Yang Liu,Guofeng Zhang,Zhenbang Chen,Ziqi Shuai

DOI: https://doi.org/10.1109/qrs-c55045.2021.00178

2021-01-01

Abstract:Symbolic execution provides an effective method for automatic test case generation. However, symbolic execution is challenged by the problem of constraint solving and environment modeling. This extended abstract reports our recent progress of improving symbolic execution's efficiency by selective symbolization. We selectively collect the path conditions during symbolic execution and utilize fuzzing to solve the complex conditions at the constraint solving level. We have implemented a prototype for $\mathbf{C}$ programs. The preliminary experimental results indicate the promising of our method.

Pan-Pan SUN,Wei DONG

2016-01-01

Abstract:In software engineering, symbolic execution technology is an efficient program defect detection technology. Symbolic execution uses symbolic values as the inputs, which transforms the execution of the program into the corresponding symbolic expressions, and the precise analysis of the program behaviors is realized by systematacially traversing routing space. However, due to the restriction of the path explosion and constraint solving problems, symbolic execution technology has poor scalability. In order to mitigate the problem, this paper implemented a distributed symbolic execution platform which realized tasks parallelly execute and reduced the symbolic execution time overhead through a scheduling algorithm distributes tasks from master to slaves.

Yufeng Zhang,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.48550/arXiv.1205.4951

2012-05-31

Abstract:Symbolic execution is an effective path oriented and constraint based program analysis technique. Recently, there is a significant development in the research and application of symbolic execution. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large-scale or very complex programs. In this paper, we propose a new fashion of symbolic execution, named Speculative Symbolic Execution (SSE), to speed up symbolic execution by reducing the invocation times of constraint solver. In SSE, when encountering a branch statement, the search procedure may speculatively explore the branch without regard to the feasibility. Constraint solver is invoked only when the speculated branches are accumulated to a specified number. In addition, we present a key optimization technique that enhances SSE greatly. We have implemented SSE and the optimization technique on Symbolic Pathfinder (SPF). Experimental results on six programs show that, our method can reduce the invocation times of constraint solver by 21% to 49% (with an average of 30%), and save the search time from 23.6% to 43.6% (with an average of 30%).

Software Engineering

Christopher Scherb,Luc Bryan Heitz,Hermann Grieder

2024-09-20

Abstract:In modern software development, vulnerability detection is crucial due to the inevitability of bugs and vulnerabilities in complex software systems. Effective detection and elimination of these vulnerabilities during the testing phase are essential. Current methods, such as fuzzing, are widely used for this purpose. While fuzzing is efficient in identifying a broad range of bugs and vulnerabilities by using random mutations or generations, it does not guarantee correctness or absence of vulnerabilities. Therefore, non-random methods are preferable for ensuring the safety and security of critical infrastructure and control systems. This paper presents a vulnerability detection approach based on symbolic execution and control flow graph analysis to identify various types of software weaknesses. Our approach employs a divide-and-conquer algorithm to eliminate irrelevant program information, thus accelerating the process and enabling the analysis of larger programs compared to traditional symbolic execution and model checking methods.

Cryptography and Security

Jiahe Xu,Jingwei Xu,Taolue Chen,Xiaoxing Ma

DOI: https://doi.org/10.1109/qrs62785.2024.00031

2024-01-01

Abstract:Symbolic execution is a powerful program analysis technique. External environment construction and internal path explosion are two long-standing problems which may affect the effectiveness and performance of symbolic execution on complex programs. The intrinsic challenge is to achieve a sufficient understanding of the program context to construct a set of execution environments which can guide the selection of symbolic states. In this paper, we propose a novel program-context-guided symbolic execution framework LangSym based on program’s instruction/user manual. Leveraging the capabilities of natural language understanding and code generation in large language models (LLMs), LangSym can automatically extract the knowledge related to the functionality of the program, and generate adequate test cases and the corresponding environments as the prior knowledge for symbolic execution. We instantiate LangSym in KLEE, a widely adopted symbolic execution engine, to build a pipeline that could automatically leverage LLMs to boost the symbolic execution. We evaluate LangSym on almost all GNU Coreutils programs and considerable large-scale programs, showing that LangSym outperforms the existing strategies in KLEE with at least a 10% increase for line coverage.

