Eshan Singh,David Lin,Clark Barrett,Subhasish Mitra

DOI: https://doi.org/10.1109/tcad.2018.2834401

2018-01-01

Abstract:We present Symbolic Quick Error Detection (Symbolic QED), a structured approach for logic bug detection and localization which can be used both during pre-silicon design verification as well as post-silicon validation and debug. This new methodology leverages prior work on Quick Error Detection (QED) which has been demonstrated to drastically reduce the latency, in terms of the number of clock cycles, of error detection following the activation of a logic (or electrical) bug. QED works through software transformations, including redundant execution and control flow checking, of the applied tests. Symbolic QED combines these error-detecting QED transformations with bounded model checking-based formal analysis to generate minimal-length bug activation traces that detect and localize any logic bugs in the design. We demonstrate the practicality and effectiveness of Symbolic QED using the OpenSPARC T2, a 500-million-transistor open-source multicore System-on-Chip (SoC) design, and using “difficult” logic bug scenarios observed in various state-of-the-art commercial multicore SoCs. Our results show that Symbolic QED: (i) is fully automatic, unlike manual techniques in use today that can be extremely time-consuming and expensive; (ii) requires only a few hours in contrast to manual approaches that might take days (or even months) or formal techniques that often take days or fail completely for large designs; and (iii) generates counter-examples (for activating and detecting logic bugs) that are up to 6 orders of magnitude shorter than those produced by traditional techniques. Significantly, this new approach does not require any additional hardware.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Wang Fang,Mingsheng Ying

DOI: https://doi.org/10.1145/3656419

2024-04-28

Abstract:We define QSE, a symbolic execution framework for quantum programs by integrating symbolic variables into quantum states and the outcomes of quantum measurements. The soundness of QSE is established through a theorem that ensures the correctness of symbolic execution within operational semantics. We further introduce symbolic stabilizer states, which symbolize the phases of stabilizer generators, for the efficient analysis of quantum error correction (QEC) programs. Within the QSE framework, we can use symbolic expressions to characterize the possible discrete Pauli errors in QEC, providing a significant improvement over existing methods that rely on sampling with simulators. We implement QSE with the support of symbolic stabilizer states in a prototype tool named QuantumSE.jl. Our experiments on representative QEC codes, including quantum repetition codes, Kitaev's toric codes, and quantum Tanner codes, demonstrate the efficiency of QuantumSE.jl for debugging QEC programs with over 1000 qubits. In addition, by substituting concrete values in symbolic expressions of measurement results, QuantumSE.jl is also equipped with a sampling feature for stabilizer circuits. Despite a longer initialization time than the state-of-the-art stabilizer simulator, Google's Stim, QuantumSE.jl offers a quicker sampling rate in the experiments.

Quantum Physics,Programming Languages

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Haijun Wang,Ting Liu,Xiaohong Guan,Chao Shen,Qinghua Zheng,Zijiang Yang

DOI: https://doi.org/10.1109/TSE.2016.2584063

IF: 7.4

2017-01-01

IEEE Transactions on Software Engineering

Abstract:Symbolic execution is a powerful technique for systematically exploring the paths of a program and generating the corresponding test inputs. However, its practical usage is often limited by the path explosion problem, that is, the number of explored paths usually grows exponentially with the increase of program size. In this paper, we argue that for the purpose of fault detection it is not necessary to systematically explore the paths, and propose a new symbolic execution approach to mitigate the path explosion problem by predicting and eliminating the redundant paths based on symbolic value. Our approach can achieve the equivalent fault detection capability as traditional symbolic execution without exhaustive path exploration. In addition, we develop a practical implementation called Dependence Guided Symbolic Execution (DGSE) to soundly approximate our approach. Through exploiting program dependence, DGSE can predict and eliminate the redundant paths at a reasonable computational cost. Our empirical study shows that the redundant paths are abundant and widespread in a program. Compared with traditional symbolic execution, DGSE only explores 6.96 to 96.57 percent of the paths and achieves a speedup of 1.02 $\\times$ to 49.56$\\times$ . We have released our tool and the benchmarks used to evaluate DGSE$^\\ast$ .

