Differential symbolic execution software

Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications or to different implementations of the same application, and observing differences in their execution. Although recentwork onrelational symbolic execution22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. Detecting regression bugs in software evolution, analyzing sidechannels in programs and evaluating robustness in deep neural networks dnns can all be seen as instances of differential software analysis, where the goal is to generate diverging executions of program paths. Modern technology has come a long way in aiding programmers with these aspects of development, and at the heart of this technology lies software analysis. Directed test suite augmentation, in 16th asiapacific software engineering conference.

This technique, differential symbolic execution dse, exploits program version similarities to improve the quality of change information and reduce analysis cost. Symbolic execution is a software testing technique that is useful to aid the generation of test data and in proving the program quality. Dse is not sensitive to formatting and syntactic changes because it is based on a comparison of program semantics. Symbolic execution can also be used to generate input for differential testing. Automatic testing of symbolic execution engines via program generation and differential testing timotej kapus cristian cadar imperial college london united kingdom ft. Each execution state, labeled with an upper case letter, shows the statement to be executed, the symbolic store. Carving and replaying differential unit test cases from system test cases, ieee transactions on software engineering, v. Comput, 1997 we describe the new software package gelda for the numerical solution of linear differentialalgebraic equations with variable coefficients. Automatic testing of symbolic execution engines via program. We give most of our presentation in terms of java because.

Symbolic execution 25 explores the space of possible executions of a program by emulating or directly executing its statements. Differential symbolic execution proceedings of the 16th acm. Differential symbolic execution suzette person, matthew b. Symbolic and concolic execution play important roles in a variety of security and software testing applications, e. Differential program analysis with fuzzing and symbolic. Dec 09, 20 software testingdebugging is extremely time consuming, and hence techniques to automate debugging or program repair are of value.

Hydiff integrates and extends two very successful testing techniques. Aspects of software development besides programming, such as diagnosing bugs, testing, and debugging, comprise over 50% of development costs. A survey of new trends in symbolic execution for software. This folder includes the modified badger project, which enables the differential hybrid analysis, incl. We observe that symbolic execution, a technique proven to be effective in.

An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would. In 42nd international conference on software engineering icse 20, may 2329, 2020, seoul, republic of. Symbolic execution umd department of computer science. Prior regression testing tools focus mainly on test case selection and prioritization whereas symbolic execution. Some insights about symbolic execution i execute programs with symbols. Software security introducing symbolic execution youtube. Aug 30, 2016 importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.

Differential program analysis, fuzzing, symbolic execution acm reference format. Klee is a symbolic virtual machine built on top of the llvm compiler infrastructure, and available under the uiuc open source license. In proceedings of the 2018 33rd acmieee international conference on automated software engineering ase 18, september 3 7, 2018, montpellier, france. Selecta formal system for testing and debugging programs by symbolic execution. Automatic testing of symbolic execution engines via. Role of symbolic execution in software testing, debugging and.

Symbolic execution and program testing virginia tech. Multirun sidechannel analysis using symbolic execution and maxsmt. Automated circular assumeguarantee reasoning with nway decomposition and alphabet refinement. In directed incremental symbolic execution dise, our insight is to combine the ef. Symbolic execution tree of function foobar given in figure 1. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 33, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Symbolic execution as empirical studies tool web application security checker enhancement to abstractionbased static analysis program synthesis tool all of these take advantage of sym exec strengths, and try to avoid drawbacks 7. As a result, the outputs computed by a program are expressed as a function of the symbolic inputs. Verlag 2009 abstract symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and.

Differential symbolic execution dse and currie 11, 33 handle pointer aliasing soundly, but model common parts of programs with uninterpreted functions to reduce the complexity of the. Differential symbolic execution proceedings of the 16th. Successful software systems tend to be long lived and evolve over time as requirements change and faults are detected. Citeseerx citation query differential symbolic execution.

Feedbackdirected greybox fuzzing for efficient program testing and shadow symbolic execution for systematic program exploration. Automatic testing of symbolic execution engines via program generation and differential testing. Sven apel, alessandro garcia, christian kastner, david lo, alessandra russo, paolo tonella, andreas zeller, andrea zisman. Partnered with differential to automatically track strokes and deliver insights so their customers can improve. Dsc is a dynamic symbolic execution engine and test case generator for java bytecode programs. Citeseerx document details isaac councill, lee giles, pradeep teregowda. If the correctness criteria for the given program is described by a set of test cases, we will show that. Dsc uses asm to instrument java classes at loadtime.

