Targeted program transformations for symbolic execution

Cadar, Cristian

doi:10.1145/2786805.2803205

Cited by 30 publications

(24 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main problem is that different symbolic executors may explore different paths in a given time budget, and also that the same code may have different number of paths at different levels (e.g., source, binary and LLVM) [3]. Therefore, instead of performing differential testing between different symbolic execution engines, we crosschecked native and symbolic execution versions of the same program, with the symbolic execution versions carefully constructed in three different modes ( §II-B).…”

Section: Discussion and Lessons Learnedmentioning

confidence: 99%

Automatic testing of symbolic execution engines via program generation and differential testing

Kapus

Cadar

2017

2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

View full text Add to dashboard Cite

Abstract-Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more. Symbolic execution tools, like CREST, KLEE, FuzzBALL, and Symbolic PathFinder, have enabled researchers and practitioners to experiment with new ideas, scale the technique to larger applications and apply it to new application domains. Therefore, the correctness of these tools is of critical importance.In this paper, we present our experience extending compiler testing techniques to find errors in both the concrete and symbolic execution components of symbolic execution engines. The approach used relies on a novel way to create program versions, in three different testing modes-concrete, single-path and multi-path-each exercising different features of symbolic execution engines. When combined with existing program generation techniques and appropriate oracles, this approach enables differential testing within a single symbolic execution engine.We have applied our approach to the KLEE, CREST and FuzzBALL symbolic execution engines, where it has discovered 20 different bugs exposing a variety of important errors having to do with the handling of structures, division, modulo, casting, vector instructions and more, as well as issues related to constraint solving, compiler optimisations and test input replay.

show abstract

Section: Discussion and Lessons Learnedmentioning

confidence: 99%

Automatic testing of symbolic execution engines via program generation and differential testing

Kapus

Cadar

2017

2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Compiler Optimizations. [19] argues that program optimization techniques should be a first-class ingredient of practical implementations of symbolic execution, alongside widely accepted solutions such as search heuristics, state merging, and constraint solving optimizations. In fact, program transformations can affect both the complexity of the constraints generated during path exploration and the exploration itself.…”

Section: Leveraging Program Analysis and Optimization Techniquesmentioning

confidence: 99%

A Survey of Symbolic Execution Techniques

et al. 2018

View full text Add to dashboard Cite

Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience.If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc 0:2 R. Baldoni et al.

show abstract

“…KLEE's developers theorized about the possibility of using such transformations to improve symbolic execution [29], but this paper is the first to our knowledge to design and implement nonsemantics-preserving testability transformations explicitly for this purpose. As our design goals in the symbolic execution setting are similar to those of compiler optimizations in the concrete execution setting, we have decided that it is appropriate to refer to our transformations as testability optimizations (shortened to optimizations for ease of discussion).…”

Section: Compiler Optimizations and Testability Transformationsmentioning

confidence: 99%

“…The study observed that, somewhat counter-intuitively, some compiler optimizations can actually slow down symbolic execution. Cadar's more recent new ideas paper [29] hypothesizes about the use of non-semantics-preserving transformations for symbolic execution. The central idea of using unsound program transforms to preprocess programs for more efficient test data generation was initially formalized by Harman et al [24].…”

Section: Related Workmentioning

confidence: 99%