Article

Free access

Rethinking pointer reasoning in symbolic execution

Authors:

Emilio Coppa,

Daniele Cono D’Elia,

Camil DemetrescuAuthors Info & Claims

ASE '17: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering

Pages 613 - 618

Published: 30 October 2017 Publication History

PDF eReader

Abstract

Symbolic execution is a popular program analysis technique that allows seeking for bugs by reasoning over multiple alternative execution states at once. As the number of states to explore may grow exponentially, a symbolic executor may quickly run out of space. For instance, a memory access to a symbolic address may potentially reference the entire address space, leading to a combinatorial explosion of the possible resulting execution states. To cope with this issue, state-of-the-art executors concretize symbolic addresses that span memory intervals larger than some threshold. Unfortunately, this could result in missing interesting execution states, e.g., where a bug arises. In this paper we introduce MEMSIGHT, a new approach to symbolic memory that reduces the need for concretization, hence offering the opportunity for broader state explorations and more precise pointer reasoning. Rather than mapping address instances to data as previous tools do, our technique maps symbolic address expressions to data, maintaining the possible alternative states resulting from the memory referenced by a symbolic address in a compact, implicit form. A preliminary experimental investigation on prominent benchmarks from the DARPA Cyber Grand Challenge shows that MEMSIGHT enables the exploration of states unreachable by previous techniques.

References

[1]

R. Baldoni, E. Coppa, D. C. D’Elia, C. Demetrescu, and I. Finocchi, “A survey of symbolic execution techniques,” CoRR, vol. abs/1610.00502. {Online}. Available: http://arxiv.org/abs/1610.00502

Google Scholar

[2]

B. Elkarablieh, P. Godefroid, and M. Y. Levin, “Precise pointer reasoning for dynamic test generation,” in Proc. of ISSTA 2009. ACM, 2009. {Online}. Available:

Digital Library

Google Scholar

[3]

S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley, “Unleashing Mayhem on binary code,” in Proc. of SP 2012.

Digital Library

Google Scholar

[4]

IEEE Computer Society, 2012. {Online}. Available:

Google Scholar

[5]

T. Avgerinos, A. Rebert, S. K. Cha, and D. Brumley, “Enhancing symbolic execution with veritesting,” in Proc. of ICSE 2014. ACM, 2014. {Online}. Available:

Digital Library

Google Scholar

[6]

Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Krügel, and G. Vigna, “SOK: (state of) the art of war: Offensive techniques in binary analysis,” in Proc. of SP 2016. IEEE Computer Society, 2016. {Online}. Available:

Crossref

Google Scholar

[7]

C. Cadar, D. Dunbar, and D. Engler, “KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs,” in Proc. of OSDI 2008. USENIX Association, 2008. {Online}. Available: http://dl.acm.org/citation.cfm?id=1855741.1855756

Digital Library

Google Scholar

[8]

N. Stephens, J. Grosen, C. Salls, A. Dutcher, R. Wang, J. Corbetta, Y. Shoshitaishvili, C. Kruegel, and G. Vigna, “Driller: Augmenting fuzzing through selective symbolic execution,” in NDSS 2016, 2016.

Crossref

Google Scholar

[9]

C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler, “EXE: Automatically generating inputs of death,” in CCS 2006. ACM, 2006. {Online}. Available:

Digital Library

Google Scholar

[10]

E. Duesterwald, Ed., Analyzing Memory Accesses in x86 Executables, ser. CC 2004. Springer Berlin Heidelberg, 2004. {Online}. Available: 2

Google Scholar

[11]

M. Trt´ık and J. Strejˇcek, Symbolic Memory with Pointers, ser. ATVA 2014. Cham: Springer International Publishing, 2014, pp. 380–395. {Online}. Available: 27

Google Scholar

[12]

R. David, S. Bardin, J. Feist, L. Mounier, M.-L. Potet, T. D. Ta, and J.-Y. Marion, “Specification of concretization and symbolization policies in symbolic execution,” in Proc. of ISSTA 2016. ACM, 2016. {Online}. Available:

Digital Library

Google Scholar

[13]

C. S. Păsăreanu, N. Rungta, and W. Visser, “Symbolic execution with mixed concrete-symbolic solving,” in Proc. of ISSTA 2011. ACM, 2011. {Online}. Available: Introduction Technique Base Version Memory Loading and Storing State Merging Refinements Address Range Selection Memory Cleanup Symbolic Uninitialized Memory Multi-byte Load and Store Discussion Implementation angr MemSight Prototype Evaluation Experimental Setup and Methodology Case Study Experiments Related Work Conclusion References

