1,046 research outputs found

    A Survey of Symbolic Execution Techniques

    Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc. Comment: This is the authors' pre-print copy.

    COLAB : a hybrid knowledge representation and compilation laboratory

    Knowledge bases for real-world domains such as mechanical engineering require expressive and efficient representation and processing tools. We pursue a declarative-compilative approach to knowledge engineering. While Horn logic (as implemented in PROLOG) is well-suited for representing relational clauses, other kinds of declarative knowledge call for hybrid extensions: functional dependencies and higher-order knowledge should be modeled directly. Forward (bottom-up) reasoning should be integrated with backward (top-down) reasoning. Constraint propagation should be used wherever possible instead of search-intensive resolution. Taxonomic knowledge should be classified into an intuitive subsumption hierarchy. Our LISP-based tools provide direct translators of these declarative representations into abstract machines such as an extended Warren Abstract Machine (WAM) and specialized inference engines that are interfaced to each other. More importantly, we provide source-to-source transformers between various knowledge types, both for user convenience and machine efficiency. These formalisms with their translators and transformers have been developed as part of COLAB, a compilation laboratory for studying what we call, respectively, "vertical" and "horizontal" compilation of knowledge, as well as for exploring the synergetic collaboration of the knowledge representation formalisms. A case study in the realm of mechanical engineering has been an important driving force behind the development of COLAB. It will be used as the source of examples throughout the paper when discussing the enhanced formalisms, the hybrid representation architecture, and the compilers

    Queries, rules and definitions as epistemic statements in concept languages

    Concept languages have been studied in order to give a formal account of the basic features of frame-based languages. The focus of research in concept languages was initially on the semantical reconstruction of frame-based systems and the computational complexity of reasoning. More recently, attention has been paid to the formalization of other aspects of frame-based languages, such as non-monotonic reasoning and procedural rules, which are necessary in order to bring concept languages closer to implemented systems. In this paper we discuss the above issues in the framework of concept languages enriched with an epistemic operator. In particular, we show that the epistemic operator both introduces novel features in the language, such as sophisticated query formulation and closed world reasoning, and makes it possible to provide a formal account for some aspects of the existing systems, such as rules and definitions, that cannot be characterized in a standard first-order framework

    Logic Programs as Declarative and Procedural Bias in Inductive Logic Programming

    Machine Learning is necessary for the development of Artificial Intelligence, as pointed out by Turing in his 1950 article "Computing Machinery and Intelligence". It is in the same article that Turing suggested the use of computational logic and background knowledge for learning. This thesis follows a logic-based machine learning approach called Inductive Logic Programming (ILP), which is advantageous over other machine learning approaches in terms of relational learning and utilising background knowledge. ILP uses logic programs as a uniform representation for hypothesis, background knowledge and examples, but its declarative bias is usually encoded using metalogical statements. This thesis advocates the use of logic programs to represent declarative and procedural bias, which results in a framework of single-language representation. We show in this thesis that using a logic program called the top theory as declarative bias leads to a sound and complete multi-clause learning system MC-TopLog. It overcomes the entailment-incompleteness of Progol, thus outperforms Progol in terms of predictive accuracies on learning grammars and strategies for playing Nim game. MC-TopLog has been applied to two real-world applications funded by Syngenta, which is an agriculture company. A higher-order extension on top theories results in meta-interpreters, which allow the introduction of new predicate symbols. Thus the resulting ILP system Metagol can do predicate invention, which is an intrinsically higher-order logic operation. Metagol also leverages the procedural semantic of Prolog to encode procedural bias, so that it can outperform both its ASP version and ILP systems without an equivalent procedural bias in terms of efficiency and accuracy. This is demonstrated by the experiments on learning Regular, Context-free and Natural grammars.
Metagol is also applied to non-grammar learning tasks involving recursion and predicate invention, such as learning a definition of staircases and robot strategy learning. Both MC-TopLog and Metagol are based on a ⊤-directed framework, which is different from other multi-clause learning systems based on Inverse Entailment, such as CF-Induction, XHAIL and IMPARO. Compared to another ⊤-directed multi-clause learning system TAL, Metagol allows the explicit form of higher-order assumption to be encoded in the form of meta-rules.

    A Classification Approach for Automated Reasoning Systems--A Case Study in Graph Theory

    Reasoning systems which create classifications of structured objects face the problem of how object descriptions can be used to reflect their components as well as relations among these components. Current reasoning systems on graph theory do not adequately provide models to discover complex relations among mathematical concepts (e.g., relations involving subgraphs) mainly due to the inability to solve this problem. This thesis presents an approach to construct a knowledge-based system, GC (Graph Classification), which overcomes this difficulty in performing automated reasoning in graph theory. We describe graph concepts based on an attribute called Linear Recursive Constructivity (LRC). LRC defines classes by an algebraic formula supported by background knowledge of graph types. We use subsumption checking on decomposed algebraic expressions of graph classes as a major proof method. The search is guided by case-split-based inferencing. Using the approach, GC has generated proofs for many theorems such as: any two distinct cycles (closed paths) having a common edge e contain a cycle not traversing e; if cycle C1 contains edges e1, e2, and cycle C2 contains edges e2, e3, then there exists a cycle that contains e1 and e3; and the union of a tree and a path is a tree if they have only a single common vertex. The main contributions of this thesis are: (1) Development of a classification-based knowledge representation and a reasoning approach for graph concepts, thus providing a simple model for structured mathematical objects. (2) Development of an algebraic theory for simplifying and decomposing graph concepts. (3) Development of a proof search and a case-splitting technique with the guidance of graph type knowledge. (4) Development of a proving mechanism that can generate constructive proofs by manipulating only simple linear formalization of theorems