○ e.g. searching for a 2-bit length L: midpoint is 2, branch on len(X) < 2, len(X) = 2, len(X) > 2 ○ If strings are longer than the upper bound, overflow semantics come into play ○ Consistent lengths found in significantly less time ○ This is sound and very efficient ● Similar technique back-ported to the integer version ○ Main difference: no a priori fixed upper bound for integers ○ Choose a “floating” upper bound that the solver can choose to increase if necessary 15

  16. Library-Aware SMT Solving ● Provide native solver support for library functions that are: ○ Available in popular programming languages like C/C++ ○ Very commonly used by programmers ○ A frequent source of errors due to programmer mistakes ○ Expensive to analyze symbolically due to large number of potential paths ● Extend the logic of traditional SMT solvers with declarative summaries of functions such as strlen , strcpy , etc. ● Preliminary work with Z3strBV to support these functions 16

  17. Experimental Results ● We evaluated our solver on 7 real buffer overflow vulnerabilities: ○ CVE-2015-3824: Google stagefright ’tx3g’ MP4 atom integer overflow ○ CVE-2015-3826: Google stagefright 3GPP metadata buffer overread ○ CVE-2009-0585: libsoup integer overflow ○ CVE-2009-2463: Mozilla Firefox/Thunderbird Base64 integer overflow ○ CVE-2002-0639: Integer and heap overflows in OpenSSH 3.3 ○ CVE-2005-0180: Linux kernel SCSI IOCTL integer overflow ○ FreeBSD wpa supplicant(8) Base64 integer overflow ● Handcrafted constraints for vulnerable region ● String+bit-vector generated a model for all instances ● String+integer could not solve any instances 17

  18. Experimental Results ● Evaluation of library-aware SMT solving via comparison with KLEE ● Input constraints from the motivating example ( check_login ) ● The size of the length variable determines the total number of paths ● We consider 8-bit and 16-bit length variables ○ KLEE times out after 120 minutes with a 16-bit length ○ Z3strBV finds the bug in 0.27 seconds ● The path constraints are not hard; there are just too many paths 18

  19. Experimental Results ● Binary search heuristic applied to unconstrained string variables ● Implemented a modified Z3strBV that uses linear search ● Significant gain in performance when binary search is used 19

  20. Experimental Results ● Performance of binary search heuristic in the integer version (Z3str2) ● Compared against the previous (linear search) Z3str2, and CVC4 ● Z3str2 with binary search is faster than both linear-search Z3str2 and CVC4 20

  21. Future Work ● Tighter integration with symbolic execution engines ○ String + bit-vector in KLEE, S2E ○ String + integer into Jalangi ● Development of efficient function summaries for string functions in the standard libraries of several programming languages ● Integration of Z3str2 and Z3strBV into the main Z3 codebase ○ The port to the newest version of Z3 is now feature-complete and in testing. 21

  22. Summary and Conclusion ● Motivation and design for a solver for strings + bit-vectors ○ String+integer less efficient than string+bit-vector for overflow/underflow ○ Bit-vector solvers are inefficient at modelling strings as arrays of bit-vectors ● Binary search heuristic for consistent length assignments ○ Useful for both bit-vector and integer length terms ○ Significant performance improvements vs. state-of-the-art solvers ● Library-aware SMT solving ○ Large performance improvements over traditional symbolic execution techniques 22

Recommend

Strings A string is an array of characters s = 'abc' MATLAB Strings is equivalent to s =

Strings A string is an array of characters s = 'abc' MATLAB Strings is equivalent to s =

Strings A string is an array of characters s = 'abc' MATLAB Strings is equivalent to s = [ 'a' 'b' 'c' ] All operations that apply to vectors and Selim Aksoy arrays can be used together with Bilkent University strings as well

39 views • 3 slides
STRINGS AND FACTORS Jeff Goldsmith, PhD Department of Biostatistics 1 Strings vs Factors

STRINGS AND FACTORS Jeff Goldsmith, PhD Department of Biostatistics 1 Strings vs Factors