Digital Library

Google Scholar

Cited By

View all

Grossman SToman JBakst AArora SSagiv MNandi C(2024)Practical Verification of Smart Contracts using Memory SplittingProceedings of the ACM on Programming Languages10.1145/36897968:OOPSLA2(2402-2433)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689796
Borzacchiello LCoppa EDemetrescu C(2021)Fuzzing Symbolic ExpressionsProceedings of the 43rd International Conference on Software Engineering10.1109/ICSE43902.2021.00071(711-722)Online publication date: 22-May-2021
https://dl.acm.org/doi/10.1109/ICSE43902.2021.00071
Trabish DRinetzky NKhurshid SPăsăreanu C(2020)Relocatable addressing model for symbolic executionProceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3395363.3397363(51-62)Online publication date: 18-Jul-2020
https://dl.acm.org/doi/10.1145/3395363.3397363
Show More Cited By

Recommendations

Handling Memory-Intensive Operations in Symbolic Execution
ISEC '22: Proceedings of the 15th Innovations in Software Engineering Conference

Symbolic execution is a popular software testing technique that can help developers identify complex bugs in real-world applications. Unfortunately, symbolic execution may struggle at analyzing programs containing memory-intensive operations, such as ...
Running symbolic execution forever
ISSTA 2020: Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

When symbolic execution is used to analyse real-world applications, it often consumes all available memory in a relatively short amount of time, sometimes making it impossible to analyse an application for an extended period. In this paper, we present a ...
Symbolic execution based on language transformation

We propose a language-independent symbolic execution framework for languages endowed with a formal operational semantics based on term rewriting. Starting from a given definition of a language, a new language definition is generated, with the same ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ASE '17: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering

October 2017

1033 pages

ISBN:9781538626849

General Chair:
Grigore Rosu
University of Illinois at Urbana-Champaign, USA
,
Program Chairs:
Massimiliano Di Penta
University of Sannio, Italy
,
Tien N. Nguyen
University of Texas at Dallas, USA

Publisher

IEEE Press

Publication History

Published: 30 October 2017

Author Tags

Qualifiers

Article

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
403
Total Downloads

Downloads (Last 12 months)82
Downloads (Last 6 weeks)11

Reflects downloads up to 20 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Grossman SToman JBakst AArora SSagiv MNandi C(2024)Practical Verification of Smart Contracts using Memory SplittingProceedings of the ACM on Programming Languages10.1145/36897968:OOPSLA2(2402-2433)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689796
Borzacchiello LCoppa EDemetrescu C(2021)Fuzzing Symbolic ExpressionsProceedings of the 43rd International Conference on Software Engineering10.1109/ICSE43902.2021.00071(711-722)Online publication date: 22-May-2021
https://dl.acm.org/doi/10.1109/ICSE43902.2021.00071
Trabish DRinetzky NKhurshid SPăsăreanu C(2020)Relocatable addressing model for symbolic executionProceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3395363.3397363(51-62)Online publication date: 18-Jul-2020
https://dl.acm.org/doi/10.1145/3395363.3397363
Lin JJiang LAi CChao S(2020)A Shape-inference-based Approach to Enhance Constraint Independence OptimizationProceedings of the 2020 4th International Conference on Cryptography, Security and Privacy10.1145/3377644.3377665(141-145)Online publication date: 10-Jan-2020
https://dl.acm.org/doi/10.1145/3377644.3377665
Kapus TCadar CDumas MPfahl DApel SRusso A(2019)A segmented memory model for symbolic executionProceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3338906.3338936(774-784)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.1145/3338906.3338936
D'Elia DCoppa ESalvati ADemetrescu C(2019)Static Analysis of ROP CodeProceedings of the 12th European Workshop on Systems Security10.1145/3301417.3312494(1-6)Online publication date: 25-Mar-2019
https://dl.acm.org/doi/10.1145/3301417.3312494
Baldoni RCoppa ED’elia DDemetrescu CFinocchi I(2018)A Survey of Symbolic Execution TechniquesACM Computing Surveys10.1145/318265751:3(1-39)Online publication date: 23-May-2018
https://dl.acm.org/doi/10.1145/3182657

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

Handling Memory-Intensive Operations in Symbolic Execution

Running symbolic execution forever

Symbolic execution based on language transformation