Enhancing Symbolic Execution with Veritesting

Liang Gong
April 01, 2017

An awesome paper about symbolic execution. Presented by Liang Gong in Berkeley's group meeting


Transcript

  1. Enhancing Symbolic Execution with Veritesting (ICSE 2014)
     Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley
     Presented by Liang Gong @ Berkeley
     Slides made and presented by Liang Gong in Correctness Group Meeting @ UC Berkeley
  2. Works on binary: 11,687 distinct bugs in 4379 programs; 224 bugs lead to security issues
  3. http://forallsecure.com/
  4. Main Contribution of This Paper
     Dynamic Symbolic Execution (DART, KLEE, etc.): separate state for each path; exponential number of paths; small path formula, easy for the SMT solver
     Static Symbolic Execution (SMART, Multiex, etc.): calculate a summary formula; explore once; huge summary formula, a nightmare for the SMT solver
  5. Dynamic Symbolic Execution
     Reason about one path at a time
     • SMT query is fast
     • Path explosion
     • Concrete value (out of theory)
  6. Static Symbolic Execution
       if (x > 1) { y = 1; } else if (x < 42) { y = 17; }
     Reason about one path at a time
     • Single formula
     • SMT query is slow
     • No path explosion
     • No concrete value (out of theory)
     • Loop & recursion (limitation)
     • Not scalable
  7. Static Symbolic Execution, similar to SMART & Multiex
       if (x > 1) { y = 1; } else if (x < 42) { y = 17; }
       if (x2 > 1) { y = 1; } else if (x2 < 42) { y = 17; }
  8. What kind of program is explored faster by SSE?
       function f(v) {
         if (v) {
           // branch 1
         } else {
           // branch 2
         }
       }
       var v1 = readInput();
       var v2 = readInput();
       var v3 = readInput();
       f(v1); f(v2); f(v3);
     (comparison figure: Symbolic execution vs. Multiex)
  9. Main Contribution of This Paper
     Dynamic Symbolic Execution:
     Able to combine concrete execution to handle:
     • Out of theory (real numbers)
     • External function calls (system call)
     Fast SMT query
     • Solve one path at a time
     Static Symbolic Execution:
     No path explosion
     • Path merges in control flow graph (or function call)
  10. Overview (pipeline figure): Binary code → Recovered CFG → Transition Point Identification & Unrolling → CFG summary; Dynamic Symbolic Execution runs before and after the static summary
  11. An Example (if I understand correctly): Dynamic Symbolic Execution
       function fun() {
         var a = readInput();
         var b = 1;
         if (a + b === a + b) {
           // do something
         } else {
           // unreachable code
         }
         if (a > 1) {
           // node 3
         } else {
           system.whatever();
           if (a > 5) {
             // node 4
           } else {
             // node 5
           }
         }
         return a + b;
       }
  16. An Example (if I understand correctly): Dynamic Symbolic Execution (same code as slide 11)
      Only one path feasible, continue with DSE
  20. An Example (if I understand correctly): Dynamic Symbolic Execution (same code as slide 11)
      Both branches are feasible, use SSE
  21. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Scan the binary code
      Start from the branch
      Ends at:
      • function boundary
      • system calls
      • unknown instructions
  23. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Extract CFG
  24. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Unroll loops
      Identify Transition Points (where to start DSE)
  25. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Transition Points
  26. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Transition Points: run
  27. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Transition Points: run, generate test case
  28. An Example (if I understand correctly): Static Symbolic Execution (same code as slide 11)
      Transition Points: run
      CFG summary S, similar to the function summary in SMART/Multiex
  30. An Example (if I understand correctly) (same code as slide 11)
      Dynamic Symbolic Execution
  31. An Example (if I understand correctly) (same code as slide 11)
      Handled by SSE: Static Symbolic Execution
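The DSE-versus-SSE comparison on slide 8 and the rules of slides 16 to 31 (prune an infeasible branch and continue with DSE, merge a region when both arms are feasible, stop the region at a system call), as an added toy in Python that is not code from the paper or the talk: plain DSE forks at every feasible branch, while the veritesting-style mode joins both arms into a single ite() summary and falls back to forking only when an arm contains a system call, the transition point. The statement encoding, the input domain (0, 1) and the syscall name are assumptions of the toy.

```python
import itertools
# Added toy (not the paper's or the talk's code): a symbolic executor over a tiny
# statement language. Statements: ('assign', var, expr), ('syscall', name),
# ('if', cond, then_stmts, else_stmts). Expressions: ('c', n), ('v', name),
# ('not', e), ('ite', c, t, f), ('+'|'>'|'==', a, b). Unassigned variables are
# symbolic inputs; brute force over a small input domain stands in for the SMT solver.

def ev(e, env):                    # concrete evaluation under one input assignment
    k = e[0]
    if k == 'c': return e[1]
    if k == 'v': return env[e[1]]
    if k == 'not': return not ev(e[1], env)
    if k == 'ite': return ev(e[2], env) if ev(e[1], env) else ev(e[3], env)
    a, b = ev(e[1], env), ev(e[2], env)
    return {'+': a + b, '>': a > b, '==': a == b}[k]
def subst(e, st):                  # replace program variables by their symbolic values
    if e[0] == 'v': return st.get(e[1], e)
    return tuple(subst(x, st) if isinstance(x, tuple) else x for x in e)
def feasible(pc, inputs, domain):  # stand-in for the SMT query "is this path condition SAT?"
    return any(all(ev(c, dict(zip(inputs, vals))) for c in pc)
               for vals in itertools.product(domain, repeat=len(inputs)))
def has_syscall(stmts):            # a system call inside a region is a transition point
    return any(s[0] == 'syscall' or (s[0] == 'if' and has_syscall(s[2] + s[3])) for s in stmts)
def run(stmts, inputs, domain, merge, st=None, pc=()):
    """Return the (store, path_condition) states reached after executing stmts."""
    states = [(dict(st or {}), list(pc))]
    for s in stmts:
        nxt = []
        for st, pc in states:
            if s[0] != 'if':                     # assignment, or a syscall DSE just steps over
                if s[0] == 'assign': st[s[1]] = subst(s[2], st)
                nxt.append((st, pc)); continue
            c = subst(s[1], st)
            live = [(b, k) for b, k in ((s[2], c), (s[3], ('not', c)))
                    if feasible(pc + [k], inputs, domain)]          # prune the infeasible arm
            subs = [run(b, inputs, domain, merge, st, pc + [k]) for b, k in live]
            if merge and len(live) == 2 and not has_syscall(s[2] + s[3]):
                t, f = subs[0][0][0], subs[1][0][0]  # each arm summarised to a single store
                nxt.append(({v: t.get(v) if t.get(v) == f.get(v) else ('ite', c, t.get(v), f.get(v))
                             for v in set(t) | set(f)}, pc))        # veritesting: join with ite
            else:
                for sub in subs: nxt.extend(sub)                    # classic DSE: fork per arm
        states = nxt
    return states
def f_call(v, extra=()):           # slide 8's f(v): if (v) { branch 1 } else { branch 2 }
    return ('if', ('v', v), [('assign', 'y', ('c', 1))], list(extra) + [('assign', 'y', ('c', 2))])
PROG = [f_call('v1'), f_call('v2'), f_call('v3')]                   # f(v1); f(v2); f(v3)
PROG_SYS = [f_call('v1'), f_call('v2', [('syscall', 'write')]), f_call('v3')]  # syscall in branch 2
INPUTS, DOMAIN = ['v1', 'v2', 'v3'], (0, 1)                         # assumed toy input domain
```

With merge=False, PROG ends in 8 states (one per path); with merge=True it ends in a single state whose y is an ite() summary, and PROG_SYS ends in 2 states because the system call inside the second call forces a fork there.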
  32. Loop unrolling: remove the back edge, unroll one iteration of the loop
      How many loops to unroll?
      • Concrete execution
      • Specify a min number
  33. Experimental Result: lower fork rate is better
      Fork rate: after exploring one path, how many new paths are forked
  34. Limitation & Missing Part
      • Number of unique bugs is measured by counting the number of unique stack hashes among crashes.
      • Did not report the size of the programs under test
      • Hard to read, mistakes, lack of description for some symbols
      Many technical details are missing (startup, not camera ready)