1,970 research outputs found
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
Concolic Testing Heap-Manipulating Programs
Concolic testing is a test generation technique which works effectively by
integrating random testing generation and symbolic execution. Existing concolic
testing engines focus on numeric programs. Heap-manipulating programs make
extensive use of complex heap objects like trees and lists. Testing such
programs is challenging due to multiple reasons. Firstly, test inputs for such
program are required to satisfy non-trivial constraints which must be specified
precisely. Secondly, precisely encoding and solving path conditions in such
programs are challenging and often expensive. In this work, we propose the
first concolic testing engine called CSF for heap-manipulating programs based
on separation logic. CSF effectively combines specification-based testing and
concolic execution for test input generation. It is evaluated on a set of
challenging heap-manipulating programs. The results show that CSF generates
valid test inputs with high coverage efficiently. Furthermore, we show that CSF
can be potentially used in combination with precondition inference tools to
reduce the user effort
Symbolic PathFinder: Symbolic Execution of Java Bytecode
Symbolic Pathfinder (SPF) combines symbolic execution with model checking and constraint solving for automated test case generation and error detection in Java programs with unspecified inputs. In this tool, programs are executed on symbolic inputs representing multiple concrete inputs. Values of variables are represented as constraints generated from the analysis of Java bytecode. The constraints are solved using off-the shelf solvers to generate test inputs guaranteed to achieve complex coverage criteria. SPF has been used successfully at NASA, in academia, and in industry
Badger: Complexity Analysis with Fuzzing and Symbolic Execution
Hybrid testing approaches that involve fuzz testing and symbolic execution
have shown promising results in achieving high code coverage, uncovering subtle
errors and vulnerabilities in a variety of software applications. In this paper
we describe Badger - a new hybrid approach for complexity analysis, with the
goal of discovering vulnerabilities which occur when the worst-case time or
space complexity of an application is significantly higher than the average
case. Badger uses fuzz testing to generate a diverse set of inputs that aim to
increase not only coverage but also a resource-related cost associated with
each path. Since fuzzing may fail to execute deep program paths due to its
limited knowledge about the conditions that influence these paths, we
complement the analysis with a symbolic execution, which is also customized to
search for paths that increase the resource-related cost. Symbolic execution is
particularly good at generating inputs that satisfy various program conditions
but by itself suffers from path explosion. Therefore, Badger uses fuzzing and
symbolic execution in tandem, to leverage their benefits and overcome their
weaknesses. We implemented our approach for the analysis of Java programs,
based on Kelinci and Symbolic PathFinder. We evaluated Badger on Java
applications, showing that our approach is significantly faster in generating
worst-case executions compared to fuzzing or symbolic execution on their own
A unit-based symbolic execution method for detecting memory corruption vulnerabilities in executable codes
Memory corruption is a serious class of software vulnerabilities, which
requires careful attention to be detected and removed from applications before
getting exploited and harming the system users. Symbolic execution is a
well-known method for analyzing programs and detecting various vulnerabilities,
e.g., memory corruption. Although this method is sound and complete in theory,
it faces some challenges, such as path explosion, when applied to real-world
complex programs. In this paper, we present a method for improving the
efficiency of symbolic execution and detecting four classes of memory
corruption vulnerabilities in executable codes, i.e., heap-based buffer
overflow, stack-based buffer overflow, use-after-free, and double-free. We
perform symbolic execution only on test units rather than the whole program to
avoid path explosion. In our method, test units are considered parts of the
program's code, which might contain vulnerable statements and are statically
identified based on the specifications of memory corruption vulnerabilities.
Then, each test unit is symbolically executed to calculate path and
vulnerability constraints of each statement of the unit, which determine the
conditions on unit input data for executing that statement or activating
vulnerabilities in it, respectively. Solving these constraints gives us input
values for the test unit, which execute the desired statements and reveal
vulnerabilities in them. Finally, we use machine learning to approximate the
correlation between system and unit input data. Thereby, we generate system
inputs that enter the program, reach vulnerable instructions in the desired
test unit, and reveal vulnerabilities in them. This method is implemented as a
plugin for angr framework and evaluated using a group of benchmark programs.
The experiments show its superiority over similar tools in accuracy and
performance
Enhancing Symbolic Execution of Heap-based Programs with Separation Logic for Test Input Generation
Symbolic execution is a well established method for test input generation.
Despite of having achieved tremendous success over numerical domains, existing
symbolic execution techniques for heap-based programs are limited due to the
lack of a succinct and precise description for symbolic values over unbounded
heaps. In this work, we present a new symbolic execution method for heap-based
programs based on separation logic. The essence of our proposal is
context-sensitive lazy initialization, a novel approach for efficient test
input generation. Our approach differs from existing approaches in two ways.
Firstly, our approach is based on separation logic, which allows us to
precisely capture preconditions of heap-based programs so that we avoid
generating invalid test inputs. Secondly, we generate only fully initialized
test inputs, which are more useful in practice compared to those partially
initialized test inputs generated by the state-of-the-art tools. We have
implemented our approach as a tool, called Java StarFinder, and evaluated it on
a set of programs with complex heap inputs. The results show that our approach
significantly reduces the number of invalid test inputs and improves the test
coverage
- …