Symbolic execution is a software testing technique that is useful to aid the generation of test data and in proving the program quality. This paper presents hydiff, the first hybrid approach for differential software analysis. Importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Detecting and characterizing the effects of software changes is a fundamental component of software maintenance. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution. In directed incremental symbolic execution dise, our insight is to combine the ef. Citeseerx citation query differential symbolic execution. Feedbackdirected greybox fuzzing for efficient program testing and shadow symbolic execution for systematic program exploration. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 34, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Dec 09, 20 software testingdebugging is extremely time consuming, and hence techniques to automate debugging or program repair are of value. If the program is executed on these concrete input values, it will take exactly the same path as the symbolic execution and terminate in the same way.
Symbolic execution as empirical studies tool web application security checker enhancement to abstractionbased static analysis program synthesis tool all of these take advantage of sym exec strengths, and try to avoid drawbacks 7. Dynamic symbolic execution visual studio microsoft docs. During symbolic execution, some variables have concrete values e. The path conditions computed by dise then characterize the differences between two related program versions. Differential program analysis with fuzzing and symbolic execution. Selecta formal system for testing and debugging programs by symbolic execution. Intellitest generates inputs for parameterized unit tests by analyzing the branch conditions in the program. Directed test suite augmentation, in 16th asiapacific software engineering conference. Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications or to different implementations of the same application, and observing differences in their execution.
Dsc uses the instrumentation code to build and maintain a symbolic shadow representation of the dynamic program state call stack, operand stacks, and. Dsc uses asm to instrument java classes at loadtime. Although recentwork onrelational symbolic execution 22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. Pasareanu, marcel bohme, youcheng sun, hoang lam nguyen, and lars grunske. Corina pasareanu, quocsang phan, pasquale malacaria. Prior regression testing tools focus mainly on test case selection and prioritization whereas symbolic execution. Partnered with differential to automatically track strokes and deliver insights so their customers can improve. Symbolic execution and program testing virginia tech. Verifying systems rules using ruledirected symbolic execution. Home browse by title theses differential symbolic execution. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study that considers version histories of two java code bases.
Detecting regression bugs in software evolution, analyzing sidechannels in programs and evaluating robustness in deep neural networks dnns can all be seen as instances of differential software analysis, where the goal is to generate diverging executions of program paths. As a result, the outputs computed by a program are expressed as a function of the symbolic inputs. I think symbolic execution can be used in many other interesting ways next. Differential program analysis, symbolic execution, fuzzing acm reference format. Especially the symbolic execution side needs to be designed to not only solve constraints for unexplored paths, but to also choose promising paths that likely lead to a measurable difference. This folder includes the modified badger project, which enables the differential hybrid analysis, incl. A fundamental problem with using these guarded value sets is the inability to generate test inputs in a manner. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would, a case of abstract interpretation. Symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more.
I concrete execution versus symbolic execution i symbolic execution tree i applications of symbolic execution. Differential program analysis, fuzzing, symbolic execution acm reference format. Partnered with differential to engage their community through the worlds first spiritualfitness app. In computer science, symbolic execution also symbolic evaluation or symbex is a means of analyzing a program to determine what inputs cause each part of a program to execute.
Dse is not sensitive to formatting and syntactic changes because it is based on a comparison of program semantics. Partnered with differential to drive sales through a custom platform tailored to their sales team and process. Verlag 2009 abstract symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and. The numerical solution of differentialalgebraic systems. In computer science, symbolic execution also symbolic evaluation is a means of analyzing a program to determine what inputs cause each part of a program to execute. The execution requires a selection of paths that are exercised by a set of data values. Our second contribution is the w system with a simple yet expressive checker interface, a set of builtin checkers, and a sound, checker and. Exact heap summaries for symbolic execution abstract a recent trend in the analysis of objectoriented programs is the modeling of references as sets of guarded values, enabling multiple heap shapes to be represented in a single state. Differential symbolic execution dse and currie 11, 33 handle pointer aliasing soundly, but model common parts of programs with uninterpreted functions to reduce the complexity of the. Successful software systems tend to be long lived and evolve over time as requirements change and faults are detected. A survey of new trends in symbolic execution for software testing and analysis. In this paper, we propose the first incremental symbolic execution method for concurrent software to generate new tests by exploring only the executions affected by code changes between two. Revalidation of an updated system, before it is released, is a critical component of the software. First, symbolic execution is used in a lightweight approach to generate qualified initial seeds.
