DOI: 10.1145/3597503.3639078
Research article, open access (ICSE conference proceedings)

Concrete Constraint Guided Symbolic Execution

Published: 12 April 2024

Abstract

Symbolic execution is a popular program analysis technique. It systematically explores all feasible paths of a program, but its scalability is largely limited by the path explosion problem, which causes the number of paths to proliferate at runtime. A key idea in existing methods for mitigating this problem is to guide the selection of states for path exploration, which primarily relies on features that represent program states. In this paper, we propose concrete constraint guided symbolic execution, which aims to cover more concrete branches and ultimately improve the overall code coverage during symbolic execution. Our key insight is based on the fact that symbolic execution strives to cover all symbolic branches while concrete branches are neglected, and that directing symbolic execution toward uncovered concrete branches has great potential to improve the overall code coverage. The experimental results demonstrate that our approach improves the ability of KLEE both to increase code coverage and to find more security violations on 10 open-source C programs.
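As an added illustration (this is not code from the paper, and not KLEE's searcher): a toy symbolic executor in which the single symbolic input x is modelled as a value set over 0..15, so a path constraint is just the set of x values still feasible on that path, and a branch whose condition depends only on concrete variables has exactly one feasible side in each state. The program, the instruction format and the rank function are constructed for this example; the rank function is a simplification of the abstract's idea, preferring states whose next branch is a concrete branch with an uncovered side. Against depth-first state selection it reaches both sides of the concrete branch at pc 4 in fewer scheduling steps while still covering every branch side.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Assumption of this toy: the symbolic input x is a value set, so a state's path
# constraint is the set of x values still feasible on that path.
X_DOMAIN = frozenset(range(16))

Cond = Callable[[Dict[str, int], int], bool]
Covered = Set[Tuple[int, bool]]          # (branch pc, outcome taken)

@dataclass
class State:
    pc: int
    env: Dict[str, int]                  # concrete variables of this path
    xs: FrozenSet[int]                   # feasible values of symbolic x

# Constructed program (not from the paper). Instruction forms:
#   ("assign", var, value) | ("jmp", target) | ("branch", cond, target) | ("halt",)
# Branch 4 tests only the concrete variable `mode`, so in every forked state it
# has exactly one feasible side: a concrete branch in the abstract's sense.
PROGRAM = [
    ("assign", "mode", 0),                                 # 0
    ("branch", lambda env, x: x > 8, 3),                   # 1  symbolic
    ("jmp", 4),                                            # 2
    ("assign", "mode", 1),                                 # 3
    ("branch", lambda env, x: env["mode"] == 1, 6),        # 4  concrete per state
    ("jmp", 7),                                            # 5
    ("assign", "logged", 1),                               # 6
    ("branch", lambda env, x: x % 2 == 1, 9),              # 7  symbolic
    ("jmp", 10),                                           # 8
    ("assign", "odd", 1),                                  # 9
    ("branch", lambda env, x: x > 12, 12),                 # 10 symbolic
    ("halt",),                                             # 11
    ("halt",),                                             # 12
]

def straight_line(program, st: State) -> Tuple[Optional[int], Dict[str, int]]:
    """Follow assigns/jmps from st.pc on a copy of env; stop at a branch (pc, env)
    or at halt (None, env). Used both to execute a block and to peek ahead."""
    pc, env = st.pc, dict(st.env)
    while True:
        ins = program[pc]
        if ins[0] == "assign":
            env[ins[1]] = ins[2]
            pc += 1
        elif ins[0] == "jmp":
            pc = ins[1]
        elif ins[0] == "halt":
            return None, env
        else:
            return pc, env

def split(program, pc: int, env: Dict[str, int], xs: FrozenSet[int]):
    """Partition the value set by the branch condition. One empty side means the
    branch is concrete for this state; two non-empty sides mean a symbolic fork."""
    cond: Cond = program[pc][1]
    taken = frozenset(v for v in xs if cond(env, v))
    return taken, xs - taken

def run_block(program, st: State, covered: Covered) -> List[State]:
    """Execute one block: straight-line code plus the branch that ends it."""
    pc, env = straight_line(program, st)
    if pc is None:
        return []
    taken, not_taken = split(program, pc, env, st.xs)
    succ: List[State] = []
    if taken:
        covered.add((pc, True))
        succ.append(State(program[pc][2], dict(env), taken))
    if not_taken:
        covered.add((pc, False))
        succ.append(State(pc + 1, dict(env), not_taken))
    return succ

def guided_rank(program, st: State, covered: Covered) -> int:
    """0: next branch is concrete and its only side is uncovered; 1: symbolic
    with an uncovered side; 2: nothing new to gain. Lower is scheduled first."""
    pc, env = straight_line(program, st)
    if pc is None:
        return 2
    taken, not_taken = split(program, pc, env, st.xs)
    feasible = []
    if taken:
        feasible.append((pc, True))
    if not_taken:
        feasible.append((pc, False))
    if all(side in covered for side in feasible):
        return 2
    return 0 if len(feasible) == 1 else 1

def explore(program, strategy: str, watch_pc: int = 4) -> dict:
    """Run to exhaustion with 'dfs' (LIFO) or 'guided' selection; report the
    step at which both sides of watch_pc were first covered."""
    worklist = [State(0, {}, X_DOMAIN)]
    covered: Covered = set()
    steps, watch_done_at = 0, None
    while worklist:
        if strategy == "dfs":
            idx = len(worklist) - 1
        else:   # lowest rank wins; min() keeps the earliest state among ties
            idx = min(range(len(worklist)),
                      key=lambda i: guided_rank(program, worklist[i], covered))
        st = worklist.pop(idx)
        steps += 1
        worklist.extend(run_block(program, st, covered))
        if watch_done_at is None and {(watch_pc, True), (watch_pc, False)} <= covered:
            watch_done_at = steps
    return {"steps": steps, "covered": covered, "watch_done_at": watch_done_at}

if __name__ == "__main__":
    for s in ("dfs", "guided"):
        r = explore(PROGRAM, s)
        print(f"{s:7s}: both sides of branch 4 covered after step {r['watch_done_at']}, "
              f"{len(r['covered'])} branch sides in {r['steps']} steps")
```

Depth-first selection finishes the whole subtree under the first fork, including two further symbolic forks, before it returns to the state that takes the other side of branch 4; the guided rank spots that the waiting state's next branch is concrete and uncovered and schedules it immediately. A real engine classifies a branch by whether its condition expression is symbolic rather than by enumerating values, and the paper's heuristic is richer than this rank; the scheduling effect is what the toy isolates.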


Published In

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
May 2024
2942 pages
ISBN:9798400702174
DOI:10.1145/3597503
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

  • Faculty of Engineering of University of Porto

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. symbolic execution
  2. data dependency analysis

Funding Sources

  • National Key R&D Program of Ministry of Science and Technology
  • Projects from the Ministry of Industry and Information Technology of China

Conference

ICSE '24
Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%
