
Exploiting Undefined Behaviors for Efficient Symbolic Execution
Asankhaya Sharma
National University of Singapore

Motivation 10/9/2021 ICSE SRC 2014 2

Rainbow Pony

Software Engineering Works
Hall, Anthony. "Realising the Benefits of Formal Methods." J. UCS 13.5 (2007): 669-678.

Symbolic Execution
• Software engineering tools (KLEE, PEX, Klover etc.) routinely use symbolic execution for
– Test case generation
– Bug finding
– Debugging
– Performance analysis
– Verification
• Improving their performance can have a big impact

Efficient Symbolic Execution
• Bottlenecks for performance
– Path explosion
– Complexity of generated constraints
• Existing approaches
– Constraint subsumption and simplification
– Concolic execution
– State merging, caching and reusing constraints
– Static analysis

Key Idea
• Compilers are really good at optimization based on undefined behaviors
• Design a static analysis (Change Value Analysis) to introduce undefined behaviors in programs
• Use the optimized binaries for symbolic execution

Main Benefits
• Does not require any change in the underlying symbolic execution engine to use the results of the static analysis for dynamic path exploration
• Allows a reduction in the size of compiled binaries and prevents the generation of irrelevant constraints

Overview of Approach
Change Value Analysis of Program → Program with Undefined Behaviors → Compiler Optimizations → Binary for Symbolic Execution

Change Value Analysis
    int foo (int x, int y, int z) {
        int a;
        a = z;
        if (x - y > 0)
            a = x;
        else
            a = y;
        if (z > a)
            printf("z is max");
        return a;
    }
The three sets are built up over three slides:
• Changed: (empty) | Unchanged: (empty) | Undefined: (empty)
• Changed: a | Unchanged: (empty) | Undefined: (empty)
• Changed: a, x, y | Unchanged: z | Undefined: (empty)

Introduce Undefined Behaviors
Replace Unchanged variables with the nondeterministic value *
    int foo (int x, int y, int z) {
        int a;
        a = *;
        if (x - y > 0)
            a = x;
        else
            a = y;
        if (* > a)
            printf("z is max");
        return a;
    }
Changed: a, x, y | Unchanged: z | Undefined: (empty)

After Compiler Optimizations
Before:
    int foo (int x, int y, int z) {
        int a;
        a = *;
        if (x - y > 0)
            a = x;
        else
            a = y;
        if (* > a)
            printf("z is max");
        return a;
    }
After:
    int foo (int x, int y, int z) {
        int a;
        if (x - y > 0)
            a = x;
        else
            a = y;
        return a;
    }
Eliminates 3 lines from the program

Experiments
• Change Value Analysis implemented as a compiler pass in LLVM
• Use an existing tool, Fuzzgrind, for symbolic execution of binaries
• Benchmarks from the Software-artifact Infrastructure Repository (SIR)

Results
[Bar chart: 30% Reduction in Number of Constraints. Y axis: Constraints (Num), 0 to 1200. Series: Constraints, Constraints with CVA. Benchmarks on the X axis: Sed, Flex, Tcas, Schedule2, Replace, Totinfo, PrintTokens2, Space, Grep.]

Results
[Bar chart: 48% Reduction in Time taken for Symbolic Execution. Y axis: Time (Secs), 0 to 200. Series: Time, Time with CVA. Benchmarks on the X axis: Sed, Flex, Tcas, Schedule2, Replace, Totinfo, PrintTokens2, Space, Grep.]

Conclusions
• Systematically introducing undefined behaviors in programs can speed up symbolic execution
• Compilers already optimize code for efficiency and size; we show that they can also optimize code for use in symbolic execution and testing

Thank You !
• Questions ?
• Source Code (GPL 3)
– https://github.com/codelion/pathgrind
– https://github.com/codelion/pa.llvm
• Contact
– asankhaya@nus.edu.sg

Comparison with Slicing
    x = a;
    y = 5;
    if (a > 0)
        b = x + y;
    if (*)
        x = 1;
    else
        y = 0;
    if (y > 0)
        z = x;
Slicing w.r.t. variable z
• Slicing may include dependencies from infeasible paths
• Using Change Value Analysis, "a" is in the Unchanged set
Jaffar, Joxan, et al. "Path-sensitive backward slicing." Static Analysis. Springer Berlin Heidelberg, 2012. 231-247.
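As an added example (not the paper's LLVM pass or any pathgrind code), a toy path-sensitive Change Value Analysis in Python over the two programs from these slides, spelled as Python statements: it enumerates paths, substitutes known values, prunes branches decided by constants, and reports which inputs the target variable's final value can depend on (Changed) and which can be replaced by a nondeterministic value (Unchanged). For foo it finds x and y Changed and z Unchanged; for the slicing example it finds a Unchanged, because on the only feasible path that reaches z = x, x was set to 1. The names FOO, SLICE, nondet and change_value_analysis are mine.

```python
import ast, copy

# Constructed inputs: Python spellings of the slides' C snippets foo() and the slicing
# example. The nondeterministic value "*" is written as `nondet`, a name never assigned.
FOO = """a = z
if x - y > 0: a = x
else: a = y
if z > a: print('z is max')
"""
SLICE = """x = a; y = 5
if a > 0: b = x + y
if nondet: x = 1
else: y = 0
if y > 0: z = x
"""

def _free(node):  # variables mentioned anywhere in an expression
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def _subst(node, env):  # copy of node with every variable replaced by its symbolic value
    class Sub(ast.NodeTransformer):
        def visit_Name(self, n):
            return copy.deepcopy(env[n.id]) if n.id in env else n
    return Sub().visit(copy.deepcopy(node))

def _const(node):  # value of a variable-free expression, None while variables remain
    if _free(node):
        return None
    return eval(compile(ast.fix_missing_locations(ast.Expression(body=node)), "<cva>", "eval"))

def _analyze(stmts, env, target):  # -> (final values target can take, inputs they depend on)
    if not stmts:
        value = env.get(target, ast.Name(id=target, ctx=ast.Load()))
        return {ast.dump(value)}, _free(value)
    s, rest = stmts[0], stmts[1:]
    if isinstance(s, ast.Assign):  # simple `name = expr` assignments only
        return _analyze(rest, {**env, s.targets[0].id: _subst(s.value, env)}, target)
    if isinstance(s, ast.If):
        known = _const(cond := _subst(s.test, env))
        if known is not None:  # decided by constants: the other arm is an infeasible path
            return _analyze((s.body if known else s.orelse) + rest, env, target)
        tv, td = _analyze(s.body + rest, env, target)
        ev, ed = _analyze(s.orelse + rest, env, target)
        # The condition matters only when the two arms can produce different values.
        return tv | ev, td | ed | (_free(cond) if tv != ev else set())
    return _analyze(rest, env, target)  # print(...) and the like cannot affect target

def change_value_analysis(src, target, inputs):  # -> (Changed, Unchanged) inputs
    _, deps = _analyze(ast.parse(src).body, {}, target)
    return sorted(v for v in inputs if v in deps), sorted(v for v in inputs if v not in deps)
```

Conditions that do not fold to a constant are treated as feasible both ways; a real implementation would ask an SMT solver about the accumulated path condition instead.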
- Slides: 20