9 research outputs found
ΠΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΡΠ»ΡΡΠ°ΠΉΠ½ΠΎΠΉ Π²ΡΠ±ΠΎΡΠΊΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ Π΄Π»Ρ ΡΠ΅ΡΠ΅Π½ΠΈΡ Π·Π°Π΄Π°ΡΠΈ ΠΈΠ½ΡΠ΅ΡΠΏΠΎΠ»ΡΡΠΈΠΈ ΠΡΠ΅ΠΉΠ³Π° Π² ΡΠ°ΠΌΠΊΠ°Ρ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ
One of the most serious problems when doing program analyses is dealing with function calls. While function inlining is the traditional approach to this problem, it nonetheless suffers from the increase in analysis complexity due to the state space explosion. Craig interpolation has been successfully used in recent years in the context of bounded model checking to do function summarization which allows one to replace the complete function body with its succinct summary and, therefore, reduce the complexity. Unfortunately this technique can be applied only to a pair of unsatisfiable formulae.In this work-in-progress paper we present an approach to function summarization based on Craig interpolation that overcomes its limitation by using random model sampling. It captures interesting input/output relations, strengthening satisfiable formulae into unsatisfiable ones and thus allowing the use of Craig interpolation. Preliminary experiments show the applicability of this approach; in our future work we plan to do a full evaluation on real-world examples.ΠΠ΄Π½ΠΎΠΉ ΠΈΠ· ΡΠ°ΠΌΡΡ
ΡΠ»ΠΎΠΆΠ½ΡΡ
ΠΏΡΠΎΠ±Π»Π΅ΠΌ ΠΏΡΠΈ ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ Π°Π½Π°Π»ΠΈΠ·Π΅ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ ΡΠ²Π»ΡΠ΅ΡΡΡ Π°Π½Π°Π»ΠΈΠ· Π²ΡΠ·ΠΎΠ²ΠΎΠ² ΡΡΠ½ΠΊΡΠΈΠΉ, ΡΠ°ΠΊΠΆΠ΅ ΠΈΠ·Π²Π΅ΡΡΠ½ΡΠΉ ΠΊΠ°ΠΊ ΠΌΠ΅ΠΆΠΏΡΠΎΡΠ΅Π΄ΡΡΠ½ΡΠΉ Π°Π½Π°Π»ΠΈΠ·. ΠΠ»Π°ΡΡΠΈΡΠ΅ΡΠΊΠΈΠΌ ΡΠΏΠΎΡΠΎΠ±ΠΎΠΌ ΡΠ΅ΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΉ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ ΡΠ²Π»ΡΠ΅ΡΡΡ ΠΏΠΎΠ΄ΡΡΠ°Π½ΠΎΠ²ΠΊΠ° ΡΠ΅Π» ΡΡΠ½ΠΊΡΠΈΠΉ Π² ΠΌΠ΅ΡΡΠ° Π²ΡΠ·ΠΎΠ²ΠΎΠ², ΠΎΠ΄Π½Π°ΠΊΠΎ ΠΏΡΠΈ ΡΡΠΎΠΌ Π·Π½Π°ΡΠΈΡΠ΅Π»ΡΠ½ΠΎ Π²ΠΎΠ·ΡΠ°ΡΡΠ°Π΅Ρ Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½Π°Ρ ΡΠ»ΠΎΠΆΠ½ΠΎΡΡΡ Π°Π½Π°Π»ΠΈΠ·Π° ΠΈΠ·-Π·Π° ΡΠ²Π΅Π»ΠΈΡΠ΅Π½ΠΈΡ ΡΠ°Π·ΠΌΠ΅ΡΠ° ΠΌΠΎΠ΄Π΅Π»ΠΈ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ. ΠΠ»Ρ ΡΠ΅ΡΠ΅Π½ΠΈΡ ΡΡΠΎΠΉ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ ΠΌΠΎΠΆΠ½ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ ΡΠ°Π·Π»ΠΈΡΠ½ΡΠ΅ Π°Π»Π³ΠΎΡΠΈΡΠΌΡ Π°ΠΏΠΏΡΠΎΠΊΡΠΈΠΌΠ°ΡΠΈΠΈ ΡΡΠ½ΠΊΡΠΈΠΉ, ΠΊΠΎΡΠΎΡΡΠ΅ Π·Π°ΠΌΠ΅Π½ΡΡΡ ΠΏΠΎΠ»Π½ΠΎΠ΅ ΡΠ΅Π»ΠΎ ΡΡΠ½ΠΊΡΠΈΠΈ Π½Π° Π΅Π΅ ΡΠΏΡΠΎΡΠ΅Π½Π½ΠΎΠ΅ ΠΎΠΏΠΈΡΠ°Π½ΠΈΠ΅, ΡΠ΅ΠΌ ΡΠ°ΠΌΡΠΌ ΡΠ½ΠΈΠΆΠ°Ρ ΡΠ»ΠΎΠΆΠ½ΠΎΡΡΡ Π°Π½Π°Π»ΠΈΠ·Π°. Π ΠΊΠΎΠ½ΡΠ΅ΠΊΡΡΠ΅ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ Π² ΠΏΠΎΡΠ»Π΅Π΄Π½Π΅Π΅ Π²ΡΠ΅ΠΌΡ Π½Π°ΡΠ°Π»Π° Π°ΠΊΡΠΈΠ²Π½ΠΎ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ ΠΈΠ½ΡΠ΅ΡΠΏΠΎΠ»ΡΡΠΈΡ ΠΡΠ΅ΠΉΠ³Π°, ΠΎΠ΄Π½Π°ΠΊΠΎ Π΅Π΅ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎ ΡΠΎΠ»ΡΠΊΠΎ Π΄Π»Ρ ΠΏΠ°ΡΡ Π½Π΅ΡΠΎΠ²ΠΌΠ΅ΡΡΠ½ΡΡ
Π»ΠΎΠ³ΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠΎΡΠΌΡΠ».Π Π΄Π°Π½Π½ΠΎΠΉ ΡΡΠ°ΡΡΠ΅ ΠΏΡΠ΅Π΄Π»Π°Π³Π°Π΅ΡΡΡ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄ ΠΊ Π°ΠΏΠΏΡΠΎΠΊΡΠΈΠΌΠ°ΡΠΈΠΈ ΡΡΠ½ΠΊΡΠΈΠΉ, ΠΎΡΠ½ΠΎΠ²Π°Π½Π½ΡΠΉ Π½Π° ΠΈΠ½ΡΠ΅ΡΠΏΠΎΠ»ΡΡΠΈΠΈ ΠΡΠ΅ΠΉΠ³Π°, ΠΊΠΎΡΠΎΡΡΠΉ Π»ΠΈΡΠ΅Π½ Π΄Π°Π½Π½ΠΎΠ³ΠΎ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½ΠΈΡ Π·Π° ΡΡΠ΅Ρ ΡΡΠΈΠ»Π΅Π½ΠΈΡ ΠΈΠ½ΡΠ΅ΡΠΏΠΎΠ»ΡΡΠΈΠΈ ΠΏΡΠΈ ΠΏΠΎΠΌΠΎΡΠΈ ΡΠ»ΡΡΠ°ΠΉΠ½ΠΎΠΉ Π²ΡΠ±ΠΎΡΠΊΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ. ΠΡΠΈ ΠΏΠΎΠΌΠΎΡΠΈ ΠΏΠΎΠΈΡΠΊΠ° ΠΈΠ½ΡΠ΅ΡΠ΅ΡΠ½ΡΡ
Π²Π·Π°ΠΈΠΌΠΎΠ·Π°Π²ΠΈΡΠΈΠΌΠΎΡΡΠ΅ΠΉ ΠΌΠ΅ΠΆΠ΄Ρ Π²Ρ
ΠΎΠ΄Π½ΡΠΌΠΈ ΠΈ Π²ΡΡ
ΠΎΠ΄Π½ΡΠΌΠΈ Π°ΡΠ³ΡΠΌΠ΅Π½ΡΠ°ΠΌΠΈ ΡΡΠ½ΠΊΡΠΈΠΈ, ΡΠ»ΡΡΠ°ΠΉΠ½Π°Ρ Π²ΡΠ±ΠΎΡΠΊΠ° ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΡΡΠΈΠ»ΠΈΡΡ ΡΠΎΠ²ΠΌΠ΅ΡΡΠ½ΡΠ΅ ΡΠΎΡΠΌΡΠ»Ρ Π΄ΠΎ Π½Π΅ΡΠΎΠ²ΠΌΠ΅ΡΡΠ½ΡΡ
, ΡΠ΅ΠΌ ΡΠ°ΠΌΡΠΌ Π΄Π΅Π»Π°Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΡΠΌ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ ΠΈΠ½ΡΠ΅ΡΠΏΠΎΠ»ΡΡΠΈΠΈ ΠΡΠ΅ΠΉΠ³Π°. Π Π΅Π·ΡΠ»ΡΡΠ°ΡΡ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½Π½ΡΡ
ΠΏΡΠ΅Π΄Π²Π°ΡΠΈΡΠ΅Π»ΡΠ½ΡΡ
ΡΠΊΡΠΏΠ΅ΡΠΈΠΌΠ΅Π½ΡΠΎΠ² ΠΏΠΎΠ΄ΡΠ²Π΅ΡΠΆΠ΄Π°ΡΡ ΠΏΡΠΈΠΌΠ΅Π½ΠΈΠΌΠΎΡΡΡ Π΄Π°Π½Π½ΠΎΠ³ΠΎ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄Π°; Π² Π΄Π°Π»ΡΠ½Π΅ΠΉΡΠ΅ΠΌ ΠΏΠ»Π°Π½ΠΈΡΡΠ΅ΡΡΡ ΠΏΡΠΎΠ²Π΅ΡΡΠΈ Π±ΠΎΠ»Π΅Π΅ ΠΏΠΎΠ΄ΡΠΎΠ±Π½ΡΠ΅ ΠΈΡΡΠ»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΡ Π΅Π³ΠΎ Ρ
Π°ΡΠ°ΠΊΡΠ΅ΡΠΈΡΡΠΈΠΊ Π½Π° ΡΠ΅Π°Π»ΡΠ½ΡΡ
ΠΏΡΠΈΠΌΠ΅ΡΠ°Ρ
.