Jiang Nan,Wang Zichen,Wang Jian

DOI: https://doi.org/10.48550/arXiv.2209.08582

2022-09-18

Abstract:With advances in quantum computing, researchers can now write and run many quantum programs. However, there is still a lack of effective methods for debugging quantum programs. In this paper, quantum symbolic execution (QSE) is proposed to generate test cases, which helps to finding bugs in quantum programs. The main idea of quantum symbolic execution is to find the suitable test cases from all possible ones (i.e. test case space). It is different from the way of classical symbol execution, which gets test cases by calculating instead of searching. QSE utilizes quantum superposition and parallelism to store the test case space with only a few qubits. According to the conditional statements in the debugged program, the test case space is continuously divided into subsets, subsubsets and so on. Elements in the same subset are suitable test cases that can test the corresponding branch in the code to be tested. QSE not only provides a possible way to debug quantum programs, but also avoids the difficult problem of solving constraints in classical symbolic execution.

Quantum Physics

Lingxiao Tang,Chao Ni,Qiao Huang,Lingfeng Bao

DOI: https://doi.org/10.1109/tse.2024.3468296

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:The SZZ algorithm and its variants have been extensively utilized for identifying bug-inducing commits based on bug-fixing commits. However, these algorithms face challenges when there are no deletion lines in the bug-fixing commit. Previous studies have attempted to address this issue by tracing back all lines in the block that encapsulates the added lines. However, this method is too coarse-grained and suffers from low precision. To address this issue, we propose a novel method in this paper called SEM-SZZ, which is based on fine-grained semantic analysis. Initially, we observe that a significant number of bug-inducing commits can be identified by tracing back the unmodified lines near added lines, resulting in improved precision and F1-score. Building on this observation, we conduct a more fine-grained semantic analysis. We begin by performing program slicing to extract the program part near the added lines. Subsequently, we compare the program’s states between the previous version and the current version, focusing on data flow and control flow differences based on the extracted program part. Finally, we extract statements contributing to the bug based on these differences and utilize them to locate bug-inducing commits. We also extend our approach to fit the scenario where the bug-fixing commits contain deleted lines. Experimental results demonstrate that SEM-SZZ outperforms the state-of-the-art methods in identifying bug-inducing commits, regardless of whether the bug-fixing commit contains deleted lines.

Qixue Xiao,Yu Chen,Chengang Wu,Kang Li,Junjie Mao,Shize Guo,Yuanchun Shi

DOI: https://doi.org/10.1109/dsn.2017.48

2017-01-01

Abstract:The study of software bugs has long been a key area in software security. Dynamic symbolic execution, in exploring the program's execution paths, finds bugs by analyzing all potential dangerous operations. Due to its high coverage and abilities to generate effective testcases, dynamic symbolic execution has attracted wide attention in the research community. However, the success of dynamic symbolic execution is limited due to complex program logic and its difficulty to handle large symbolic data. In our experiments we found that phase-related features of a program often prevents dynamic symbolic execution from exploring deep paths. On the basis of this discovery, we proposed a novel symbolic execution technology guided by program phase characteristics. Compared to KLEE, the most well-known symbolic execution approach, our method is capable of covering more code and discovering more bugs. We designed and implemented pbSE system, which was used to test several commonly used tools and libraries in Linux. Our results showed that pbSE on average covers code twice as much as what KLEE does, and we discovered 21 previously unknown vulnerabilities by using pbSE, out of which 7 are assigned CVE IDs.

Yufeng Zhang,Zhenbang Chen,Ji Wang

DOI: https://doi.org/10.48550/arXiv.1205.4951

2012-05-31

Abstract:Symbolic execution is an effective path oriented and constraint based program analysis technique. Recently, there is a significant development in the research and application of symbolic execution. However, symbolic execution still suffers from the scalability problem in practice, especially when applied to large-scale or very complex programs. In this paper, we propose a new fashion of symbolic execution, named Speculative Symbolic Execution (SSE), to speed up symbolic execution by reducing the invocation times of constraint solver. In SSE, when encountering a branch statement, the search procedure may speculatively explore the branch without regard to the feasibility. Constraint solver is invoked only when the speculated branches are accumulated to a specified number. In addition, we present a key optimization technique that enhances SSE greatly. We have implemented SSE and the optimization technique on Symbolic Pathfinder (SPF). Experimental results on six programs show that, our method can reduce the invocation times of constraint solver by 21% to 49% (with an average of 30%), and save the search time from 23.6% to 43.6% (with an average of 30%).

