A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc

Comment: This is the authors' pre-print copy. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fv
Improving the Precision of the Static Analyzer Goblint through Loop Unrolling
Goblint is a source code analysis tool for C programs. It is based on abstract interpretation and aims for a sound analysis. For loop representation and analysis, Goblint currently performs a simple CIL transformation on the input C code, which can be refined by choosing one of two different abstract array domains. These domains are quite imprecise, as all elements of an array are represented by either one or three abstract values, depending on the domain used. In other known static analyzers, the analysis of loops is made more precise by treating the first k iterations of the loop separately from the following ones. This transformation is known as loop unrolling. In general, the larger k is, the more precise the analysis and the longer it takes to perform. The goal of this thesis is to design and implement a limited unrolling of the loops of the analyzed program, together with an abstract domain for arrays that can express precise information about the values at the first k indices of the array. Together, these modifications improve the precision of the analysis results that Goblint produces at loops. The proposed approach is powerful enough to transform all types of loops supported in C programs, even complex structures such as nested loops. It also handles complete initialization of arrays and updates after initialization. The overhead of the analysis for real-world programs (about 50%) after integration into Goblint is also reported.