Haijun Wang,Ting Liu,Xiaohong Guan,Chao Shen,Qinghua Zheng,Zijiang Yang

DOI: https://doi.org/10.1109/TSE.2016.2584063

IF: 7.4

2017-01-01

IEEE Transactions on Software Engineering

Abstract:Symbolic execution is a powerful technique for systematically exploring the paths of a program and generating the corresponding test inputs. However, its practical usage is often limited by the path explosion problem, that is, the number of explored paths usually grows exponentially with the increase of program size. In this paper, we argue that for the purpose of fault detection it is not necessary to systematically explore the paths, and propose a new symbolic execution approach to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value. Our approach can achieve the equivalent fault detection capability as traditional symbolic execution without exhaustive path exploration. In addition, we develop a practical implementation called Dependence Guided Symbolic Execution (DGSE) to soundly approximate our approach. Through exploiting program dependence, DGSE can predict and eliminate the redundant paths at a reasonable computational cost. Our empirical study shows that the redundant paths are abundant and widespread in a program. Compared with traditional symbolic execution, DGSE only explores 6.96 to 96.57 percent of the paths and achieves a speedup of 1.02 $\\times$ to 49.56$\\times$ . We have released our tool and the benchmarks used to evaluate DGSE$^\\ast$ .

You Li,Zhendong Su,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2544173.2509553

2013-01-01

ACM SIGPLAN Notices

Abstract:Symbolic execution is a promising testing and analysis methodology. It systematically explores a program's execution space and can generate test cases with high coverage. One significant practical challenge for symbolic execution is how to effectively explore the enormous number of program paths in real-world programs. Various heuristics have been proposed for guiding symbolic execution, but they are generally inefficient and ad-hoc. In this paper, we introduce a novel, unified strategy to guide symbolic execution to less explored parts of a program. Our key idea is to exploit a specific type of path spectra, namely the length-n subpath program spectra , to systematically approximate full path information for guiding path exploration. In particular, we use frequency distributions of explored length- n subpaths to prioritize "less traveled" parts of the program to improve test coverage and error detection. We have implemented our general strategy in KLEE, a state-of-the-art symbolic execution engine. Evaluation results on the GNU Coreutils programs show that (1) varying the length n captures program-specific information and exhibits different degrees of effectiveness, and (2) our general approach outperforms traditional strategies in both coverage and error detection.

Ting Chen,Xiao-Song Zhang,Shi-Ze Guo,Hong-Yuan Li,Yue Wu

DOI: https://doi.org/10.1016/j.future.2012.02.006

IF: 7.307

2013-01-01

Future Generation Computer Systems

Abstract:Dynamic symbolic execution for automated test generation consists of instrumenting and running a program while collecting path constraint on inputs from predicates encountered in branch instructions, and of deriving new inputs from a previous path constraint by an SMT (Satisfiability Modulo Theories) solver in order to steer next executions toward new program paths. It has been introduced into several applications, such as automated test generation, automated filter generation and malware analysis mainly for its two intrinsic properties: low false positives and high code-coverage. In this paper, we focus on the topics that are closely related to automated test generation. Our contributions are five-fold. First, we summarize the theoretical foundation of dynamic symbolic execution. Second, we highlight the challenges when turning ideas into reality. Besides, we describe the state-of-the-art solutions including advantages and disadvantages for those challenges. In addition, twelve typical tools are analyzed and many properties of those tools are censused. Finally, we outline the prospects of this research field in detail.

