80,016 research outputs found
A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing
Surveys. If you are considering citing this survey, we would appreciate it if you
could use the following BibTeX entry: http://goo.gl/Hf5Fvc
Comment: This is the authors' pre-print copy.
Constraint-based reachability
Iterative imperative programs can be considered as infinite-state systems
computing over possibly unbounded domains. Studying reachability in these
systems is challenging as it requires dealing with an infinite number of states
with standard backward or forward exploration strategies. An approach that we
call Constraint-based reachability is proposed to address reachability
problems by exploring program states using a constraint model of the whole
program. The key point of the approach is to interpret imperative constructions
such as conditionals, loops, array and memory manipulations with the
fundamental notion of constraint over a computational domain. By combining
constraint filtering and abstraction techniques, Constraint-based reachability
is able to solve reachability problems which are usually outside the scope of
backward or forward exploration strategies. This paper proposes an
interpretation of classical filtering consistencies used in Constraint
Programming as abstract domain computations, and shows how this approach can be
used to produce a constraint solver that efficiently generates solutions for
reachability problems that are unsolvable by other approaches.
Comment: In Proceedings Infinity 2012, arXiv:1302.310
Bin Packing and Related Problems: General Arc-flow Formulation with Graph Compression
We present an exact method, based on an arc-flow formulation with side
constraints, for solving bin packing and cutting stock problems, including
multi-constraint variants, by simply representing all the patterns in a very
compact graph. Our method includes a graph compression algorithm that usually
reduces the size of the underlying graph substantially without weakening the
model. As opposed to our method, which provides strong models, conventional
models are usually highly symmetric and provide very weak lower bounds.
Our formulation is equivalent to Gilmore and Gomory's, thus providing a very
strong linear relaxation. However, instead of using column-generation in an
iterative process, the method constructs a graph, where paths from the source
to the target node represent every valid packing pattern.
The same method, without any problem-specific parameterization, was used to
solve a large variety of instances from several different cutting and packing
problems. In this paper, we deal with vector packing, graph coloring, bin
packing, cutting stock, cardinality constrained bin packing, cutting stock with
cutting knife limitation, cutting stock with binary patterns, bin packing with
conflicts, and cutting stock with binary patterns and forbidden pairs. We
report computational results obtained with many benchmark test data sets, all
of them showing a large advantage of this formulation with respect to the
traditional ones.
Combining Static and Dynamic Analysis for Vulnerability Detection
In this paper, we present a hybrid approach for buffer overflow detection in
C code. The approach makes use of static and dynamic analysis of the
application under investigation. The static part consists in calculating taint
dependency sequences (TDS) between user controlled inputs and vulnerable
statements. This process is akin to program slice of interest to calculate
tainted data- and control-flow path which exhibits the dependence between
tainted program inputs and vulnerable statements in the code. The dynamic part
consists of executing the program along TDSs to trigger the vulnerability by
generating suitable inputs. We use a genetic algorithm to generate inputs. We
propose a fitness function that approximates the program behavior (control
flow) based on the frequencies of the statements along TDSs. This runtime
aspect makes the approach faster and accurate. We provide experimental results
on the Verisec benchmark to validate our approach.
Comment: There are 15 pages with 1 figure
The DLV System for Knowledge Representation and Reasoning
This paper presents the DLV system, which is widely considered the
state-of-the-art implementation of disjunctive logic programming, and addresses
several aspects. As for problem solving, we provide a formal definition of its
kernel language, function-free disjunctive logic programs (also known as
disjunctive datalog), extended by weak constraints, which are a powerful tool
to express optimization problems. We then illustrate the usage of DLV as a tool
for knowledge representation and reasoning, describing a new declarative
programming methodology which allows one to encode complex problems (up to
-complete problems) in a declarative fashion. On the foundational
side, we provide a detailed analysis of the computational complexity of the
language of DLV, and by deriving new complexity results we chart a complete
picture of the complexity of this language and important fragments thereof.
Furthermore, we illustrate the general architecture of the DLV system which
has been influenced by these results. As for applications, we overview
application front-ends which have been developed on top of DLV to solve
specific knowledge representation tasks, and we briefly describe the main
international projects investigating the potential of the system for industrial
exploitation. Finally, we report about thorough experimentation and
benchmarking, which has been carried out to assess the efficiency of the
system. The experimental results confirm the solidity of DLV and highlight its
potential for emerging application areas like knowledge management and
information integration.
Comment: 56 pages, 9 figures, 6 tables