STRINGS AND FACTORS Jeff Goldsmith, PhD Department of Biostatistics 1 Strings vs Factors They both look like character vectors, but: Strings are just strings Factors have an underlying numeric structure with character labels sitting

241 views • 8 slides
SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for

SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for

SAT Solver as coNP Solver Beyond Resolution Norbert Manthey International Center for Computational Logic Technische Universit at Dresden Germany Motivation Propositional Logic and Satisfiability Proof Theory and SAT Solving

640 views • 49 slides
Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish 1 , Yunhui Zheng 2 , Vijay

Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish 1 , Yunhui Zheng 2 , Vijay

Z3str3: A String Solver with Theory-Aware Heuristics Murphy Berzish 1 , Yunhui Zheng 2 , Vijay Ganesh 1 1 University of Waterloo 2 IBM Research Outline l Background and overview l The Z3str3 string solver l New heuristics Theory-aware branching

798 views • 23 slides
Sequences, lists, vectors, strings The name lisp comes from list processing, representation of

Sequences, lists, vectors, strings The name lisp comes from list processing, representation of

Sequences, lists, vectors, strings The name lisp comes from list processing, representation of information using lists is key aspect of the language Sequence is the most general list-like type Lists are a subtype of sequences

249 views • 14 slides
Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array

Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array

Chapter 9 Strings 1 C-Strings vs C++ Strings T wo string types: C-strings Array with base type char End of string marked with null, \0 Older method inherited from C C++ strings Objects of string class 2

469 views • 18 slides
Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit

Vectors Vectors and Scalars Properties of Vectors Components of a Vector and Unit Vectors Homework 1 Vectors and Scalars Vector - quantity that has magnitude and direction e.g. displacement, velocity, acceleration, force

560 views • 16 slides
Strings on Celestial Sphere Stephan Stieberger, MPP Mnchen String Theory from a Worldsheet

Strings on Celestial Sphere Stephan Stieberger, MPP Mnchen String Theory from a Worldsheet

Strings on Celestial Sphere Stephan Stieberger, MPP Mnchen String Theory from a Worldsheet Perspective Galileo Galilei Institute, Firenze April 15 - 19, 2019 based on: St.St., T.R. Taylor: Strings on Celestial Sphere arXiv:1806.05688 Nucl.

483 views • 22 slides
Complete factorization in minimal N=4 Chern-Simons matter theory 7. Aug. 2017 @ YITP Strings and

Complete factorization in minimal N=4 Chern-Simons matter theory 7. Aug. 2017 @ YITP Strings and

Complete factorization in minimal N=4 Chern-Simons matter theory 7. Aug. 2017 @ YITP Strings and Fields 2017 Shuichi Yokoyama Yukawa Institute for Theoretical Physics Ref. T.Nosaka-SY arXiv:1706.07234 From M-theory to CS theory Existence

703 views • 38 slides
CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating

CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating

CVC4 1.5 for Sygus Comp 2015 CVC4 is an SMT solver Fourth generation of Cooperating Validity Checker (CVC, CVC Lite, CVC3, CVC4) Supports many ground theories: Linear arithmetic, bitvectors , UF, datatypes, arrays, sets, strings,

341 views • 14 slides
Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of

Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of

String Manipulation Chapter 7 Attaway MATLAB 4E Strings: Terminology A string in MATLAB consists of any number of characters and is contained in single quotes strings are vectors in which every element is a single character A substring

573 views • 19 slides
IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation Yasser Shoukry 1

IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation Yasser Shoukry 1

IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation Yasser Shoukry 1 Pierluigi Nuzzo 2 , Alberto Puggelli 2 , Alberto Sangiovani-Vincentelli 2 , Sanjit A. Seshia 2 , Mani Srivastava 1 , and Paulo Tabuada 1 1 EE Department

1.12k views • 91 slides
Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy

Why Should You Care? Writing a CSP Solver in Understanding how the solver works 3 (or 4) Easy Lessons makes better models. Christopher Jefferson Minion already imposes this on you, University of Oxford through its low-level input

