Slide 1

Slide 1 text

Enhancing Symbolic Execution with Veritesting (ICSE 2014)
Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley
Presented by Liang Gong @ Berkeley
Slides made and presented by Liang Gong in Correctness Group Meeting @ UC Berkeley

Slide 2

Slide 2 text

Works on binaries.
11,687 distinct bugs in 4,379 programs; 224 of the bugs lead to security issues.

Slide 3

Slide 3 text

http://forallsecure.com/

Slide 4

Slide 4 text

Main Contribution of This Paper

Dynamic Symbolic Execution (DART, KLEE, etc.)
• Separate state for each path
• Exponential number of paths
• Small path formula: easy for the SMT solver

Static Symbolic Execution (SMART, Multiex, etc.)
• Calculate a summary formula
• Explore once
• Huge summary formula: a nightmare for the SMT solver

Slide 5

Slide 5 text

Dynamic Symbolic Execution
• Reason about one path at a time
  + SMT query is fast
  - Path explosion
  + Concrete values can stand in for operations outside the solver's theory

Slide 6

Slide 6 text

Static Symbolic Execution

    if (x > 1) {
        y = 1;
    } else if (x < 42) {
        y = 17;
    }

• Reason about all paths at once: a single formula
  - SMT query is slow
  + No path explosion
  - No concrete values: operations outside the solver's theory cannot be handled
  - Loops and recursion are a limitation
  - Not scalable

Slide 7

Slide 7 text

Static Symbolic Execution
Similar to SMART & Multiex

    if (x > 1) {
        y = 1;
    } else if (x < 42) {
        y = 17;
    }

Slide 8

Slide 8 text

Static Symbolic Execution
Similar to SMART & Multiex

    if (x > 1) {
        y = 1;
    } else if (x < 42) {
        y = 17;
    }

    if (x2 > 1) {
        y = 1;
    } else if (x2 < 42) {
        y = 17;
    }

Slide 9

Slide 9 text

What kind of program is explored faster by SSE?

    function f(v) {
        if (v) {
            // branch 1
        } else {
            // branch 2
        }
    }
    var v1 = readInput();
    var v2 = readInput();
    var v3 = readInput();
    f(v1);
    f(v2);
    f(v3);

Symbolic execution: one path per combination of branch outcomes, 2^3 = 8 paths for the three calls.
Multiex: f is summarized once and the summary is reused at every call.

Slide 10

Slide 10 text

Main Contribution of This Paper: combine the two

Dynamic Symbolic Execution
• Able to use concrete execution to handle:
  • values outside the theory (e.g. real numbers)
  • external function calls (system calls)
• Fast SMT queries: solve one path at a time

Static Symbolic Execution
• No path explosion: paths merge in the control flow graph (or at function calls)

Slide 11

Slide 11 text

Paper

Slide 12

Slide 12 text

Paper

Slide 13

Slide 13 text

Overview (pipeline)
Dynamic Symbolic Execution → Binary code → Recovered CFG → Transition Point Identification & Unrolling → CFG summary → Dynamic Symbolic Execution

Slide 14

Slide 14 text

An Example (if I understand correctly)
Dynamic Symbolic Execution

    function fun() {
        var a = readInput();
        var b = 1;
        if (a + b === a + b) {
            // do something
        } else {
            // unreachable code
        }
        if (a > 1) {
            // node 3
        } else {
            system.whatever();
            if (a > 5) {
                // node 4
            } else {
                // node 5
            }
        }
        return a + b;
    }

Slide 19

Slide 19 text

An Example (if I understand correctly), same program as Slide 14
Dynamic Symbolic Execution: at the first branch (a + b === a + b) only one path is feasible, so continue with DSE.

Slide 20

Slide 20 text

An Example (if I understand correctly) Dynamic Symbolic Execution function fun(){ var a = readInput(); var b = 1; if(a+b===a+b) { // do something } else { // unreachable code } if(a>1) { // node 3 } else { system.whatever(); if(a>5){ // node 4 } else { // node 5 } } return a + b; }

Slide 21

Slide 21 text

An Example (if I understand correctly) Dynamic Symbolic Execution function fun(){ var a = readInput(); var b = 1; if(a+b===a+b) { // do something } else { // unreachable code } if(a>1) { // node 3 } else { system.whatever(); if(a>5){ // node 4 } else { // node 5 } } return a + b; }

Slide 22

Slide 22 text

An Example (if I understand correctly) Dynamic Symbolic Execution function fun(){ var a = readInput(); var b = 1; if(a+b===a+b) { // do something } else { // unreachable code } if(a>1) { // node 3 } else { system.whatever(); if(a>5){ // node 4 } else { // node 5 } } return a + b; }

Slide 23

Slide 23 text

An Example (if I understand correctly), same program as Slide 14
Dynamic Symbolic Execution: at the branch (a > 1) both sides are feasible, so switch to SSE.

Slide 24

Slide 24 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution: scan the binary code, starting from the branch. The region ends at:
• function boundaries
• system calls
• unknown instructions

Slide 26

Slide 26 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution: extract the CFG of the region.

Slide 27

Slide 27 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution: unroll loops and identify the transition points (where DSE will start again).

Slide 30

Slide 30 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution, transition points: at each transition point, run (DSE resumes from there) and generate a test case.

Slide 31

Slide 31 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution, transition points: the CFG summary S is similar to a function summary in SMART/Multiex.

Slide 33

Slide 33 text

An Example (if I understand correctly), same program as Slide 14
Back to Dynamic Symbolic Execution, resumed at the transition points.

Slide 34

Slide 34 text

An Example (if I understand correctly), same program as Slide 14
Static Symbolic Execution: the inner branch (a > 5) is handled by SSE.
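
The strategies contrasted on Slides 4 to 10, and the switching rule the walk-through applies on Slides 19 and 23 (one feasible side: stay in DSE; both feasible: summarize with SSE), as an added illustration written for these notes rather than code from the paper or from MergePoint. It is a toy executor over a tuple-encoded program: the "SMT solver" is a brute-force search over inputs in 0..7 (an assumption), there are no calls or loops, and transition points (system calls, function boundaries, where the real algorithm hands control back to DSE) are not modelled. `SLIDE9` and `SLIDE14` are the two slide programs encoded for the toy, with `system.whatever()` dropped.

```python
"""Toy symbolic executor: DSE forks one path per feasible branch side, SSE merges
both sides into one formula, and a simplified veritesting switch applies the slides'
rule.  Added illustration; not code from the paper or from MergePoint."""
import itertools

DOMAIN = range(8)  # assumption: every symbolic input is an integer in 0..7
T, F = ("const", True), ("const", False)

def ev(e, env):
    """Evaluate a formula (nested tuples) under a concrete assignment to the inputs."""
    op, a = e[0], e[1:]
    if op == "var":   return env[a[0]]
    if op == "const": return a[0]
    if op == "add":   return ev(a[0], env) + ev(a[1], env)
    if op == "eq":    return ev(a[0], env) == ev(a[1], env)
    if op == "gt":    return ev(a[0], env) > ev(a[1], env)
    if op == "not":   return not ev(a[0], env)
    if op == "and":   return all(ev(x, env) for x in a)
    if op == "or":    return any(ev(x, env) for x in a)
    if op == "ite":   return ev(a[1], env) if ev(a[0], env) else ev(a[2], env)
    raise ValueError(op)

def subst(e, store):
    """Replace program variables by their symbolic values; unknown names are inputs."""
    if e[0] == "var":
        return store.get(e[1], e)
    return (e[0],) + tuple(subst(x, store) if isinstance(x, tuple) else x for x in e[1:])

class Solver:
    """Brute-force stand-in for an SMT solver that counts its queries."""
    def __init__(self, inputs):
        self.inputs, self.queries = inputs, 0
    def sat(self, f):
        self.queries += 1
        return any(ev(f, dict(zip(self.inputs, v)))
                   for v in itertools.product(DOMAIN, repeat=len(self.inputs)))

def sse(block, store, guard):
    """Static SE: run both arms of a branch, merge values with ite, no solver queries."""
    reach = {}  # label -> formula under which the label is reached
    for s in block:
        if s[0] == "set":
            store = {**store, s[1]: subst(s[2], store)}
        elif s[0] == "reach":
            reach[s[1]] = ("or", reach.get(s[1], F), guard)
        elif s[0] == "if":
            c = subst(s[1], store)
            st_t, r_t = sse(s[2], store, ("and", guard, c))
            st_f, r_f = sse(s[3], store, ("and", guard, ("not", c)))
            z = ("const", 0)  # a variable first assigned in one arm reads 0 in the other
            store = {v: st_t[v] if st_t.get(v) == st_f.get(v)
                     else ("ite", c, st_t.get(v, z), st_f.get(v, z)) for v in set(st_t) | set(st_f)}
            for l in set(r_t) | set(r_f):
                reach[l] = ("or", reach.get(l, F), r_t.get(l, F), r_f.get(l, F))
    return store, reach

def explore(block, inputs, veritesting):
    """Dynamic SE: one feasibility query per branch side, one fork per feasible side.
    With veritesting=True a branch whose two sides are both feasible is summarized
    by sse() instead of forked (transition points are not modelled here)."""
    solver, paths, reach = Solver(inputs), [], {}
    def run(stmts, store, pc):
        for i, s in enumerate(stmts):
            if s[0] == "set":
                store = {**store, s[1]: subst(s[2], store)}
            elif s[0] == "reach":
                reach[s[1]] = ("or", reach.get(s[1], F), pc)
            elif s[0] == "if":
                c = subst(s[1], store)
                sides = [(("and", pc, c), s[2]), (("and", pc, ("not", c)), s[3])]
                feasible = [(pc2, body) for pc2, body in sides if solver.sat(pc2)]
                if veritesting and len(feasible) == 2:
                    store, r = sse([s], store, pc)
                    for l, f in r.items():
                        reach[l] = ("or", reach.get(l, F), f)
                    continue
                for pc2, body in feasible:
                    run(body + stmts[i + 1:], store, pc2)
                return
        paths.append(pc)
    run(block, {}, T)
    return paths, solver.queries, reach

def compare(block, inputs):
    """Paths explored, solver queries during exploration, and the reachable labels."""
    modes = {"dse": explore(block, inputs, False),
             "veritesting": explore(block, inputs, True),
             "sse": ([T], 0, sse(block, {}, T)[1])}
    out = {}
    for name, (paths, queries, reach) in modes.items():
        check = Solver(inputs)  # one query per label over its (possibly merged) formula
        out[name] = {"paths": len(paths), "exploration_queries": queries,
                     "reachable": sorted(l for l, f in reach.items() if check.sat(f)),
                     "label_queries": check.queries}
    return out

def call_f(v):
    """Slide 9's f(v), inlined because the toy has no calls; labels are per call site."""
    return ("if", ("gt", ("var", v), ("const", 0)),
            [("reach", v + ".branch1")], [("reach", v + ".branch2")])

SLIDE9 = [call_f("v1"), call_f("v2"), call_f("v3")]
SLIDE14 = [  # slide 14's fun(), input "in", system.whatever() dropped
    ("set", "a", ("var", "in")), ("set", "b", ("const", 1)),
    ("if", ("eq", ("add", ("var", "a"), ("var", "b")), ("add", ("var", "a"), ("var", "b"))),
     [("reach", "something")], [("reach", "unreachable")]),
    ("if", ("gt", ("var", "a"), ("const", 1)), [("reach", "node3")],
     [("if", ("gt", ("var", "a"), ("const", 5)), [("reach", "node4")], [("reach", "node5")])])]
```

On the Slide 9 program, `compare(SLIDE9, ["v1", "v2", "v3"])` explores 8 paths with 14 feasibility queries in DSE mode, 1 path with 6 queries in veritesting mode, and 0 exploration queries in SSE mode, which instead pays one query per label over a merged formula; all three modes agree on the six reachable labels. On the Slide 14 program the first branch has only one feasible side and stays in DSE in veritesting mode, the second is summarized, and the three modes agree that node 4 is unreachable.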

Slide 35

Slide 35 text

Loop unrolling
• Remove the back edge
• Unroll one iteration of the loop
How many iterations to unroll?
• Take the count from a concrete execution
• Or specify a minimum number

Slide 36

Slide 36 text

Transition Point
• Points immediately post-dominated by Exit
• System calls
• Unknown instructions
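
The Unroll and Transition Point steps of the pipeline (Slides 13, 35 and 36), as an added illustration written for these notes, not the MergePoint implementation. It follows the slides' statements literally: back edges are cut and the loop is copied k times, with k taken from a concrete trace or a specified minimum; nodes with no successor (returns, system calls that end the region) flow into an added Exit node; a transition point is a node whose immediate post-dominator is Exit, or a system call or unknown instruction. The CFG, the trace and the node kinds are constructed for the example (an if/else that rejoins, then a loop, then a system call); how MergePoint names nodes, and whether it treats loop headers specially, is not stated on the slides.

```python
"""Loop unrolling and transition-point identification on a recovered CFG, as the
slides describe them.  Added illustration for these notes, not MergePoint's code."""

EXIT = "Exit"  # sink added to the region: returns, region-ending calls, cut loops

def back_edges(cfg, entry):
    """Edges whose target is still on the DFS stack, i.e. loop back edges."""
    seen, stack, found = set(), [], []
    def dfs(n):
        seen.add(n); stack.append(n)
        for m in cfg.get(n, []):
            if m in stack:
                found.append((n, m))
            elif m not in seen:
                dfs(m)
        stack.pop()
    dfs(entry)
    return found

def iterations_in_trace(trace, back_edge):
    """How often a concrete run took the back edge: the slides' first answer to
    'how many iterations to unroll'.  trace is the sequence of visited nodes."""
    return sum(1 for step in zip(trace, trace[1:]) if step == tuple(back_edge))

def unroll(cfg, entry, k):
    """Cut each back edge tail->head and append k copies of its natural loop
    (copy i of node n is 'n#i'); the back edge of the last copy leads to Exit,
    so what happens after k iterations is left to DSE."""
    g = {n: list(s) for n, s in cfg.items()}
    for tail, head in back_edges(cfg, entry):
        loop, work = {head, tail}, ([tail] if tail != head else [])
        while work:  # natural loop: nodes that reach tail without passing head
            n = work.pop()
            for p, s in cfg.items():
                if n in s and p not in loop:
                    loop.add(p); work.append(p)
        g[tail].remove(head)
        prev = tail
        for i in range(1, k + 1):
            cp = lambda n, i=i: f"{n}#{i}" if n in loop else n
            for n in loop:
                g[cp(n)] = [cp(m) for m in cfg[n] if (n, m) != (tail, head)]
            g[prev].append(cp(head))
            prev = cp(tail)
        g[prev].append(EXIT)
    return g

def post_dominators(g):
    """pdom[n] = nodes on every path from n to Exit (iterative dataflow on the
    reverse graph); nodes without successors flow into Exit."""
    nodes = set(g) | {m for s in g.values() for m in s} | {EXIT}
    succ = {n: g.get(n) or [EXIT] for n in nodes if n != EXIT}
    pdom = {n: set(nodes) for n in nodes}
    pdom[EXIT] = {EXIT}
    changed = True
    while changed:
        changed = False
        for n, ss in succ.items():
            new = {n} | set.intersection(*(pdom[m] for m in ss))
            if new != pdom[n]:
                pdom[n], changed = new, True
    return pdom

def ipdom(pdom, n):
    """Immediate post-dominator: the strict post-dominator nearest to n."""
    strict = pdom[n] - {n}
    return next(d for d in strict if pdom[d] == strict)

def transition_points(cfg, kinds, entry, k):
    """Slide 36's rule on the unrolled CFG: immediate post-dominator is Exit, or the
    node is a system call / unknown instruction (copies inherit their kind)."""
    g = unroll(cfg, entry, k)
    pdom = post_dominators(g)
    ip = {n: ipdom(pdom, n) for n in pdom if n != EXIT}
    tps = sorted(n for n in ip
                 if ip[n] == EXIT or kinds.get(n.split("#")[0]) in ("syscall", "unknown"))
    return {"cfg": g, "ipdom": ip, "transition_points": tps}

# Constructed region (not from the paper): an if/else that rejoins at M, then a
# loop L/LB, then a system call S that ends the region.
CFG = {"B1": ["N3", "N4"], "N3": ["M"], "N4": ["M"], "M": ["L"],
       "L": ["LB", "S"], "LB": ["L"], "S": []}
KINDS = {"S": "syscall"}
TRACE = ["B1", "N3", "M", "L", "LB", "L", "LB", "L", "S"]  # constructed concrete run

def demo(min_unroll=1):
    """Unroll as often as the concrete run looped, but at least min_unroll times."""
    k = max(min_unroll, iterations_in_trace(TRACE, ("LB", "L")))
    return transition_points(CFG, KINDS, "B1", k)
```

`demo()` unrolls twice (the constructed trace took the back edge twice) and reports the transition points L, L#1, L#2, LB#2 and S: the loop header and its copies, because after the cut their two successors never rejoin before Exit; the cut itself after the last copy; and the system call. The if/else at B1 is not a transition point, since both sides meet again at M, and that is exactly the kind of merge the CFG summary captures. Whether MergePoint filters loop headers out of this set is not stated on the slides.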

Slide 37

Slide 37 text

Experimental Result: each program is run for 30 minutes or 1 hour.

Slide 38

Slide 38 text

Experimental Result (figure): time per path, split into SMT query time and re-executing time. The SMT query takes more of the time.

Slide 39

Slide 39 text

Experimental Result: fork rate. The fork rate is how many new paths are forked after exploring one path; a lower fork rate is better.

Slide 40

Slide 40 text

Limitations & Missing Parts
• The number of unique bugs is measured by counting the number of unique stack hashes among crashes.
• The size of the programs under test is not reported.
• Hard to read, with mistakes and a lack of description for some symbols.
• Many technical details are missing (startup, not camera ready).
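
The bug-counting metric questioned on the slide above, as an added example written for these notes (not MergePoint's code; the slides do not say which frames or how many of them it hashed): a stack hash over the top N frames of constructed crash traces, showing that the number of "unique bugs" depends on N.

```python
"""Crash deduplication by stack hash, the 'unique bugs' metric questioned on slide 40.
Added illustration with constructed traces; MergePoint's exact hashing is not on the slides."""
import hashlib

def stack_hash(frames, depth):
    """Hash of the top `depth` frames; a frame is (function, offset)."""
    key = "|".join(f"{fn}+{off:#x}" for fn, off in frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def unique_bugs(crashes, depth):
    """Number of distinct stack hashes among the crashes at the given depth."""
    return len({stack_hash(frames, depth) for frames in crashes})

def dedupe(crashes, depth):
    """Group crash indices by stack hash, as a triage tool would."""
    groups = {}
    for i, frames in enumerate(crashes):
        groups.setdefault(stack_hash(frames, depth), []).append(i)
    return groups

# Constructed crashes (innermost frame first): one strcpy overflow in parse_header
# reached from two different callers, and an unrelated memcpy crash in decode_body.
CRASHES = [
    [("strcpy", 0x1a), ("parse_header", 0x44), ("read_request", 0x90), ("main", 0x120)],
    [("strcpy", 0x1a), ("parse_header", 0x44), ("replay_log", 0x2c), ("main", 0x130)],
    [("memcpy", 0x08), ("decode_body", 0x70), ("read_request", 0xa0), ("main", 0x120)],
]

def counts_by_depth(crashes=CRASHES):
    """The same crashes counted at every depth: the metric moves with the choice."""
    return {d: unique_bugs(crashes, d) for d in range(1, 5)}
```

With these three crashes, `counts_by_depth()` gives 2 unique bugs at depth 1 or 2 and 3 at depth 3 or 4: the single parse_header overflow is counted once or twice depending on how many callers the hash includes, which is why a bug count based on stack hashes needs the hashing depth stated alongside it.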

Slide 41

Slide 41 text

Thank you!