425 Hits in 4.3 sec

Constraints in Dynamic Symbolic Execution: Bitvectors or Integers? [chapter]

Timotej Kapus, Martin Nowack, Cristian Cadar
2019 Lecture Notes in Computer Science  
Dynamic symbolic execution is a technique that analyses programs by gathering mathematical constraints along execution paths. To achieve bit-level precision, one must use the theory of bitvectors.  ...  In this paper, we explore the impact of using the theory of integers on the precision and performance of dynamic symbolic execution of C programs.  ...  To illustrate how dynamic symbolic execution works, consider the program shown in Figure 1a .  ... 
doi:10.1007/978-3-030-31157-5_3 fatcat:vjtzswdbz5dqrpsuk6vmj33b44

A Symbolic Execution Framework for JavaScript

Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song
2010 2010 IEEE Symposium on Security and Privacy  
In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution.  ...  Exploring a program's execution space has a number of applications in the security of client-side web applications.  ...  Symbolic inputs may be strings, integers, or booleans. Symbolic execution proceeds on the JASIL instructions in the order they are recorded in the execution trace.  ... 
doi:10.1109/sp.2010.38 dblp:conf/sp/SaxenaAHMMS10 fatcat:wdfkmpebcbeapcg6esllmartzi

Floating-point symbolic execution: A case study in N-version programming

Daniel Liew, Daniel Schemmel, Cristian Cadar, Alastair F. Donaldson, Rafael Zahl, Klaus Wehrle
2017 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE)  
Recent support for floating-point constraint solving has made it feasible to support floating-point reasoning in symbolic execution tools.  ...  Symbolic execution is a well-known program analysis technique for testing software, which makes intensive use of constraint solvers.  ...  base (typically 10 or 2), and e is an integer exponent.  ... 
doi:10.1109/ase.2017.8115670 dblp:conf/kbse/LiewSCDZW17 fatcat:2mzqrrregjaxhiug5ujg3cf6pa

Multi-solver Support in Symbolic Execution [chapter]

Hristina Palikareva, Cristian Cadar
2013 Lecture Notes in Computer Science  
A key decision in the design of a symbolic execution tool is the choice of a constraint solver.  ...  In this paper, we argue that symbolic execution tools can, and should, make use of multiple constraint solvers.  ...  We are grateful to the metaSMT developers, in particular Heinz Riener and Finn Haedicke for their help with metaSMT. We would also like to thank Armin Biere for his help with Boolector.  ... 
doi:10.1007/978-3-642-39799-8_3 fatcat:bdlvv4rj75hm3cloqaefhqmc4q

Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution [article]

Daniil Kuts
2021 arXiv   pre-print
We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr.  ...  Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection.  ...  When address value goes outside the lower bound, the symbolic index expression used in formula wraps around due to bitvector integer logic.  ... 
arXiv:2109.03698v1 fatcat:wrlas2jxrjapbotpcr4ic5ej4y

OSMOSE: automatic structural testing of executables

Sébastien Bardin, Philippe Herrmann
2011 Software testing, verification & reliability  
However in certain circumstances verification is more relevant when performed at the machine code level. This paper focuses on automatic test data generation from a standalone executable.  ...  Verification is usually performed on a high-level view of the software, either specification or program source code.  ...  A major improvement of symbolic execution is the concept of concolic execution [23, 45] , also referred to as mixed execution [16] or dynamic symbolic execution [47] .  ... 
doi:10.1002/stvr.423 fatcat:m65u7avye5dobizq3xajt553za

Automatically generating malicious disks using symbolic execution

Junfeng Yang, Can Sar, P. Twohey, C. Cadar, D. Engler
2006 2006 IEEE Symposium on Security and Privacy (S&P'06)  
This paper shows how to automatically find bugs in such code using symbolic execution.  ...  We generate test cases by solving these constraints for concrete values.  ...  If y or z (or both) are symbolic, EXE instead just adds the constraint x = y + z and records that x corresponds to a symbolic value.  ... 
doi:10.1109/sp.2006.7 dblp:conf/sp/YangSTCE06 fatcat:rxnhqwgbhfacvi2yztgsw2bgha

Symbolic Execution and Debugging Synchronization [article]

Andrea Fioraldi
2020 arXiv   pre-print
In this thesis, we introduce the idea of combining symbolic execution with dynamic analysis for reverse engineering.  ...  After that, the user can also transfer back the correct input values found with symbolic execution in order to continue the debugging.  ...  Dynamic Symbolic Execution A main limitation of symbolic execution is exploring paths with very complex constraints.  ... 
arXiv:2006.16601v1 fatcat:mj4bfsbrmja3dc6dryoqhd4kpu

Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis

Corina S. Păsăreanu, Willem Visser, David Bushnell, Jaco Geldenhuys, Peter Mehlitz, Neha Rungta
2013 Automated Software Engineering : An International Journal  
Symbolic execution was introduced in the 70s, but only recently it has found wider applicability in practice.  ...  The technique systematically collects input constraints along the executed program paths while computing the program effects as algebraic expressions in terms of the symbolic values.  ...  Conclusions We have described Symbolic PathFinder, a tool that combines symbolic execution with model checking and constraint solving for the automated error detection and test case generation for Java  ... 
doi:10.1007/s10515-013-0122-2 fatcat:6ot64jpzpvcmno5oiz4a7guj4q

Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level [article]

Lesly-Ann Daniel, Sébastien Bardin, Tamara Rezk
2020 arXiv   pre-print
The technique builds on relational symbolic execution enhanced with new optimizations dedicated to information flow and binary-level analysis, yielding a dramatic improvement over prior work based on symbolic  ...  execution.  ...  These techniques include statistical analysis [84] , dynamic binary instrumentation [18] , [21] , and dynamic symbolic execution (DSE) [19] . X.  ... 
arXiv:1912.08788v2 fatcat:3paj3qietve5xmpnbuulrasdn4

Modeling Software Execution Environment

Dawei Qi, William N. Sumner, Feng Qin, Mai Zheng, Xiangyu Zhang, Abhik Roychoudhury
2012 2012 19th Working Conference on Reverse Engineering  
Software analysis ought to take the execution environment into consideration.  ...  Moreover, our experiments have shown that the constructed models can improve dynamic test generation and failure tolerance.  ...  Symbolic execution engines [3] , [4] need to have appropriate models for library and system calls in order to construct correct symbolic constraints.  ... 
doi:10.1109/wcre.2012.51 dblp:conf/wcre/QiSQZZR12 fatcat:oadfuyj5jvdlfjxo44fu4fck4m

A symbolic execution framework for algorithm-level modelling

Ziyad Hanna, Tom Melham
2009 2009 IEEE International High Level Design Validation and Test Workshop  
We aim to show the utility of our language and symbolic execution framework for exploring microarchitectural algorithm and to validate designs using dynamic or formal techniques, yielding more productive  ...  We describe an experimental framework for direct symbolic execution of models in this language, intended as a basis for both property and refinement verification, as well as design exploration.  ...  ACKNOWLEDGMENTS We are grateful to the Microsoft Research team, including Yuri Gurevich and Wolfram Schulte, for their initial support in AsmL and Spec Explorer.  ... 
doi:10.1109/hldvt.2009.5340168 dblp:conf/hldvt/HannaM09 fatcat:s7ugbceedjf4hgpvmtfpr3yyoe

Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution

Tielei Wang, Tao Wei, Guofei Gu, Wei Zou
2011 ACM Transactions on Privacy and Security  
This article presents TaintScope, an automatic fuzzing system using dynamic taint analysis and symbolic execution techniques, to tackle the above problem.  ...  Furthermore, it can fix checksum values in generated inputs using combined concrete and symbolic execution techniques. (2) TaintScope is a taint-based fuzzing tool working at the x86 binary level.  ...  Dynamic Symbolic Execution and Constraint Solving.  ... 
doi:10.1145/2019599.2019600 fatcat:7lxi63myd5hsfe7scxnxi5nouy

Lazy Symbolic Execution for Enhanced Learning [chapter]

Duc-Hiep Chu, Joxan Jaffar, Vijayaraghavan Murali
2014 Lecture Notes in Computer Science  
Symbolic execution by default is eager, that is, execution along a symbolic path stops the moment when infeasibility is detected in the logical constraints describing the path so far.  ...  For instance, assuming forward symbolic execution, we can ignore the constraint from the most recent guard that caused the infeasibility, in order make it a feasible state.  ...  Second, we note that though the search strategies used in modern dpll-based smt solvers would be more dynamic and different from the forward symbolic execution presented in this paper, it is safe to classify  ... 
doi:10.1007/978-3-319-11164-3_27 fatcat:yopj6u4rbnhmnmywuo7fuvwpwe

Indexing Operators to Extend the Reach of Symbolic Execution [article]

Earl T. Barr, David Clark, Mark Harman, Alexandru Marginean
2018 arXiv   pre-print
For a restricted class of inputs, Indexify permits the symbolic execution of program paths unreachable with previous techniques: it covers more than twice as many branches in coreutils as Klee.  ...  We seek to exploit this difference: for a given program, we apply a bespoke program transformation Indexify to convert expressions that current SMT solvers do not, in general, handle, such as constraints  ...  Indexify does not require any existing integer implementation. ] implements dynamic symbolic execution and uses bit-blasting.  ... 
arXiv:1806.10235v1 fatcat:kbhbdevwrzhbhnvdnf2xi2elda
« Previous Showing results 1 — 15 out of 425 results