Especially the symbolic execution side needs to be designed to not only solve constraints for unexplored paths, but to also choose promising paths that likely lead to a measurable difference. Nov 09, 2008 differential symbolic execution suzette person, matthew b. Differential symbolic execution proceedings of the 16th acm. Aug 30, 2016 importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. I concrete execution versus symbolic execution i symbolic execution tree i applications of symbolic execution. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier.
Corina pasareanu, quocsang phan, pasquale malacaria. Dsc is a dynamic symbolic execution engine and test case generator for java bytecode programs. Aspects of software development besides programming, such as diagnosing bugs, testing, and debugging, comprise over 50% of development costs. If the correctness criteria for the given program is described by a set of test cases, we will show that. Conference proceedings produced as a result of this research xu, zh. Dec 09, 20 software testingdebugging is extremely time consuming, and hence techniques to automate debugging or program repair are of value. Differential program analysis with fuzzing and symbolic execution. In 42nd international conference on software engineering icse 20, may 2329, 2020, seoul, republic of. Directed test suite augmentation, in 16th asiapacific software engineering conference. Sven apel, alessandro garcia, christian kastner, david lo, alessandra russo, paolo tonella, andreas zeller, andrea zisman. Exact heap summaries for symbolic execution abstract a recent trend in the analysis of objectoriented programs is the modeling of references as sets of guarded values, enabling multiple heap shapes to be represented in a single state.
Hydiff performs a hybrid analysis by running fuzzing and symbolic execution in parallel. Symbolic execution tree of function foobar given in figure 1. Differential symbolic execution suzette person, matthew b. Symbolic execution is a software testing technique that is useful to aid the generation of test data and in proving the program quality.
In computer science, symbolic execution also symbolic evaluation is a means of analyzing a program to determine what inputs cause each part of a program to execute. Automatic testing of symbolic execution engines via. We give most of our presentation in terms of java because. Although recentwork onrelational symbolic execution22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. Dse is not sensitive to formatting and syntactic changes because it is based on a comparison of program semantics. Software security introducing symbolic execution youtube. For more information on what klee is and what it can do, see the osdi 2008 paper. Klee is a symbolic virtual machine built on top of the llvm compiler infrastructure, and available under the uiuc open source license. Differential symbolic execution dse and currie 11, 33 handle pointer aliasing soundly, but model common parts of programs with uninterpreted functions to reduce the complexity of the. This technique, which we call differential symbolic execution dse, exploits the fact that program versions are largely similar to reduce cost and improve the quality of analysis results. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would. We observe that symbolic execution, a technique proven to be effective in. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study that considers version histories of two java code bases. Differential program analysis, symbolic execution, fuzzing acm reference format.
Revalidation of an updated system, before it is released, is a critical component of the software. Suzette person differential symbolic execution adam kiezun effective software testing with a stringconstraint solver defense slides rugang xu symbolic execution algorithms for test generation. A survey of new trends in symbolic execution for software. Hydiff integrates and extends two very successful testing techniques. Symbolic execution can also be used to generate input for differential testing. Role of symbolic execution in software testing, debugging and. In this talk, i will discuss the use of symbolic execution for software testing, debugging and repair. Comput, 1997 we describe the new software package gelda for the numerical solution of linear differentialalgebraic equations with variable coefficients. Dsc uses asm to instrument java classes at loadtime. The numerical solution of differentialalgebraic systems. Differential program analysis, fuzzing, symbolic execution acm reference format. Differential program analysis with fuzzing and symbolic.
Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution. Some insights about symbolic execution i execute programs with symbols. Symbolic execution umd department of computer science. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study. Dsc uses the instrumentation code to build and maintain a symbolic shadow representation of the dynamic program state call stack, operand stacks, and. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 33, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Our second contribution is the w system with a simple yet expressive checker interface, a set of builtin checkers, and a sound, checker and. Each execution state, labeled with an upper case letter, shows the statement to be executed, the symbolic store. First, symbolic execution is used in a lightweight approach to generate qualified initial seeds. Directly applying an offtheshelf symbolic execution engine on ssltls libraries is, however, not practical due to the problem. Partnered with differential to drive sales through a custom platform tailored to their sales team and process. Automatic testing of symbolic execution engines via program. Directed incremental symbolic execution by suzette person, guowei yang, neha rungta, sarfraz khurshid in pldi, 2011 the last few years have seen a resurgence of interest in the use of symbolic execution a program analysis technique developed more than three decades ago to analyze program execution paths. The path conditions computed by dise then characterize the differences between two related program versions.