Software Engineering

Kaki Ryan,Matthew Gregoire,Cynthia Sturton

2023-08-01

Abstract:We present SEIF, a methodology that combines static analysis with symbolic execution to verify and explicate information flow paths in a hardware design. SEIF begins with a statically built model of the information flow through a design and uses guided symbolic execution to recognize and eliminate non-flows with high precision or to find corresponding paths through the design state for true flows. We evaluate SEIF on two open-source CPUs, an AES core, and the AKER access control module. SEIF can exhaustively explore 10-12 clock cycles deep in 4-6 seconds on average, and can automatically account for 86-90% of the paths in the statically built model. Additionally, SEIF can be used to find multiple violating paths for security properties, providing a new angle for security verification.

Cryptography and Security

Ting Chen,Xiao-song Zhang,Xu Xiao,Yue Wu,Chun-xiang Xu,Hong-tian Zhao

DOI: https://doi.org/10.1108/03321641311297016

2013-01-01

COMPEL The International Journal for Computation and Mathematics in Electrical and Electronic Engineering

Abstract:PurposeSoftware vulnerabilities have been the greatest threat to the software industry for a long time. Many detection techniques have been developed to address this kind of issue, such as Fuzzing, but mere Fuzz Testing is not good enough, because the Fuzzing only alters the input of program randomly, and does not consider the basic semantics of the target software. The purpose of this paper is to introduce a new vulnerability exploring system, called “SEVE” to explore the target software more deeply and to generate more test cases with more accuracy.Design/methodology/approachSymbolic execution is the core technique of SEVE. The user can just input a standard input, and the SEVE system will record the execution path, alter the critical branches of it, and generate a totally different test case which will make the software under test execute a different path. In this way, some potential bugs or defects, even the exploitable vulnerabilities will be discovered. To alleviate path explosion, the authors propose heuristic method and function abstraction, which in turn improve the performance of SEVE even further.FindingsWe evaluate SEVE system to record critical data about its efficiency and performance. We have tested some real‐world vulnerabilities, from which the underlying file‐input programs suffer. After that, the results show that SEVE is not only re‐creating the discovery of these vulnerabilities, but also at a higher performance level than traditional techniques.Originality/valueThe paper proposes a new vulnerability exploring system, called “SEVE” to explore the target software and generate test cases automatically and also heuristic method and function abstraction to handle path explosion.

Ting Chen,Xiao-song Zhang,Cong Zhu,Xiao-li Ji,Shi-ze Guo,Yue Wu

DOI: https://doi.org/10.1002/smr.1601

2013-01-01

Journal of Software

Abstract:Dynamic symbolic execution, or DSE for short, has become a promising technique in software testing. However, the implementation details of DSE have not been described in depth in existing works. Although some open‐source DSE tools are available nowadays, to design and implement a specific DSE tool from scratch is necessary for some reasons. To this end, we implement a Smart Fuzzing Tool for Windows Native Executables, or SMAFE for short, which utilizes Pin and STP for instrumentation and constraint solving, respectively. Advantages of Pin and STP make SMAFE portable. The major contribution of this paper is our detailed description of the implementation of DSE, including symbolization of inputs, tracking of symbols, synchronization of overlapped symbols, environment modeling, and so on. A practical case study validates the effectiveness of SMAFE. Then, the experiments with two benchmark sets present that the code coverage is above 90% on average. Benefits from this paper are at least twofold: moderating learning curve for scholars and shortening the development circle for practitioners. Copyright © 2013 John Wiley & Sons, Ltd.

Arthur Correnson,Dominic Steinhoefel

DOI: https://doi.org/10.48550/arXiv.2305.05570

2023-10-12

Abstract:Symbolic execution is a program analysis technique executing programs with symbolic instead of concrete inputs. This principle allows for exploring many program paths at once. Despite its wide adoption -- in particular for program testing -- little effort was dedicated to studying the semantic foundations of symbolic execution. Without these foundations, critical questions regarding the correctness of symbolic executors cannot be satisfyingly answered: Can a reported bug be reproduced, or is it a false positive (soundness)? Can we be sure to find all bugs if we let the testing tool run long enough (completeness)? This paper presents a systematic approach for engineering provably sound and complete symbolic execution-based bug finders by relating a programming language's operational semantics with a symbolic semantics. In contrast to prior work on symbolic execution semantics, we address the correctness of critical implementation details of symbolic bug finders, including the search strategy and the role of constraint solvers to prune the search space. We showcase our approach by implementing WiSE, a prototype of a verified bug finder for an imperative language, in the Coq proof assistant and proving it sound and complete. We demonstrate that the design principles of WiSE survive outside the ecosystem of interactive proof assistants by (1) automatically extracting an OCaml implementation and (2) transforming WiSE to PyWiSE, a functionally equivalent Python version.

