Exact heap summaries for symbolic execution abstract a recent trend in the analysis of objectoriented programs is the modeling of references as sets of guarded values, enabling multiple heap shapes to be represented in a single state. Automatic testing of symbolic execution engines via program generation and differential testing timotej kapus cristian cadar imperial college london united kingdom ft. Version differencing information can be used to perform version merging, infer change characteristics, produce program documentation, and guide program revalidation. This technique, differential symbolic execution dse, exploits program version similarities to improve the quality of change information and reduce analysis cost. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 33, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Pasareanu, marcel bohme, youcheng sun, hoang lam nguyen, and lars grunske. This paper presents hydiff, the first hybrid approach for differential software analysis.
If the correctness criteria for the given program is described by a set of test cases, we will show that. Partnered with differential to drive sales through a custom platform tailored to their sales team and process. Revalidation of an updated system, before it is released, is a critical component of the software. Differential testing, also known as differential fuzzing, is a popular software testing technique that attempts to detect bugs, by providing the same input to a series of similar applications or to different implementations of the same application, and observing differences in their execution. The path conditions computed by dise then characterize the differences between two related program versions. Software security introducing symbolic execution youtube. Verifying systems rules using ruledirected symbolic execution. I think symbolic execution can be used in many other interesting ways next. At the end of a symbolic execution along an execution path of the program, pcis solved using a constraint solver to generate concrete input values. Differential testing complements traditional software testing, because it is wellsuited to find. Corina pasareanu, quocsang phan, pasquale malacaria. First, symbolic execution is used in a lightweight approach to generate qualified initial seeds.
Two executions are said to be diverging if the observable. We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study. Hydiff performs a hybrid analysis by running fuzzing and symbolic execution in parallel. Symbolic and concolic execution play important roles in a variety of security and software testing applications, e. Differential program analysis, symbolic execution, fuzzing acm reference format. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would, a case of abstract interpretation. Partnered with differential to engage their community through the worlds first spiritualfitness app. Software updates often introduce new bugs to existing code bases.
Modern technology has come a long way in aiding programmers with these aspects of development, and at the heart of this technology lies software analysis. An interpreter follows the program, assuming symbolic values for inputs rather than obtaining actual inputs as normal execution of the program would. In computer science, symbolic execution also symbolic evaluation is a means of analyzing a program to determine what inputs cause each part of a program to execute. To this end we built hydiffs differential symbolic execution dse component by extending shadow symbolic execution sse 34, a differential analysis technique which represents two program versions in one annotated program and uses fourway forking to explore all four decisions resulting from the combined branching behavior of both versions. Dec 09, 20 software testingdebugging is extremely time consuming, and hence techniques to automate debugging or program repair are of value. Directly applying an offtheshelf symbolic execution engine on ssltls libraries is, however, not practical due to the problem. Dsc uses asm to instrument java classes at loadtime. Citeseerx document details isaac councill, lee giles, pradeep teregowda. Importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Concurrency debugging with differential schedule projections. For more information on what klee is and what it can do, see the osdi 2008 paper. Differential symbolic execution dse and currie 11, 33 handle pointer aliasing soundly, but model common parts of programs with uninterpreted functions to reduce the complexity of the. Detecting and characterizing the effects of software changes is a fundamental component of software maintenance. Symbolic execution has attracted significant attention in recent years, with applications in software testing, security, networking and more.
Detecting regression bugs in software evolution, analyzing sidechannels in programs and evaluating robustness in deep neural networks dnns can all be seen as instances of differential software analysis, where the goal is to generate diverging executions of program paths. Although recentwork onrelational symbolic execution22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. Differential program analysis with fuzzing and symbolic execution. Dynamic symbolic execution visual studio microsoft docs. The numerical solution of differentialalgebraic systems.
I concrete execution versus symbolic execution i symbolic execution tree i applications of symbolic execution. Symbolic execution is a software testing technique that is useful to aid the generation of test data and in proving the program quality. Especially the symbolic execution side needs to be designed to not only solve constraints for unexplored paths, but to also choose promising paths that likely lead to a measurable difference. Feedbackdirected greybox fuzzing for efficient program testing and shadow symbolic execution for systematic program exploration. This technique, which we call differential symbolic execution dse, exploits the fact that program versions are largely similar to reduce cost and improve the quality of analysis results. Sven apel, alessandro garcia, christian kastner, david lo, alessandra russo, paolo tonella, andreas zeller, andrea zisman. As a result, the outputs computed by a program are expressed as a function of the symbolic inputs.