Version differencing information can be used to perform version merging, infer change characteristics, produce program documentation, and guide program revalidation. Detecting regression bugs in software evolution, analyzing sidechannels in programs and evaluating robustness in deep neural networks dnns can all be seen as instances of differential software analysis, where the goal is to generate diverging executions of program paths. In proceedings of the 2018 33rd acmieee international conference on automated software engineering ase 18, september 3 7, 2018, montpellier, france. Automatic testing of symbolic execution engines via program generation and differential testing timotej kapus cristian cadar imperial college london united kingdom ft. Two executions are said to be diverging if the observable. A survey of new trends in symbolic execution for software testing and analysis. A fundamental problem with using these guarded value sets is the inability to generate test inputs in a manner. Multirun sidechannel analysis using symbolic execution and maxsmt. This paper presents hydiff, the first hybrid approach for differential software analysis.
The number of times a system is updated and redeployed may be in the hundreds, or even thousands. Incremental symbolic execution of concurrent software. Automated circular assumeguarantee reasoning with nway decomposition and alphabet refinement. As a result, the outputs computed by a program are expressed as a function of the symbolic inputs. Symbolic execution as empirical studies tool web application security checker enhancement to abstractionbased static analysis program synthesis tool all of these take advantage of sym exec strengths, and try to avoid drawbacks 7. Citeseerx document details isaac councill, lee giles, pradeep teregowda. Partnered with differential to automatically track strokes and deliver insights so their customers can improve. Differential symbolic execution proceedings of the 16th. Symbolic and concolic execution play important roles in a variety of security and software testing applications, e. Pasareanu, marcel bohme, youcheng sun, hoang lam nguyen, and lars grunske. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would, a case of abstract interpretation. In this paper, we propose the first incremental symbolic execution method for concurrent software to generate new tests by exploring only the executions affected by code changes between two.
Concurrency debugging with differential schedule projections. At the end of a symbolic execution along an execution path of the program, pcis solved using a constraint solver to generate concrete input values. Successful software systems tend to be long lived and evolve over time as requirements change and faults are detected. Feedbackdirected greybox fuzzing for efficient program testing and shadow symbolic execution for systematic program exploration. Symbolic execution 25 explores the space of possible executions of a program by emulating or directly executing its statements. Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more. Citeseerx citation query differential symbolic execution. Automatic testing of symbolic execution engines via program generation and differential testing. This technique, differential symbolic execution dse, exploits program version similarities to improve the quality of change information and reduce analysis cost.
Intellitest generates inputs for parameterized unit tests by analyzing the branch conditions in the program. Software updates often introduce new bugs to existing code bases. Symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Dynamic symbolic execution visual studio microsoft docs. Modern technology has come a long way in aiding programmers with these aspects of development, and at the heart of this technology lies software analysis. I think symbolic execution can be used in many other interesting ways next. Differential testing complements traditional software testing, because it is wellsuited to find. Home browse by title theses differential symbolic execution.
Carving and replaying differential unit test cases from system test cases, ieee transactions on software engineering, v. Importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. In computer science, symbolic execution also symbolic evaluation or symbex is a means of analyzing a program to determine what inputs cause each part of a program to execute. Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications or to different implementations of the same application, and observing differences in their execution. Symbolic execution and program testing virginia tech. Although recentwork onrelational symbolic execution 22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. In directed incremental symbolic execution dise, our insight is to combine the ef. Detecting and characterizing the effects of software changes is a fundamental component of software maintenance. This folder includes the modified badger project, which enables the differential hybrid analysis, incl. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 34, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. During symbolic execution, some variables have concrete values e.
This concept is based on badger, which provides the technical basis for our implementation. If the program is executed on these concrete input values, it will take exactly the same path as the symbolic execution and terminate in the same way. Partnered with differential to engage their community through the worlds first spiritualfitness app. Prior regression testing tools focus mainly on test case selection and prioritization whereas symbolic execution. Verifying systems rules using ruledirected symbolic execution. Verlag 2009 abstract symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and. Selecta formal system for testing and debugging programs by symbolic execution. Differential program analysis needs a multidimensional approach with more sophisticated cost functions.
526 222 1493 222 985 959 393 35 773 335 382 72 798 1156 1172 1367 411 884 765 447 434 568 362 855 1127 1507 438 639 1151 824 1031 604 886 793 106 32 579