
    A Survey of Symbolic Execution Techniques

    Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor that bypasses a program's authentication. One approach would be to test the program using different, possibly random, inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc
    Comment: This is the authors' pre-print copy.

    Improving the Precision of the Static Analyzer Goblint through Loop Unrolling

    Goblint is a source code analysis tool for C programs. It is based on abstract interpretation and aims for a sound analysis. For loop representation and analysis, Goblint currently performs a simple CIL transformation on the input C code, which can be refined by choosing one of two different abstract array domains. These domains are quite imprecise, as all elements of an array are represented by either one or three abstract values, depending on the domain used. In other known static analyzers, the analysis of loops is made more precise by treating the first k iterations of the loop separately from the following ones. This transformation is known as loop unrolling. In general, the larger k is, the more precise the analysis, and the longer it takes to perform. The goal of this thesis is to design and implement a limited unrolling of the loops of the analyzed program, together with an abstract domain for arrays that can express precise information for the values at the first k indices of the array. Together, these modifications improve the precision of the analysis results that Goblint produces at loops. The proposed approach is powerful enough to transform all types of loops supported in C programs, even complex structures like nested loops. It also handles complete initialization of arrays and updates after initialization. The overhead of the analysis for real-world programs (about 50%) after integration into Goblint is also reported.