Huibin Wang,Chunqiang Li,Jianyi Meng,Xiaoyan Xiang

DOI: https://doi.org/10.1587/transinf.2018edp7298

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Symbolic execution is capable of automatically generating tests that achieve high coverage. However, its practical use is limited by the scalability problem. To mitigate it, this paper proposes State Concretization based Symbolic Execution (SCSE). SCSE speeds up symbolic execution via state concretization. Specifically, by introducing a concrete store, our approach avoids invoking the constraint solver to check path feasibility at conditional instructions. Intuitively, there is no need to check the feasibility of a path along a concrete execution since it is always feasible. With state concretization, the number of solver queries greatly decreases, thus improving the efficiency of symbolic execution. Through experimental evaluation on real programs, we show that state concretization helps to speed up symbolic execution significantly.

Fan Yao,Yongbo Li,Yurong Chen,Hongfa Xue,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1109/dsn.2017.57

2017-01-01

Abstract:Identifying vulnerabilities in software systems is crucial to minimizing the damages that result from malicious exploits and software failures. This often requires proper identification of vulnerable execution paths that contain program vulnerabilities or bugs. However, with rapid rise in software complexity, it has become notoriously difficult to identify such vulnerable paths through exhaustively searching the entire program execution space. In this paper, we propose StatSym, a novel, automated Statistics-Guided Symbolic Execution framework that integrates the swiftness of statistical inference and the rigorousness of symbolic execution techniques to achieve precision, agility and scalability in vulnerable program path discovery. Our solution first leverages statistical analysis of program runtime information to construct predicates that are indicative of potential vulnerability in programs. These statistically identified paths, along with the associated predicates, effectively drive a symbolic execution engine to verify the presence of vulnerable paths and reduce their time to solution. We evaluate StatSym on four real-world applications including polymorph, CTree, Grep and thttpd that come from diverse domains. Results show that StatSym is able to assist the symbolic executor, KLEE, in identifying the vulnerable paths for all of the four cases, whereas pure symbolic execution fails in three out of four applications due to memory space overrun.

Alexey Vishnyakov,Andrey Fedotov,Daniil Kuts,Alexander Novikov,Darya Parygina,Eli Kobrin,Vlada Logunova,Pavel Belecky,Shamil Kurmangaleev

DOI: https://doi.org/10.1109/ISPRAS51486.2020.00014

2021-01-26

Abstract:The security development lifecycle (SDL) is becoming an industry standard. Dynamic symbolic execution (DSE) has enormous amount of applications in computer security (fuzzing, vulnerability discovery, reverse-engineering, etc.). We propose several performance and accuracy improvements for dynamic symbolic execution. Skipping non-symbolic instructions allows to build a path predicate 1.2--3.5 times faster. Symbolic engine simplifies formulas during symbolic execution. Path predicate slicing eliminates irrelevant conjuncts from solver queries. We handle each jump table (switch statement) as multiple branches and describe the method for symbolic execution of multi-threaded programs. The proposed solutions were implemented in Sydr tool. Sydr performs inversion of branches in path predicate. Sydr combines DynamoRIO dynamic binary instrumentation tool with Triton symbolic engine. We evaluated Sydr features on 64-bit Linux executables.

Cryptography and Security

Michaël Marcozzi,Wim Vanhoof,Jean-Luc Hainaut

DOI: https://doi.org/10.48550/arXiv.1501.05265

2015-01-22

Abstract:Symbolic execution is a technique which enables automatically generating test inputs (and outputs) exercising a set of execution paths within a program to be tested. If the paths cover a sufficient part of the code under test, the test data offer a representative view of the program's actual behaviour, which notably enables detecting errors and correcting faults. Relational databases are ubiquitous in software, but symbolic execution of pieces of code that manipulate them remains a non-trivial problem, particularly because of the complex structure of such databases and the complex behaviour of SQL statements. In this work, we define a direct symbolic execution for database manipulation code and integrate it with a more traditional symbolic execution of normal program code. The database tables are represented by relational symbols and the SQL statements by relational constraints over these symbols and the symbols representing the normal variables of the program. An algorithm based on these principles is presented for the symbolic execution of Java methods that implement business use cases by reading and writing in a relational database, the latter subject to data integrity constraints. The algorithm is integrated in a test generation tool and experimented over sample code. The target language for the constraints produced by the tool is the SMT-Lib standard and the used solver is Microsoft Z3. The results show that the proposed approach enables generating meaningful test data, including valid database content, in reasonable time. In particular, the Z3 solver is shown to be more scalable than the Alloy solver, used in our previous work, for solving relational constraints.