Dsc is a dynamic symbolic execution engine and test case generator for java bytecode programs. Symbolic execution 25 explores the space of possible executions of a program by emulating or directly executing its statements. Role of symbolic execution in software testing, debugging and. Sven apel, alessandro garcia, christian kastner, david lo, alessandra russo, paolo tonella, andreas zeller, andrea zisman. Hydiff performs a hybrid analysis by running fuzzing and symbolic execution in parallel. Symbolic and concolic execution play important roles in a variety of security and software testing applications, e. Carving and replaying differential unit test cases from system test cases, ieee transactions on software engineering, v. Two executions are said to be diverging if the observable. Hydiff integrates and extends two very successful testing techniques. Multirun sidechannel analysis using symbolic execution and maxsmt. Software security introducing symbolic execution youtube. At the end of a symbolic execution along an execution path of the program, pcis solved using a constraint solver to generate concrete input values. Version differencing information can be used to perform version merging, infer change characteristics, produce program documentation, and guide program revalidation. Although recentwork onrelational symbolic execution22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about.
Some insights about symbolic execution i execute programs with symbols. Modern technology has come a long way in aiding programmers with these aspects of development, and at the heart of this technology lies software analysis. Directly applying an offtheshelf symbolic execution engine on ssltls libraries is, however, not practical due to the problem. Automated circular assumeguarantee reasoning with nway decomposition and alphabet refinement. For more information on what klee is and what it can do, see the osdi 2008 paper. Automatic testing of symbolic execution engines via program generation and differential testing timotej kapus cristian cadar imperial college london united kingdom ft. This technique, differential symbolic execution dse, exploits program version similarities to improve the quality of change information and reduce analysis cost. Suzette person differential symbolic execution adam kiezun effective software testing with a stringconstraint solver defense slides rugang xu symbolic execution algorithms for test generation. Aug 30, 2016 importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Symbolic execution umd department of computer science. This technique, which we call differential symbolic execution dse, exploits the fact that program versions are largely similar to reduce cost and improve the quality of analysis results. Differential program analysis needs a multidimensional approach with more sophisticated cost functions. Concurrency debugging with differential schedule projections.
Automatic testing of symbolic execution engines via program. Conference proceedings produced as a result of this research xu, zh. Automatic testing of symbolic execution engines via program generation and differential testing. Comput, 1997 we describe the new software package gelda for the numerical solution of linear differentialalgebraic equations with variable coefficients.
Differential program analysis with fuzzing and symbolic. Symbolic execution can also be used to generate input for differential testing. Differential symbolic execution proceedings of the 16th. Klee is a symbolic virtual machine built on top of the llvm compiler infrastructure, and available under the uiuc open source license. The number of times a system is updated and redeployed may be in the hundreds, or even thousands. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study. If the correctness criteria for the given program is described by a set of test cases, we will show that. Automatic testing of symbolic execution engines via. Symbolic execution tree of function foobar given in figure 1. We give most of our presentation in terms of java because. In proceedings of the 2018 33rd acmieee international conference on automated software engineering ase 18, september 3 7, 2018, montpellier, france. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 33, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions.
Directed incremental symbolic execution by suzette person, guowei yang, neha rungta, sarfraz khurshid in pldi, 2011 the last few years have seen a resurgence of interest in the use of symbolic execution a program analysis technique developed more than three decades ago to analyze program execution paths. Nov 09, 2008 differential symbolic execution suzette person, matthew b. Each execution state, labeled with an upper case letter, shows the statement to be executed, the symbolic store. In 42nd international conference on software engineering icse 20, may 2329, 2020, seoul, republic of. Differential testing complements traditional software testing, because it is wellsuited to find. In this talk, i will discuss the use of symbolic execution for software testing, debugging and repair. We observe that symbolic execution, a technique proven to be effective in. Software updates often introduce new bugs to existing code bases. Incremental symbolic execution of concurrent software. Aspects of software development besides programming, such as diagnosing bugs, testing, and debugging, comprise over 50% of development costs. A survey of new trends in symbolic execution for software. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier. This concept is based on badger, which provides the technical basis for our implementation. Citeseerx document details isaac councill, lee giles, pradeep teregowda.
1522 117 1127 1203 15 781 264 1314 1453 854 923 1078 183 699 8 783 309 278 1653 1275 292 733 88 1655 590 533 654 1022 1214 914 1195 456 1240