Programming Languages

Peilin Zheng,Bowei Su,Xiapu Luo,Ting Chen,Neng Zhang,Zibin Zheng

DOI: https://doi.org/10.1145/3650212.3680303

2024-01-01

Abstract:Symbolic execution has proven effective for code analytics in smart contracts. However, for smart contracts, existing symbolic tools use multiple-transaction symbolic execution, which differs from traditional symbolic tools and also exacerbates the path explosion problem. In this paper, we first quantitatively analyze the bottleneck of symbolic execution in multiple transactions (TXs), finding the redundancy of the paths of TXs. Based on this finding, we propose LENT-SSE as a new speculation heuristic for Speculative Symbolic Execution of smart contracts, which leverages the executed and near TXs for skipping and recalling the SMT solving of paths. LENT-SSE uses an executed-transaction-based skipping algorithm to reduce the time required for SMT solving by leveraging the redundancy between executed and executing paths. Moreover, LENT-SSE uses a near-transaction-based recalling algorithm to reduce false skipping of the solving paths. Experimental results on the SmartBugs dataset show that LENT-SSE can reduce the total time by 37.4% and the solving time of paths by 65.2% on average without reducing the reported bugs. On the other dataset of 1000 realistic contracts, the total time and solving time are reduced by 38.1% and 54.7%.

Daniil Kuts

DOI: https://doi.org/10.48550/arXiv.2109.03698

2021-09-08

Cryptography and Security

Abstract:Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection. A hybrid approach has recently become widespread, when the main goal of symbolic execution is helping fuzzer increase program coverage. The more branches symbolic executor can invert, the more useful it is for fuzzer. A program control flow often depends on memory values, which are obtained by computing address indexes from user input. However, most DSE tools don't support such dependencies, so they miss some desired program branches. We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr. Possible memory access regions are determined by either analyzing memory address symbolic expressions, or binary searching with SMT-solver. We propose an enhanced linearization technique to model memory accesses. Different memory modeling methods are compared on the set of programs. Our evaluation shows that symbolic addresses handling allows to discover new symbolic branches and increase the program coverage.

Shen Shiqi,Shweta Shinde,Soundarya Ramesh,Abhik Roychoudhury,Prateek Saxena

DOI: https://doi.org/10.14722/ndss.2019.23530

2019-01-01

Elements

Abstract:Symbolic execution is a powerful technique for program analysis.However, it has many limitations in practical applicability: the path explosion problem encumbers scalability, the need for language-specific implementation, the inability to handle complex dependencies, and the limited expressiveness of theories supported by underlying satisfiability checkers.Often, relationships between variables of interest are not expressible directly as purely symbolic constraints.To this end, we present a new approach-neuro-symbolic execution-which learns an approximation of the relationship between program values of interest, as a neural network.We develop a procedure for checking satisfiability of mixed constraints, involving both symbolic expressions and neural representations.We implement our new approach in a tool called NEUEX as an extension of KLEE, a state-of-the-art dynamic symbolic execution engine.NEUEX finds 33 exploits in a benchmark of 7 programs within 12 hours.This is an improvement in the bug finding efficacy of 94% over vanilla KLEE.We show that this new approach drives execution down difficult paths on which KLEE and other DSE extensions get stuck, eliminating limitations of purely SMT-based techniques.

Tun Li,Qinhan Yu,Hai Wan,Sikun Li

DOI: https://doi.org/10.26599/TST.2018.9010136

2020-01-01

Abstract:Soft errors have become a critical challenge as a result of technology scaling. Existing circuit-hardening techniques are commonly associated with prohibitive overhead of performance, area, and power. However, evaluating the influence of soft errors in Flip-Flops (FFs) on the failure of circuit is a difficult verification problem. Here, we proposed a novel flip-flop soft-error failure rate analysis methodology using a formal method with respect to application behaviors. Approach and optimization techniques to implement the proposed methodology based on the given formula using Sequential Equivalence Checking (SEC) are introduced. The proposed method combines the advantage of formal technique-based approaches in completeness and the advantage of application behaviors in accuracy to differentiate vulnerability of components. As a result, the FFs in a circuit are sorted by their failure rates, and designers can use this information to perform optimal hardening of selected sequential components against soft errors. Experimental results of an implementation of a SpaceWire end node and the largest ISCAS'89 benchmark sequential circuits indicate the feasibility and potential scalability of our approach. A case study on an instruction decoder of a practical 32-bit microprocessor demonstrates the applicability of our method.