Suzette person differential symbolic execution adam kiezun effective software testing with a stringconstraint solver defense slides rugang xu symbolic execution algorithms for test generation. Aug 30, 2016 importantly, we take a build security in mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Finally, we give a short survey of interesting new applications, such as predictive testing, invariant inference, program repair, analysis of parallel numerical programs and differential symbolic execution. This folder includes the modified badger project, which enables the differential hybrid analysis, incl. Symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and executes the program by manipulating program expressions involving the symbolic values. Successful software systems tend to be long lived and evolve over time as requirements change and faults are detected. Symbolic execution and program testing virginia tech. Role of symbolic execution in software testing, debugging and. If the program is executed on these concrete input values, it will take exactly the same path as the symbolic execution and terminate in the same way. This concept is based on badger, which provides the technical basis for our implementation. A fundamental problem with using these guarded value sets is the inability to generate test inputs in a manner. Differential program analysis, fuzzing, symbolic execution acm reference format. Home browse by title theses differential symbolic execution.
Symbolic execution tree of function foobar given in figure 1. Conference proceedings produced as a result of this research xu, zh. Our second contribution is the w system with a simple yet expressive checker interface, a set of builtin checkers, and a sound, checker and. Directed test suite augmentation, in 16th asiapacific software engineering conference. Differential symbolic execution proceedings of the 16th. Multirun sidechannel analysis using symbolic execution and maxsmt. Symbolic execution 25 explores the space of possible executions of a program by emulating or directly executing its statements. In computer science, symbolic execution also symbolic evaluation or symbex is a means of analyzing a program to determine what inputs cause each part of a program to execute.
Automatic testing of symbolic execution engines via. Dse is not sensitive to formatting and syntactic changes because it is based on a comparison of program semantics. In this talk, i will discuss the use of symbolic execution for software testing, debugging and repair. Hydiff integrates and extends two very successful testing techniques. In proceedings of the 2018 33rd acmieee international conference on automated software engineering ase 18, september 3 7, 2018, montpellier, france. Each execution state, labeled with an upper case letter, shows the statement to be executed, the symbolic store. Symbolic execution as empirical studies tool web application security checker enhancement to abstractionbased static analysis program synthesis tool all of these take advantage of sym exec strengths, and try to avoid drawbacks 7. A survey of new trends in symbolic execution for software testing and analysis. Differential program analysis needs a multidimensional approach with more sophisticated cost functions. The number of times a system is updated and redeployed may be in the hundreds, or even thousands. Intellitest generates inputs for parameterized unit tests by analyzing the branch conditions in the program. Dsc uses the instrumentation code to build and maintain a symbolic shadow representation of the dynamic program state call stack, operand stacks, and. Automated circular assumeguarantee reasoning with nway decomposition and alphabet refinement. Automatic testing of symbolic execution engines via program generation and differential testing.
Differential program analysis with fuzzing and symbolic. Dsc is a dynamic symbolic execution engine and test case generator for java bytecode programs. Citeseerx citation query differential symbolic execution. Symbolic execution can also be used to generate input for differential testing. Symbolic execution umd department of computer science. Klee is a symbolic virtual machine built on top of the llvm compiler infrastructure, and available under the uiuc open source license. Prior regression testing tools focus mainly on test case selection and prioritization whereas symbolic execution.
We define the foundational concepts of dse, describe costeffective tool support for dse, and illustrate its potential benefit through an exploratory study that considers version histories of two java code bases. We observe that symbolic execution, a technique proven to be effective in. Partnered with differential to automatically track strokes and deliver insights so their customers can improve. Nov 09, 2008 differential symbolic execution suzette person, matthew b. A survey of new trends in symbolic execution for software. We give most of our presentation in terms of java because. Some insights about symbolic execution i execute programs with symbols. Symbolic execution has been proposed over three decades ago but recently it has found renewed interest in the research community, due in. Verlag 2009 abstract symbolic execution is a wellknown program analysis technique which represents program inputs with symbolic values instead of concrete, initialized, data and. Carving and replaying differential unit test cases from system test cases, ieee transactions on software engineering, v. In directed incremental symbolic execution dise, our insight is to combine the ef. Incremental symbolic execution of concurrent software. In 42nd international conference on software engineering icse 20, may 2329, 2020, seoul, republic of.
Directed incremental symbolic execution by suzette person, guowei yang, neha rungta, sarfraz khurshid in pldi, 2011 the last few years have seen a resurgence of interest in the use of symbolic execution a program analysis technique developed more than three decades ago to analyze program execution paths. In this paper, we propose the first incremental symbolic execution method for concurrent software to generate new tests by exploring only the executions affected by code changes between two. Selecta formal system for testing and debugging programs by symbolic execution. Automatic testing of symbolic execution engines via program.
Although recentwork onrelational symbolic execution 22 aims for simpler versions of this task like detecting incorrect calcula tions of sensitivity, it is not yet powerful enough to reason about. During symbolic execution, some variables have concrete values e. The execution requires a selection of paths that are exercised by a set of data values. Comput, 1997 we describe the new software package gelda for the numerical solution of linear differentialalgebraic equations with variable coefficients. Differential symbolic execution proceedings of the 16th acm. Aspects of software development besides programming, such as diagnosing bugs, testing, and debugging, comprise over 50% of development costs.