An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would, a case of abstract interpretation. Symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. This technique, which we call differential symbolic execution dse, exploits the fact that program versions are largely similar to reduce cost and improve the quality of analysis results. Our second contribution is the w system with a simple yet expressive checker interface, a set of builtin checkers, and a sound, checker and. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study that considers version histories of two java code bases. Partnered with differential to engage their community through the worlds first spiritualfitness app. Exact heap summaries for symbolic execution abstract a recent trend in the analysis of objectoriented programs is the modeling of references as sets of guarded values, enabling multiple heap shapes to be represented in a single state. Dynamic symbolic execution visual studio microsoft docs. During symbolic execution, some variables have concrete values e.

First, symbolic execution is used in a lightweight approach to generate qualified initial seeds. The numerical solution of differentialalgebraic systems. Home browse by title theses differential symbolic execution. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution. Nov 09, 2008 differential symbolic execution suzette person, matthew b.

Verifying systems rules using ruledirected symbolic execution. Directly applying an offtheshelf symbolic execution engine on ssltls libraries is, however, not practical due to the problem. In computer science, symbolic execution also symbolic evaluation or symbex is a means of analyzing a program to determine what inputs cause each part of a program to execute. Differential program analysis with fuzzing and symbolic execution. Suzette person differential symbolic execution adam kiezun effective software testing with a stringconstraint solver defense slides rugang xu symbolic execution algorithms for test generation. I think symbolic execution can be used in many other interesting ways next. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 34, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. This paper presents hydiff, the first hybrid approach for differential software analysis. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier. Directed incremental symbolic execution by suzette person, guowei yang, neha rungta, sarfraz khurshid in pldi, 2011 the last few years have seen a resurgence of interest in the use of symbolic execution a program analysis technique developed more than three decades ago to analyze program execution paths.

Intellitest generates inputs for parameterized unit tests by analyzing the branch conditions in the program. Differential program analysis, symbolic execution, fuzzing acm reference format. Pasareanu, marcel bohme, youcheng sun, hoang lam nguyen, and lars grunske. Hydiff performs a hybrid analysis by running fuzzing and symbolic execution in parallel. Conference proceedings produced as a result of this research xu, zh. Although recentwork onrelational symbolic execution 22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. The execution requires a selection of paths that are exercised by a set of data values. In this talk, i will discuss the use of symbolic execution for software testing, debugging and repair. At the end of a symbolic execution along an execution path of the program, pcis solved using a constraint solver to generate concrete input values.

For more information on what klee is and what it can do, see the osdi 2008 paper. The path conditions computed by dise then characterize the differences between two related program versions. Detecting and characterizing the effects of software changes is a fundamental component of software maintenance. Revalidation of an updated system, before it is released, is a critical component of the software. Dsc uses the instrumentation code to build and maintain a symbolic shadow representation of the dynamic program state call stack, operand stacks, and. Differential program analysis needs a multidimensional approach with more sophisticated cost functions. A fundamental problem with using these guarded value sets is the inability to generate test inputs in a manner.

Corina pasareanu, quocsang phan, pasquale malacaria. A survey of new trends in symbolic execution for software testing and analysis. Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more. The number of times a system is updated and redeployed may be in the hundreds, or even thousands. Two executions are said to be diverging if the observable. Software updates often introduce new bugs to existing code bases. Especially the symbolic execution side needs to be designed to not only solve constraints for unexplored paths, but to also choose promising paths that likely lead to a measurable difference. In computer science, symbolic execution also symbolic evaluation is a means of analyzing a program to determine what inputs cause each part of a program to execute. Incremental symbolic execution of concurrent software. Version differencing information can be used to perform version merging, infer change characteristics, produce program documentation, and guide program revalidation. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in. I concrete execution versus symbolic execution i symbolic execution tree i applications of symbolic execution.

Concurrency debugging with differential schedule projections. If the program is executed on these concrete input values, it will take exactly the same path as the symbolic execution and terminate in the same way. In this paper, we propose the first incremental symbolic execution method for concurrent software to generate new tests by exploring only the executions affected by code changes between two. This concept is based on badger, which provides the technical basis for our implementation. Partnered with differential to drive sales through a custom platform tailored to their sales team and process. Differential testing complements traditional software testing, because it is wellsuited to find.

1442 1105 1298 822 965 42 844 251 1497 840 913 1457 467 258 396 390 646 709 564 577 901 882 1272 383 49 562 899 510 1138 300 1437 1457 512 496