598 views • 27 slides
Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better

Adjoint Solver Workshop Why is an Adjoint Solver useful? Design and manufacture for better performance: e.g. airfoil, combustor, rotor blade, ducts, body shape, etc. by optimising a certain characteristic CFD has the capability to explore

426 views • 24 slides
Strings Testing for equality with strings. Lexicographic ordering of strings. Other

Strings Testing for equality with strings. Lexicographic ordering of strings. Other

Strings Testing for equality with strings. Lexicographic ordering of strings. Other string methods. 1 Strings and Testing for Equality The == operator is also not appropriate for determining if two objects , such as strings, have

380 views • 13 slides
Python:Strings Strings

Python:Strings Strings

Python:Strings Strings Source:https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-0001-introduction-to-computer-science-and- programming-in-python-fall-2016/lecture-slides-code/ Strings String is a sequence of

293 views • 13 slides
Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are

Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are

g e o m e t r i c v e c t o r s g e o m e t r i c v e c t o r s Methods of Adding Vectors Geometrically MCV4U: Calculus &amp; Vectors Recall that two vectors are equivalent if they have the same magnitude and direction. This means that vectors

281 views • 4 slides
Vectors, Signals &amp; Shannons Information Theory A/Prof. Vaughan Clarkson 10 PROCEEDINGS OF

Vectors, Signals &amp; Shannons Information Theory A/Prof. Vaughan Clarkson 10 PROCEEDINGS OF

Vectors, Signals &amp; Shannons Information Theory A/Prof. Vaughan Clarkson 10 PROCEEDINGS OF THE I.R.E. January through the attenuator to the receiver. In this manner, space-charge type illustrated in Fig. 5. The shape of this the gain

269 views • 10 slides
MA/CSSE 474 Theory of Computation Course Intro Finish T = S proof from Day 1 More about strings

MA/CSSE 474 Theory of Computation Course Intro Finish T = S proof from Day 1 More about strings

3/10/2020 MA/CSSE 474 Theory of Computation Course Intro Finish T = S proof from Day 1 More about strings and languages Today's Agenda Roll call Student questions Introductions and Course overview Overview of yesterday's

370 views • 13 slides
KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for

KY 1 Engineering 10 San Jose State University Solver The Solver is intended primarily for solving constrained optimization problems. For example, the goal could be to minimize the amount of material used to make the can while keeping the

209 views • 18 slides
Geometric Vectors A geometric vector is a representation of a vector using an arrow diagram, or

Geometric Vectors A geometric vector is a representation of a vector using an arrow diagram, or

Culminating Review for Vectors An Introduction to Vectors Applications of Vectors 4 2 1 Equations of Lines and Planes 0011 0010 1010 1101 0001 0100 1011 Relationships between Points, Lines and Planes 5 An Introduction to Vectors Geometric

737 views • 18 slides
Geometric Vectors A geometric vector is a representation of a vector using an arrow diagram, or

Geometric Vectors A geometric vector is a representation of a vector using an arrow diagram, or

Culminating Review for Vectors An Introduction to Vectors Applications of Vectors 4 2 1 Equations of Lines and Planes 0011 0010 1010 1101 0001 0100 1011 Relationships between Points, Lines and Planes 5 An Introduction to Vectors Geometric

341 views • 31 slides
Trees, Strings, and Representation Theory Adam Wood Department of Mathematics University of Iowa

Trees, Strings, and Representation Theory Adam Wood Department of Mathematics University of Iowa

Trees, Strings, and Representation Theory Adam Wood Department of Mathematics University of Iowa Graduate and Undergraduate Student Seminar University of Iowa October 9, 2019 Outline Motivating Example Representation Theory of Finite Groups

1.4k views • 94 slides
CS 162 Intro to Programming II Vectors 1 Vectors A

CS 162 Intro to Programming II Vectors 1 Vectors A

CS 162 Intro to Programming II Vectors 1 Vectors A container from the Standard Template Library Holds a set of elements, like an array Flexible number of elements - can grow and shrink

511 views • 10 slides

More recommend