31,857 research outputs found
Benchmarking Symbolic Execution Using Constraint Problems -- Initial Results
Symbolic execution is a powerful technique for bug finding and program
testing. It is successful in finding bugs in real-world code. The core
reasoning techniques use constraint solving, path exploration, and search,
which are also the same techniques used in solving combinatorial problems,
e.g., finite-domain constraint satisfaction problems (CSPs). We propose CSP
instances as more challenging benchmarks to evaluate the effectiveness of the
core techniques in symbolic execution. We transform CSP benchmarks into C
programs suitable for testing the reasoning capabilities of symbolic execution
tools. From a single CSP P, we transform P depending on transformation choice
into different C programs. Preliminary testing with the KLEE, Tracer-X, and
LLBMC tools show substantial runtime differences from transformation and solver
choice. Our C benchmarks are effective in showing the limitations of existing
symbolic execution tools. The motivation for this work is we believe that
benchmarks of this form can spur the development and engineering of improved
core reasoning in symbolic execution engines
Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution
Constraint solution reuse is an effective approach to save the time of
constraint solving in symbolic execution. Most of the existing reuse approaches
are based on syntactic or semantic equivalence of constraints; e.g. the Green
framework is able to reuse constraints which have different representations but
are semantically equivalent, through canonizing constraints into syntactically
equivalent normal forms. However, syntactic/semantic equivalence is not a
necessary condition for reuse--some constraints are not syntactically or
semantically equivalent, but their solutions still have potential for reuse.
Existing approaches are unable to recognize and reuse such constraints.
In this paper, we present GreenTrie, an extension to the Green framework,
which supports constraint reuse based on the logical implication relations
among constraints. GreenTrie provides a component, called L-Trie, which stores
constraints and solutions into tries, indexed by an implication partial order
graph of constraints. L-Trie is able to carry out logical reduction and logical
subset and superset querying for given constraints, to check for reuse of
previously solved constraints. We report the results of an experimental
assessment of GreenTrie against the original Green framework, which shows that
our extension achieves better reuse of constraint solving result and saves
significant symbolic execution time.Comment: this paper has been submitted to conference ISSTA 201
Abstract Interpretation, Symbolic Execution and Constraints
Abstract interpretation is a static analysis framework for sound over-approximation of all possible runtime states of a program. Symbolic execution is a framework for reachability analysis which tries to explore all possible execution paths of a program. A shared feature between abstract interpretation and symbolic execution is that each - implicitly or explicitly - maintains constraints during execution, in the form of invariants or path conditions. We investigate the relations between the worlds of abstract interpretation, symbolic execution and constraint solving, to expose potential synergies
Accelerating array constraints in symbolic execution
Despite significant recent advances, the effectiveness of symbolic execution is limited when used to test complex, real-world software. One of the main scalability challenges is related to constraint solv- ing: large applications and long exploration paths lead to complex constraints, often involving big arrays indexed by symbolic expres- sions. In this paper, we propose a set of semantics-preserving trans- formations for array operations that take advantage of contextual information collected during symbolic execution. Our transforma- tions lead to simpler encodings and hence better performance in constraint solving. The results we obtain are encouraging: we show, through an extensive experimental analysis, that our transforma- tions help to significantly improve the performance of symbolic execution in the presence of arrays. We also show that our transfor- mations enable the analysis of new code, which would be otherwise out of reach for symbolic execution
State Merging with Quantifiers in Symbolic Execution
We address the problem of constraint encoding explosion which hinders the
applicability of state merging in symbolic execution. Specifically, our goal is
to reduce the number of disjunctions and if-then-else expressions introduced
during state merging. The main idea is to dynamically partition the symbolic
states into merging groups according to a similar uniform structure detected in
their path constraints, which allows to efficiently encode the merged path
constraint and memory using quantifiers. To address the added complexity of
solving quantified constraints, we propose a specialized solving procedure that
reduces the solving time in many cases. Our evaluation shows that our approach
can lead to significant performance gains
Towards Smart Hybrid Fuzzing for Smart Contracts
Smart contracts are Turing-complete programs that are executed across a
blockchain network. Unlike traditional programs, once deployed they cannot be
modified. As smart contracts become more popular and carry more value, they
become more of an interesting target for attackers. In recent years, smart
contracts suffered major exploits, costing millions of dollars, due to
programming errors. As a result, a variety of tools for detecting bugs has been
proposed. However, majority of these tools often yield many false positives due
to over-approximation or poor code coverage due to complex path constraints.
Fuzzing or fuzz testing is a popular and effective software testing technique.
However, traditional fuzzers tend to be more effective towards finding shallow
bugs and less effective in finding bugs that lie deeper in the execution. In
this work, we present CONFUZZIUS, a hybrid fuzzer that combines evolutionary
fuzzing with constraint solving in order to execute more code and find more
bugs in smart contracts. Evolutionary fuzzing is used to exercise shallow parts
of a smart contract, while constraint solving is used to generate inputs which
satisfy complex conditions that prevent the evolutionary fuzzing from exploring
deeper paths. Moreover, we use data dependency analysis to efficiently generate
sequences of transactions, that create specific contract states in which bugs
may be hidden. We evaluate the effectiveness of our fuzzing strategy, by
comparing CONFUZZIUS with state-of-the-art symbolic execution tools and
fuzzers. Our evaluation shows that our hybrid fuzzing approach produces
significantly better results than state-of-the-art symbolic execution tools and
fuzzers
Symbolic PathFinder: Symbolic Execution of Java Bytecode
Symbolic Pathfinder (SPF) combines symbolic execution with model checking and constraint solving for automated test case generation and error detection in Java programs with unspecified inputs. In this tool, programs are executed on symbolic inputs representing multiple concrete inputs. Values of variables are represented as constraints generated from the analysis of Java bytecode. The constraints are solved using off-the shelf solvers to generate test inputs guaranteed to achieve complex coverage criteria. SPF has been used successfully at NASA, in academia, and in industry
A reduced semantics for deciding trace equivalence using constraint systems
Many privacy-type properties of security protocols can be modelled using
trace equivalence properties in suitable process algebras. It has been shown
that such properties can be decided for interesting classes of finite processes
(i.e., without replication) by means of symbolic execution and constraint
solving. However, this does not suffice to obtain practical tools. Current
prototypes suffer from a classical combinatorial explosion problem caused by
the exploration of many interleavings in the behaviour of processes.
M\"odersheim et al. have tackled this problem for reachability properties using
partial order reduction techniques. We revisit their work, generalize it and
adapt it for equivalence checking. We obtain an optimization in the form of a
reduced symbolic semantics that eliminates redundant interleavings on the fly.Comment: Accepted for publication at POST'1
- …