Rethinking pointer reasoning in symbolic execution

Coppa, Emilio; D’Elia, Daniele Cono; Demetrescu, Camil

doi:10.1109/ase.2017.8115671

Cited by 14 publications

(11 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Consider the C code of Figure 1 and assume that our goal is to determine which inputs make the assert at line 8 of function foobar fail. Since each 4-byte input parameter can take as many as 2 32 distinct integer values, the approach of running concretely function foobar on randomly generated inputs will unlikely pick up exactly the assert-failing inputs. By evaluating the code using symbols for its inputs, instead of concrete values, symbolic execution overcomes this limitation and makes it possible to reason on classes of inputs, rather than single input values.…”

Section: A Warm-up Examplementioning

confidence: 99%

“…• Representing memory in a compact form. This approach was taken in [32], which maps symbolic -rather than concrete -address expressions to data, representing the possible alternative states resulting from referencing memory using symbolic addresses in a compact, implicit form. Queries are offloaded to efficient paged interval tree implementations to determine which stored data are possibly referenced by a memory read operation.…”

Section: Fully Symbolic Memorymentioning

confidence: 99%

See 1 more Smart Citation

A Survey of Symbolic Execution Techniques

et al. 2018

Self Cite

View full text Add to dashboard Cite

Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience.If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc 0:2 R. Baldoni et al.

show abstract

Section: A Warm-up Examplementioning

confidence: 99%

Section: Fully Symbolic Memorymentioning

confidence: 99%

A Survey of Symbolic Execution Techniques

et al. 2018

Self Cite

View full text Add to dashboard Cite

show abstract

“…A preliminary version [7] of this work appeared in the Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017), where we introduced the main idea behind MEMSIGHT (Section 3) and presented a preliminary experimental evaluation related to MEMSIGHT when integrated into ANGR (Section 5.2.2). ‡ For our example to be meaningful, we assume that b resides in memory rather than in a CPU register.…”

Section: Memory Models In Symbolic Execution: Key Ideas and New Thoughtsmentioning

confidence: 99%

“…A crucial design goal for our approach is that it should be general enough not only to support bug detection but also to be valuable in application contexts where users are interested in possible consequences of these bugs, for example, understanding how they can be exploited.Our approach, which we call MEMSIGHT, natively accounts for merging [3,4], a mainstream performance enabler in symbolic executors. We integrated MEMSIGHT into the state-of-the-art symbolic executors ANGR [5] and KLEE [6]: an experimental evaluation shows that MEMSIGHT allows for broader state exploration on prominent benchmarks analysed with ANGR, while it provides valuable run-time speedups when symbolically executing real-world programs under KLEE.A preliminary version [7] of this work appeared in the Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017), where we introduced the main idea behind MEMSIGHT (Section 3) and presented a preliminary experimental evaluation related to MEMSIGHT when integrated into ANGR (Section 5.2.2). ‡ For our example to be meaningful, we assume that b resides in memory rather than in a CPU register.…”

mentioning

confidence: 99%

Memory models in symbolic execution: key ideas and new thoughts

Borzacchiello

Coppa

D’Elia

et al. 2019

Software Testing Verif & Rel

Self Cite

View full text Add to dashboard Cite

Symbolic execution is a popular program analysis technique that allows seeking for bugs by reasoning over multiple alternative execution states at once. As the number of states to explore may grow exponentially, a symbolic executor may quickly run out of space. For instance, a memory access to a symbolic address may potentially reference the entire address space, leading to a combinatorial explosion of the possible resulting execution states. To cope with this issue, state-of-the-art executors either concretize symbolic addresses that span memory intervals larger than some threshold or rely on advanced capabilities of modern satisfiability modulo theories solvers. Unfortunately, concretization may result in missing interesting execution states, for example, where a bug arises, while offloading the entire problem to constraint solvers can lead to very large query times. In this article, we first contribute to systematizing knowledge about memory models for symbolic execution, discussing how four mainstream symbolic executors deal with symbolic addresses. We then introduce MEMSIGHT, a new approach to symbolic memory that reduces the need for concretization: rather than mapping address instances to data as previous approaches do, our technique maps symbolic address expressions to data, maintaining the possible alternative states resulting from the memory referenced by a symbolic address in a compact, implicit form. Experiments on prominent programs show that MEMSIGHT, which we implemented in both ANGR and KLEE, enables the exploration of states that are unreachable for memory models that perform concretization and provides a performance level comparable with memory models relying on advanced solver theories. MEMORY MODELS IN SYMBOLIC EXECUTION: KEY IDEAS AND NEW THOUGHTS3 of 35 used in the context of state-of-the-art symbolic executors. A crucial design goal for our approach is that it should be general enough not only to support bug detection but also to be valuable in application contexts where users are interested in possible consequences of these bugs, for example, understanding how they can be exploited.Our approach, which we call MEMSIGHT, natively accounts for merging [3,4], a mainstream performance enabler in symbolic executors. We integrated MEMSIGHT into the state-of-the-art symbolic executors ANGR [5] and KLEE [6]: an experimental evaluation shows that MEMSIGHT allows for broader state exploration on prominent benchmarks analysed with ANGR, while it provides valuable run-time speedups when symbolically executing real-world programs under KLEE.A preliminary version [7] of this work appeared in the Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2017), where we introduced the main idea behind MEMSIGHT (Section 3) and presented a preliminary experimental evaluation related to MEMSIGHT when integrated into ANGR (Section 5.2.2). ‡ For our example to be meaningful, we assume that b resides in memory rather than in a CPU register. § In SMT-LIB [9], the theories of...

show abstract

“…The output is a collection of execution traces enriched with symbolic constraints on the data buffers exchanged throughout communications. Unfortunately, such traces typically encompass at most one command due to scalability issues, and may come in numbers often much greater than the supported commands due to the nature of the symbolic exploration: for instance, multiple paths can be generated for the same command when its handler contains loops or when memory is dereferenced using a symbolic pointer [3,11]. Another problem is that such reports cannot be merged to form longer paths descriptive of communication patterns with the C2 server, as protocol rules may shape subsequent packets differently than in a naive concatenation of recorded communications (consider for instance the use of sequence numbers).…”

Section: Introductionmentioning

confidence: 99%

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Borzacchiello

Coppa

D’Elia

et al. 2019

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim's machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

show abstract

Rethinking pointer reasoning in symbolic execution

Cited by 14 publications

References 11 publications

A Survey of Symbolic Execution Techniques

A Survey of Symbolic Execution Techniques

Memory models in symbolic execution: key ideas and new thoughts

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Contact Info

Product

Resources

About