Yongwei Yuan,Zhe Zhou,Julia Belyakova,Suresh Jagannathan

2024-11-05

Abstract:We consider the formulation of a symbolic execution (SE) procedure for functional programs that interact with effectful, opaque libraries. Our procedure allows specifications of libraries and abstract data type (ADT) methods that are expressed in Linear Temporal Logic over Finite Traces (LTLf), interpreting them as symbolic finite automata (SFAs) to enable intelligent specification-guided path exploration in this setting. We apply our technique to facilitate the falsification of complex data structure safety properties in terms of effectful operations made by ADT methods on underlying opaque representation type(s). Specifications naturally characterize admissible traces of temporally-ordered events that ADT methods (and the library methods they depend upon) are allowed to perform. We show how to use these specifications to construct feasible symbolic input states for the corresponding methods, as well as how to encode safety properties in terms of this formalism. More importantly, we incorporate the notion of symbolic derivatives, a mechanism that allows the SE procedure to intelligently underapproximate the set of precondition states it needs to explore, based on the automata structures implicit in the provided specifications and the safety property that is to be falsified. Intuitively, derivatives enable symbolic execution to exploit temporal constraints defined by trace-based specifications to quickly prune unproductive paths and discover feasible error states. Experimental results on a wide-range of challenging ADT implementations demonstrate the effectiveness of our approach.

Programming Languages

Huibin Wang,Chunqiang Li,Jianyi Meng,Xiaoyan Xiang

DOI: https://doi.org/10.1587/transinf.2018edp7298

2019-01-01

IEICE Transactions on Information and Systems

Abstract:Symbolic execution is capable of automatically generating tests that achieve high coverage. However, its practical use is limited by the scalability problem. To mitigate it, this paper proposes State Concretization based Symbolic Execution (SCSE). SCSE speeds up symbolic execution via state concretization. Specifically, by introducing a concrete store, our approach avoids invoking the constraint solver to check path feasibility at conditional instructions. Intuitively, there is no need to check the feasibility of a path along a concrete execution since it is always feasible. With state concretization, the number of solver queries greatly decreases, thus improving the efficiency of symbolic execution. Through experimental evaluation on real programs, we show that state concretization helps to speed up symbolic execution significantly.

Lesly-Ann Daniel,Sébastien Bardin,Tamara Rezk

DOI: https://doi.org/10.48550/arXiv.2209.01129

2022-09-02

Abstract:This paper tackles the problem of designing efficient binary-level verification for a subset of information flow properties encompassing constant-time and secret-erasure. These properties are crucial for cryptographic implementations, but are generally not preserved by compilers. Our proposal builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic execution. We implement a prototype, Binsec/Rel, for bug-finding and bounded-verification of constant-time and secret-erasure, and perform extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of our approach. Using Binsec/Rel, we also automate two prior manual studies on preservation of constant-time and secret-erasure by compilers for a total of 4148 and 1156 binaries respectively. Interestingly, our analysis highlights incorrect usages of volatile data pointer for secret erasure and shows that scrubbing mechanisms based on volatile function pointers can introduce additional register spilling which might break secret-erasure. We also discovered that gcc -O0 and backend passes of clang introduce violations of constant-time in implementations that were previously deemed secure by a state-of-the-art constant-time verification tool operating at LLVM level, showing the importance of reasoning at binary-level.

Cryptography and Security

Tuba Yavuz

2024-08-15

Abstract:Dynamic symbolic execution (DSE) provides a precise means to analyze programs and it can be used to generate test cases and to detect a variety of bugs including memory vulnerabilities. However, the path explosion problem may prevent a symbolic executor from covering program locations or paths of interest. In this paper, we present a Multi-Pass Targeted Dynamic Symbolic Execution approach that starts from a target program location and moves backward until it reaches a specified entry point to check for reachability, to detect bugs on the feasible paths between the entry point and the target, and to collect constraints about the memory locations accessed by the code. Our approach uses a mix of backward and forward reasoning passes. It introduces an abstract address space that gets populated during the backward pass and uses unification to precisely map the abstract objects to the objects in the concrete address space. We have implemented our approach in a tool called DESTINA using KLEE, a DSE tool. We have evaluated DESTINA using SvComp benchmarks from the memory safety and control-flow categories. Results show that DESTINA can detect memory vulnerabilities precisely and it can help DSE reach target locations faster when it struggles with the path explosion. Our approach achieves on average 4X reduction in the number of paths explored and 2X speedup.

Software Engineering,Programming Languages