ΠΠ±Π½Π°ΡΡΠΆΠ΅Π½ΠΈΠ΅ Π΄Π΅ΡΠ΅ΠΊΡΠΎΠ² Π² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠΌ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΠΈ ΠΏΡΡΠ΅ΠΌ ΠΎΠ±ΡΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΡ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ ΠΈ Π°ΠΏΠΏΡΠΎΠΊΡΠΈΠΌΠ°ΡΠΈΠΈ ΡΡΠ½ΠΊΡΠΈΠΉ
Bounded model checking (BMC) of C/C++ programs is a matter of scientific enquiry that attracts great attention in the last few years. In this paper, we present our approach to this problem. It is based on combining several recent results in BMC, namely, the use of LLVM as a baseline for model generation, employment of high-performance Z3 SMT solver to do the formula heavy-lifting, and the use of various function summaries to improve analysis efficiency and expressive power. We have implemented a basic prototype; experiment results on a set of simple test BMC problems are satisfactory.Β Β Π ΠΏΠΎΡΠ»Π΅Π΄Π½ΠΈΠ΅ Π³ΠΎΠ΄Ρ ΡΠ°ΠΊΠΎΠΉ ΠΌΠ΅ΡΠΎΠ΄ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ ΠΊΠ°ΡΠ΅ΡΡΠ²Π° ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ (ΠΠ), ΠΊΠ°ΠΊ ΠΎΠ³ΡΠ°Π½ΠΈΡΠ΅Π½Π½Π°Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠ° ΠΌΠΎΠ΄Π΅Π»Π΅ΠΉ (Bounded Model Checking, BMC), ΠΈΡΡΠ»Π΅Π΄ΡΠ΅ΡΡΡ Π²ΡΠ΅ Π±ΠΎΠ»Π΅Π΅ ΠΈ Π±ΠΎΠ»Π΅Π΅ Π°ΠΊΡΠΈΠ²Π½ΠΎ, ΠΏΠΎΡΠΊΠΎΠ»ΡΠΊΡ ΠΎΠ½ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΡΡΠΏΠ΅ΡΠ½ΠΎ ΠΎΠ±Π½Π°ΡΡΠΆΠΈΠ²Π°ΡΡ ΠΊΠ°ΠΊ ΡΡΠ½ΠΊΡΠΈΠΎΠ½Π°Π»ΡΠ½ΡΠ΅, ΡΠ°ΠΊ ΠΈ Π½Π΅ΡΡΠ½ΠΊΡΠΈΠΎΠ½Π°Π»ΡΠ½ΡΠ΅ Π΄Π΅ΡΠ΅ΠΊΡΡ Π² ΡΠ΅Π°Π»ΡΠ½ΠΎΠΌ ΠΠ. Π Π΄Π°Π½Π½ΠΎΠΉ ΡΡΠ°ΡΡΠ΅ ΠΏΡΠ΅Π΄Π»Π°Π³Π°Π΅ΡΡΡ ΠΎΡΠΈΠ³ΠΈΠ½Π°Π»ΡΠ½ΡΠΉ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄ ΠΊ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΠΈ BMC, ΠΎΡΠ½ΠΎΠ²Π°Π½Π½ΡΠΉ Π½Π° ΠΎΠ±ΡΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΈ ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΠΎΠ² Π½Π΅ΡΠΊΠΎΠ»ΡΠΊΠΈΡ
ΠΏΠΎΡΠ»Π΅Π΄Π½ΠΈΡ
ΠΈΡΡΠ»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΠΉ Π² ΡΡΠΎΠΉ ΠΎΠ±Π»Π°ΡΡΠΈ: ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠΈ ΡΠΈΡΡΠ΅ΠΌΡ ΠΊΠΎΠΌΠΏΠΈΠ»ΡΡΠΈΠΈ LLVM Π΄Π»Ρ ΡΠ°Π·Π±ΠΎΡΠ° ΠΈ ΡΡΠ°Π½ΡΡΠΎΡΠΌΠ°ΡΠΈΠΈ ΠΈΡΡ
ΠΎΠ΄Π½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π°, ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΠΈ SMT-ΡΠ΅ΡΠ°ΡΠ΅Π»Ρ Z3 Π΄Π»Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΡΠ²ΠΎΠΉΡΡΠ² ΠΊΠΎΡΡΠ΅ΠΊΡΠ½ΠΎΡΡΠΈ ΠΈ ΠΏΠΎΠ²ΡΡΠ΅Π½ΠΈΡ ΡΡΡΠ΅ΠΊΡΠΈΠ²Π½ΠΎΡΡΠΈ Π°Π½Π°Π»ΠΈΠ·Π° Π·Π° ΡΡΠ΅Ρ Π°ΠΏΠΏΡΠΎΠΊΡΠΈΠΌΠ°ΡΠΈΠΉ ΡΡΠ½ΠΊΡΠΈΠΉ. ΠΡΠΎΠ²Π΅Π΄Π΅Π½Π½ΡΠ΅ ΡΠΊΡΠΏΠ΅ΡΠΈΠΌΠ΅Π½ΡΠ°Π»ΡΠ½ΡΠ΅ ΠΈΡΡΠ»Π΅Π΄ΠΎΠ²Π°Π½ΠΈΡ ΠΏΠΎΠΊΠ°Π·ΡΠ²Π°ΡΡ ΠΏΡΠΈΠΌΠ΅Π½ΠΈΠΌΠΎΡΡΡ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄Π° ΠΊ ΡΠ΅Π°Π»ΡΠ½ΡΠΌ ΠΏΡΠΎΠ΅ΠΊΡΠ°ΠΌ
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate if you
could use the following BibTeX entry: http://goo.gl/Hf5FvcComment: This is the authors pre-print copy. If you are considering citing