Software Engineering,Databases

Bo Wu,Mengjun Li,Bin Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/iweca.2014.6845695

2014-01-01

Abstract:Despite more than three decades of independent, academic, and industry-related research on symbolic execution, it is still difficult applying symbolic execution to real-world software testing, especially to binary software. The emergence of more and more cloud computing platforms makes it feasible to scale this technique using the concept of distributed computing. In this paper, we proposed a distributed symbolic execution approach, which is a novel schema for scaling symbolic execution to real-world binary software testing. We design our method in peer-to-peer way,that is to say, the work node can do the task alone or together, so it can make full use of the elasticity of cloud computing. Also a prototype system is implemented, which is built based on the S2E platform using its plug-in structure. The evaluation shows that our method can be used to test real-world binary software more efficiently.

Shiqi Shen,Soundarya Ramesh,Shweta Shinde,Abhik Roychoudhury,Prateek Saxena

2018-01-01

Abstract:Symbolic execution is a powerful technique for program analysis. However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers. Often, relationships between variables of interest are not expressible directly as purely symbolic constraints. To this end, we present a new approach -- neuro-symbolic execution -- which learns an approximation of the relationship as a neural net. It features a constraint solver that can solve mixed constraints, involving both symbolic expressions and neural network representation. To do so, we envision such constraint solving as procedure combining SMT solving and gradient-based optimization. We demonstrate the utility of neuro-symbolic execution in constructing exploits for buffer overflows. We report success on 13/14 programs which have difficult constraints, known to require specialized extensions to symbolic execution. In addition, our technique solves $100$% of the given neuro-symbolic constraints in $73$ programs from standard verification and invariant synthesis benchmarks.

Emilio Coppa,Alessio Izzillo

DOI: https://doi.org/10.1016/j.jss.2024.112001

IF: 3.5

2024-02-17

Journal of Systems and Software

Abstract:Symbolic execution is a well-known software testing technique that evaluates how a program runs when considering a symbolic input, i.e., an input that can initially assume any concrete value admissible for its data type. The dynamic twist of this technique is dubbed concolic execution and has been demonstrated to be a practical technique for testing even complex real-world programs. Unfortunately, developing concolic engines is hard. Indeed, an engine has to correctly instrument the program to build accurate symbolic expressions, which represent the program computation. Furthermore, to reason over such expressions, it has to interact with an SMT solver. Hence, several implementation bugs may emerge within the different layers of an engine. In this article, we consider the problem of testing concolic engines. In particular, we propose several testing strategies whose main intuition is to exploit the concrete state kept by the executor to identify inconsistencies within the symbolic state. We integrated our strategies into three state-of-the-art concolic executors ( SymCC , SymQEMU , and Fuzzolic , respectively) and then performed several experiments to show that our ideas can find bugs in these frameworks. Overall, our approach was able to discover more than 12 bugs across these engines.

computer science, theory & methods, software engineering

Daniil Kuts

DOI: https://doi.org/10.48550/arXiv.2109.03698

2021-09-08

Cryptography and Security

Abstract:Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection. A hybrid approach has recently become widespread, when the main goal of symbolic execution is helping fuzzer increase program coverage. The more branches symbolic executor can invert, the more useful it is for fuzzer. A program control flow often depends on memory values, which are obtained by computing address indexes from user input. However, most DSE tools don't support such dependencies, so they miss some desired program branches. We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr. Possible memory access regions are determined by either analyzing memory address symbolic expressions, or binary searching with SMT-solver. We propose an enhanced linearization technique to model memory accesses. Different memory modeling methods are compared on the set of programs. Our evaluation shows that symbolic addresses handling allows to discover new symbolic branches and increase the program coverage.

