A Static Analyzer for Large Safety-Critical Software
We show that abstract interpretation-based static program analysis can be
made efficient and precise enough to formally verify a class of properties for
a family of large programs with few or no false alarms. This is achieved by
refinement of a general purpose static analyzer and later adaptation to
particular programs of the family by the end-user through parametrization. This
is applied to the proof of soundness of data manipulation operations at the
machine level for periodic synchronous safety-critical embedded software. The
main novelties are the design principle of static analyzers by refinement and
adaptation through parametrization, the symbolic manipulation of expressions to
improve the precision of abstract transfer functions, the octagon, ellipsoid,
and decision tree abstract domains, all with sound handling of rounding errors
in floating point computations, widening strategies (with thresholds, delayed)
and the automatic determination of the parameters (parametrized packing)
Statistical Symbolic Execution with Informed Sampling
Symbolic execution techniques have been proposed recently for the probabilistic analysis of programs. These techniques seek to quantify the likelihood of reaching program events of interest, e.g., assert violations. They have many promising applications but have scalability issues due to high computational demand. To address this challenge, we propose a statistical symbolic execution technique that performs Monte Carlo sampling of the symbolic program paths and uses the obtained information for Bayesian estimation and hypothesis testing with respect to the probability of reaching the target events. To speed up the convergence of the statistical analysis, we propose Informed Sampling, an iterative symbolic execution that first explores the paths that have high statistical significance, prunes them from the state space and guides the execution towards less likely paths. The technique combines Bayesian estimation with a partial exact analysis for the pruned paths, leading to provably improved convergence of the statistical analysis. We have implemented statistical symbolic execution with informed sampling in the Symbolic PathFinder tool. We show experimentally that informed sampling obtains more precise results and converges faster than a purely statistical analysis and may also be more efficient than an exact symbolic analysis. When the latter does not terminate, symbolic execution with informed sampling can give meaningful results under the same time and memory limits.
Improving Function Coverage with Munch: A Hybrid Fuzzing and Directed Symbolic Execution Approach
Fuzzing and symbolic execution are popular techniques for finding
vulnerabilities and generating test-cases for programs. Fuzzing, a black-box
method that mutates seed input values, is generally incapable of generating
diverse inputs that exercise all paths in the program. Due to the
path-explosion problem and dependence on SMT solvers, symbolic execution may
also not achieve high path coverage. A hybrid technique involving fuzzing and
symbolic execution may achieve better function coverage than fuzzing or
symbolic execution alone. In this paper, we present Munch, an open source
framework implementing two hybrid techniques based on fuzzing and symbolic
execution. We empirically show using nine large open-source programs that
overall, Munch achieves higher (in-depth) function coverage than symbolic
execution or fuzzing alone. Using metrics based on total analyses time and
number of queries issued to the SMT solver, we also show that Munch is more
efficient at achieving better function coverage.
Comment: To appear at 33rd ACM/SIGAPP Symposium On Applied Computing (SAC). To
be held from 9th to 13th April, 201
MPro: Combining Static and Symbolic Analysis for Scalable Testing of Smart Contract
Smart contracts are executable programs that enable the building of a
programmable trust mechanism between multiple entities without the need for a
trusted third party. Researchers have developed several security scanners in
the past couple of years. However, many of these analyzers either do not scale
well, or if they do, produce many false positives. This issue is exacerbated
when bugs are triggered only after a series of interactions with the functions
of the contract-under-test. A depth-n vulnerability refers to a vulnerability
that requires invoking a specific sequence of n functions to trigger. Depth-n
vulnerabilities are time-consuming to detect by existing automated analyzers,
because of the combinatorial explosion of sequences of functions that could be
executed on smart contracts.
In this paper, we present a technique to analyze depth-n vulnerabilities in
an efficient and scalable way by combining symbolic execution and data
dependency analysis. A significant advantage of combining symbolic with static
analysis is that it scales much better than symbolic execution alone and does not have
the problem of false positives that static analysis tools typically have. We
have implemented our technique in a tool called MPro, a scalable and automated
smart contract analyzer based on the existing symbolic analysis tool
Mythril-Classic and the static analysis tool Slither. We analyzed 100 randomly
chosen smart contracts on MPro and our evaluation shows that MPro is about
n-times faster than Mythril-Classic for detecting depth-n vulnerabilities,
while preserving all the detection capabilities of Mythril-Classic.