this survey, we would appreciate if you could use the following BibTeX entry:
http://goo.gl/Hf5Fv
Improving systems software security through program analysis and instrumentation
Security and reliability bugs are prevalent in systems software. Systems code is often written in low-level languages like C/C++, which offer many benefits but also delegate memory management and type safety to programmers. This invites bugs that cause crashes or can be exploited by attackers to take control of the program. This thesis presents techniques to detect and fix security and reliability issues in systems software without burdening the software developers. First, we present code-pointer integrity (CPI), a technique that combines static analysis with compile-time instrumentation to guarantee the integrity of all code pointers in a program and thereby prevent all control-flow hijack attacks. We also present code-pointer separation (CPS), a relaxation of CPI with better performance properties. CPI and CPS offer substantially better security-to-overhead ratios than the state of the art in control flow hijack defense mechanisms, they are practical (we protect a complete FreeBSD system and over 100 packages like apache and postgresql), effective (prevent all attacks in the RIPE benchmark), and efficient: on SPEC CPU2006, CPS averages 1.2% overhead for C and 1.9% for C/C++, while CPIΓ’s overhead is 2.9% for C and 8.4% for C/C++. Second, we present DDT, a tool for testing closed-source device drivers to automatically find bugs like memory errors or race conditions. DDT showcases a combination of a form of program analysis called selective symbolic execution with virtualization to thoroughly exercise tested drivers and produce detailed, executable traces for every path that leads to a failure. We applied DDT to several closed-source Microsoft-certified Windows device drivers and discovered 14 serious new bugs that can cause crashes or compromise security of the entire system. Third, we present a technique for increasing the scalability of symbolic execution by merging states obtained on different execution paths. State merging reduces the number of states to analyze, but the merged states can be more complex and harder to analyze than their individual components. We introduce query count estimation, a technique to reason about the analysis time of merged states and decide which states to merge in order to achieve optimal net performance of symbolic execution. We also introduce dynamic state merging, a technique for merging states that interacts favorably with search strategies employed by practical bug finding tools, such as DDT and KLEE. Experiments on the 96 GNU Coreutils show that our approach consistently achieves several orders of magnitude speedup over previously published results