Shibo Tang,Xingxin Wang,Yifei Gao,Wei Hu

DOI: https://doi.org/10.1109/ISOCC56007.2022.10031481

2022-01-01

Abstract:Model checking is one of the most commonly used technique in formal verification. However, the exponential scale state space renders exhaustive state enumeration inefficient even for a moderate System on Chip (SoC) design. In this paper, we propose a method that leverages symbolic execution to accelerate state space search and pinpoint security vulnerabilities. We automatically convert the hardware design to functionally equivalent C++ code and utilize the KLEE symbolic execution engine to perform state exploration through heuristic search. To reduce the search space, we symbolically represent essential input signals while making non-critical inputs concrete. Experiment results have demonstrated that our method can precisely identify security vulnerabilities at significantly lower computation cost.

Guofeng Zhang,Zhenbang Chen,Ziqi Shuai,Yufeng Zhang,Ji Wang

DOI: https://doi.org/10.1109/apsec57359.2022.00045

2022-01-01

Abstract:Constraint solving and environment modeling are two challenging problems for symbolic execution. When a program contains non-linear expressions, it is difficult for symbolic execution to explore the program’s whole path space due to the high complexity of the constraint solving for the nonlinear constraints. Besides, when the program uses a third-party library and the source code of the library is not available, the symbolic execution of the program often under-approximates the analysis by concrete execution or over-approximates by introducing new symbolic variables, which may fail to explore the whole path space or introduce false alarms, respectively. This paper proposes FUSE, a framework of synergizing symbolic execution and fuzzing by function-level selective symbolization to tackle these problems. First, FUSE collects the path constraints of each function selectively and introduces symbolic function invocation expressions for the complex or third-party functions. Then, FUSE combines SMT solving and fuzzing to solve the path constraints. We have implemented FUSE on the start-of-theart symbolic execution engine KLEE. The experimental results demonstrate that FUSE effectively and efficiently improves the code coverage. Compared with the state-of-the-art, FUSE achieves 6. 6x speedups for achieving the same code coverage.

Andrea Fioraldi

DOI: https://doi.org/10.48550/arXiv.2006.16601

2020-06-30

Abstract:In this thesis, we introduce the idea of combining symbolic execution with dynamic analysis for reverse engineering. Differently from DSE, we devise an approach where the reverse engineer can use a debugger to drive and inspect a concrete execution engine of the application code and then, when needed, transfer the execution into a symbolic executor in order to automatically identify the input values required to reach a target point in the code. After that, the user can also transfer back the correct input values found with symbolic execution in order to continue the debugging. The synchronization between a debugger and a symbolic executor can enhance manual dynamic analysis and allow a reverser to easily solve small portions of code without leaving the debugger. We implemented a synchronization mechanism on top of the binary analysis framework angr, allowing for transferring the state of the debugged process to the angr environment and back. The backend library is debugger agnostic and can be extended to work with various frontends. We implemented a frontend for the IDA Pro debugger and one for the GNU Debugger, which are both widely popular among reverse engineers.

Cryptography and Security,Programming Languages

Yufeng Zhang,Zhenbang Chen,Ziqi Shuai,Tianqi Zhang,Kenli Li,Ji Wang

DOI: https://doi.org/10.1145/3324884.3416645

2020-01-01

Abstract:Path explosion and constraint solving are two challenges to symbolic execution's scalability. Symbolic execution explores the program's path space with a searching strategy and invokes the underlying constraint solver in a black-box manner to check the feasibility of a path. Inside the constraint solver, another searching procedure is employed to prove or disprove the feasibility. Hence, there exists the problem of double searchings in symbolic execution. In this paper, we propose to unify the double searching procedures to improve the scalability of symbolic execution. We propose Multiplex Symbolic Execution (MuSE) that utilizes the intermediate assignments during the constraint solving procedure to generate new program inputs. MuSE maps the constraint solving procedure to the path exploration in symbolic execution and explores multiple paths in one time of solving. We have implemented MuSE on two symbolic execution tools (based on KLEE and JPF) and three commonly used constraint solving algorithms. The results of the extensive experiments on real-world benchmarks indicate that MuSE has orders of magnitude speedup to achieve the same coverage.