Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution)
Jonathan Manos
About the Paper
• Article found on the ACM Digital Library
• Title: Symbolic Execution with Mixed Concrete-Symbolic Solving
• Published in: ISSTA '11, Proceedings of the 2011 International Symposium on Software Testing and Analysis
• Authors:
  – Corina S. Păsăreanu
  – Neha Rungta
  – Willem Visser
What is Symbolic Execution?
• A method of analyzing a program to determine which inputs cause each part of the program to execute: inputs are treated as symbols rather than concrete values, and every branch taken adds a constraint on those symbols
• Used extensively in program testing (automatic test-input generation)

    void test(int y) {
        if (y == 2) S1;
        else        S2;
    }
Symbolic Execution Testing

    void test(int y) {
        if (y == 2) S1;
        else        S2;
    }

• When [y == 2] we reach S1
• When [y != 2] we reach S2
• These constraints on the inputs are known as path conditions: the conjunction of the branch constraints along one path. Solving a path condition yields a concrete input that drives execution down that path
Symbolic Execution in practice
• Many testing tools make use of symbolic execution
• Microsoft uses Pex, SAGE, YOGI, and PREfix
• IBM uses Apollo
• NASA and Fujitsu use Symbolic (Java) PathFinder
• Others:
  – UIUC's CUTE and jCUTE
  – Stanford's KLEE
  – UC Berkeley's CREST
  – BitBlaze
Symbolic Execution Testing

    void test(int x, int y) {
        if (y == hash(x)) S1;
        else              S2;
    }

• There is no code available for hash(x) (a native or library method), so the symbolic executor cannot express y == hash(x) as a constraint the decision procedure understands
  – Without that constraint there are no definitive path conditions for S1 and S2
• Therefore purely symbolic execution gets stuck here: it is incomplete
Directed Automated Random Testing (DART)
• Also known as concolic execution
• Combination of concrete and symbolic execution:
  – Executes the program concretely on some input
  – Collects the path condition of the executed path, concretizing whatever it cannot handle symbolically (hash(x) is replaced by the value it returned on that run)
  – Negates one branch constraint, solves for a new input, and executes again with the newly found solution
• Overcomes the incompleteness of symbolic execution: the program can always be run, whatever the code looks like
DART Testing

    void test(int x, int y) {
        if (x > 0) {
            if (y == hash(x)) S0; else S1;
            if (x > 3 && y > 10) S3; else S4;
        }
    }

(Notation: path conditions are over the symbolic inputs X and Y; hash(x) is concretized to the value it returned on the run; x > 3 && y > 10 short-circuits, so y > 10 is only recorded when x > 3 held.)

Aim: n/a (initial input)
• test(1, 0)
• [X > 0]  →  [X > 0 & Y != 10 & X <= 3]   (hash(1) = 10)
• Reached: S1 and S4

DART Testing (cont.)
Aim: to reach S3
• TEST: negate the last constraint: [X > 0 & Y != 10 & X > 3]  →  test(4, 0)
• [X > 0]  →  [X > 0 & Y != 40 & X > 3 & Y <= 10]   (hash(4) = 40)
• Reached: S1 and S4

DART Testing (cont.)
Aim: to reach S3
• TEST: negate the last constraint: [X > 0 & Y != 40 & X > 3 & Y > 10]  →  test(4, 11)
• [X > 0]  →  [X > 0 & Y != 40 & X > 3 & Y > 10]
• Reached: S1 and S3

DART Testing (cont.)
Aim: to reach S0
• TEST: negate Y != 40, keeping X > 3 so that 40 is still the concretized hash value: [X > 0 & Y = 40 & X > 3]  →  test(4, 40)
• [X > 0]  →  [X > 0 & Y = 40 & X > 3 & Y > 10]
• Reached: S0 and S3

DART Testing (cont.)
Aim: to reach S0 and S4
• TEST: negate X > 3 in the previous path condition: [X > 0 & Y = 40 & X <= 3]  →  test(1, 40)
• [X > 0]  →  [X > 0 & Y != 10 & X <= 3]   (hash(1) = 10, not the 40 the constraint assumed)
• Reached: S1 and S4, not the predicted S0 and S4
• DIVERGENCE! The constraint Y = 40 was built from hash(4); as soon as x changes, the concretized value is stale. The solver cannot see hash, so it has no way to adjust x and y together, and this search for S0 and S4 cannot ever finish
Flaws of Execution Strategies
• Symbolic Execution
  – Sound (every path condition it reports describes a real path) but incomplete
  – Cannot make progress when:
    • there is no access to the code (native or library calls such as hash)
    • the decision procedures cannot handle the constraints (e.g. non-linear arithmetic)
• DART Execution
  – Complete (it can always execute the program and collect a path condition) but unsound: the concretized path condition may not describe the path the new input actually takes
  – Fails when:
    • the result of a concretized function depends on the inputs being changed, so the concrete value becomes stale and execution diverges
Symbolic Execution with Mixed Concrete-Symbolic Solving
• (DART) Concolic = Concrete + Symbolic
  – Concrete execution that produces symbolic path conditions
• SymCrete = Symbolic + Concrete
  – Symbolic execution that falls back to concrete evaluation only where it is needed (the parts of a path condition the decision procedure cannot solve)
SymCrete Execution Methodology
1. Split the path condition into two parts:
   – EASY: the part you can solve symbolically
   – HARD: the part you cannot solve symbolically (e.g. constraints over hash(X))
2. Solve the easy part symbolically, then evaluate the hard part concretely using the values from that solution
3. Replace the hard part with the evaluated result and check whether the whole path condition is SAT
• SAT: satisfiable, i.e. there is an assignment of the inputs that makes the boolean formula true
SymCrete Execution

    void test(int x, int y) {
        if (x > 0) {
            if (y == hash(x)) S0; else S1;
            if (x > 3 && y > 10) S3; else S4;
        }
    }
    // native: the body is hidden from the symbolic executor; shown here only so the reader can follow the values
    native int hash(int x) {
        if (0 <= x && x <= 10) return x * 10;
        else return 0;
    }

[X > 0]
[X > 0 & Y = hash(X)]  →  S0
  1. Easy: X > 0        Hard: Y = hash(X)
  2. Solve easy: X = 1; evaluate hard: Y = hash(1) = 10
  3. [X > 0 & Y = 10] is SAT
[X > 0 & Y != hash(X)]  →  S1
  1. Easy: X > 0        Hard: Y != hash(X)
  2. Solve easy: X = 1; evaluate hard: hash(1) = 10
  3. [X > 0 & Y != 10] is SAT
SymCrete Execution (cont.)
[X > 0 & Y = hash(X) & X > 3 & Y > 10]  →  S0 and S3
  1. Easy: X > 3 & Y > 10        Hard: Y = hash(X)
  2. Solve easy: X = 4 & Y = 11; evaluate hard: Y = hash(4) = 40
  3. [X > 3 & Y = 40 & Y > 10] is SAT (the solver re-solves and picks Y = 40)
[X > 0 & Y = hash(X) & X <= 3]  →  S0 and S4
  1. Easy: X > 0 & X <= 3        Hard: Y = hash(X)
  2. Solve easy: X = 1; evaluate hard: Y = hash(1) = 10
  3. [X > 0 & Y = 10 & X <= 3] is SAT
Why SymCrete > DART
• SymCrete avoids DART's unsoundness
  – After substituting the concrete values, it checks whether the boolean path condition is SAT
  – If it is not SAT, SymCrete does not continue with that path condition
  – DART would continue with the (stale) path condition, generate the input, and diverge
• SymCrete's benefits:
  – Keeps the simplicity of symbolic execution: the path condition always describes the path actually being analyzed
  – Adds the feature DART contributes, concrete execution, but only for the parts that cannot be solved symbolically
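The following Python script is an added example (not code from the paper, these slides, or Symbolic PathFinder) that reproduces the DART walk-through above and the SymCrete methodology side by side on the slides' test()/hash() program. It assumes a brute-force search over a small integer domain (DOMAIN) in place of a real decision procedure, and models hash() as a native function the solver must refuse; the names C, run, solve, symcrete_solve and explore are this example's own. Starting from test(4, 40) and negating X > 3, the DART view solves against the stale constant Y = 40 and lands on test(1, 40), which runs S1 and S4 (the divergence), while the SymCrete view solves the easy part, evaluates hash(1) = 10, and finds test(1, 10), which really reaches S0 and S4. It also goes one step beyond the slides and shows the flip side of the SAT check: a feasible path condition whose easy-part solution makes the substituted formula UNSAT is dropped rather than followed.

```python
"""Toy DART-style concolic testing next to SymCrete-style mixed concrete-symbolic
solving, on the test()/hash() program from the slides.  Added example, not the
paper's or SPF's code.  Assumption: brute-force search over DOMAIN stands in for
the decision procedure; hash() is 'native', i.e. executable but opaque to the solver."""
from itertools import product

DOMAIN = range(-5, 50)  # assumption: finite search space for the toy solver


def hash_(x):
    """The native function from the slides (its body is hidden from the solver)."""
    return x * 10 if 0 <= x <= 10 else 0


class C:
    """Branch constraint over symbolic inputs (X, Y).  Easy constraints carry a predicate
    the solver can check; hard ones mention hash(X) and carry only concretize(x), which
    substitutes hash(x) for a concrete x and yields an easy constraint."""
    def __init__(self, text, pred=None, concretize=None):
        self.text, self.pred, self.concretize = text, pred, concretize
        self.hard = concretize is not None

    def __repr__(self):
        return self.text


def negate(c):
    if c.hard:
        return C("not(" + c.text + ")", concretize=lambda x: negate(c.concretize(x)))
    return C("not(" + c.text + ")", pred=lambda a, b: not c.pred(a, b))


def hash_constraint(equal):
    """Y = hash(X) (equal=True) or Y != hash(X), kept symbolic and hard."""
    def concretize(x):
        h = hash_(x)
        return (C(f"Y = {h}", pred=lambda a, b: b == h) if equal
                else C(f"Y != {h}", pred=lambda a, b: b != h))
    return C("Y = hash(X)" if equal else "Y != hash(X)", concretize=concretize)


def run(x, y, concretize_hash):
    """Execute test(x, y) from the slides and collect the path condition of the path taken.
    concretize_hash=True is the DART view (hash(x) becomes the constant it returned on
    this run); False is the SymCrete view (it stays a hard constraint)."""
    if not x > 0:
        return [], [C("X <= 0", pred=lambda a, b: a <= 0)]
    reached, pc = [], [C("X > 0", pred=lambda a, b: a > 0)]
    h = hash_(x)
    took_s0 = y == h
    reached.append("S0" if took_s0 else "S1")
    if concretize_hash:
        pc.append(C(f"Y = {h}", pred=lambda a, b: b == h) if took_s0
                  else C(f"Y != {h}", pred=lambda a, b: b != h))
    else:
        pc.append(hash_constraint(took_s0))
    if x > 3:  # && short-circuits: y > 10 is only tested (and recorded) when x > 3
        pc.append(C("X > 3", pred=lambda a, b: a > 3))
        if y > 10:
            reached.append("S3"); pc.append(C("Y > 10", pred=lambda a, b: b > 10))
        else:
            reached.append("S4"); pc.append(C("Y <= 10", pred=lambda a, b: b <= 10))
    else:
        reached.append("S4"); pc.append(C("X <= 3", pred=lambda a, b: a <= 3))
    return reached, pc


def solve(constraints):
    """Stand-in decision procedure: refuses hard constraints (a real solver cannot
    interpret a native call); returns the first satisfying (x, y) or None."""
    hard = [c for c in constraints if c.hard]
    if hard:
        raise ValueError(f"solver cannot reason about {hard}")
    for x, y in product(DOMAIN, repeat=2):
        if all(c.pred(x, y) for c in constraints):
            return (x, y)
    return None


def symcrete_solve(pc):
    """Mixed concrete-symbolic solving as the slides describe it: (1) split pc into easy
    and hard parts, (2) solve the easy part, (3) evaluate hash() on that solution,
    substitute the value into the hard part and check the whole pc is SAT.  None means
    'not SAT': the path is dropped rather than followed on a stale value (sound, but it
    can miss a feasible path when the easy solution picks an unlucky x)."""
    easy = [c for c in pc if not c.hard]
    hard = [c for c in pc if c.hard]
    sol = solve(easy)
    if sol is None:
        return None
    return solve(easy + [c.concretize(sol[0]) for c in hard])


def explore(x, y, flip, concretize_hash):
    """One test-generation step: run (x, y), negate the branch constraint whose text is
    `flip` (keeping the prefix before it), solve for a new input and execute it.
    Returns (new input or None, constraint solved, statements actually reached)."""
    _, pc = run(x, y, concretize_hash)
    i = next(k for k, c in enumerate(pc) if c.text == flip)
    goal = pc[:i] + [negate(pc[i])]
    sol = solve(goal) if concretize_hash else symcrete_solve(goal)
    return (None, goal, None) if sol is None else (sol, goal, run(*sol, concretize_hash)[0])


if __name__ == "__main__":  # slides: from test(4, 40) (S0, S3) flip X > 3 to reach S0 and S4
    print("DART    ", explore(4, 40, "X > 3", True))   # (1, 40) runs S1, S4: divergence
    print("SymCrete", explore(4, 40, "X > 3", False))  # (1, 10) runs S0, S4
```

The design choice worth noticing is where hash() is allowed to be evaluated. In the DART view it is evaluated during the run and its result is frozen into the path condition, so the solver happily reasons about Y = 40 for an x it will then change. In the SymCrete view the solver is never shown hash() at all; it is only evaluated after the easy part has fixed x, and the substituted formula is solved again. Calling symcrete_solve on [X > 0 & Y = hash(X) & Y > 10] returns None even though test(4, 40) satisfies it: the easy part is solved with X = 1, hash(1) = 10 contradicts Y > 10, and the path is abandoned rather than explored on a wrong assumption.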
Implementation of SymCrete: Symbolic PathFinder (SPF)
• Symbolic execution extension for Java PathFinder, called jpf-symbc
• Java PathFinder: open-source model checker for Java, http://babelfish.arc.nasa.gov/trac/jpf
• Slide content from Willem Visser's PowerPoint
Works Cited
1. Păsăreanu, Corina S., Neha Rungta, and Willem Visser. "Symbolic Execution with Mixed Concrete-Symbolic Solving." ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis (2011): 34-44. ACM Digital Library. ACM, 17 July 2011. Web. 1 Mar. 2015.
2. PowerPoint from one of the authors (Willem Visser)