Asankhaya Sharma, profile picture
Uploaded byAsankhaya Sharma
PPTX, PDF394 views

Exploiting undefined behaviors for efficient symbolic execution

This document discusses a novel approach for improving symbolic execution efficiency by exploiting undefined behaviors in programs through change value analysis. The method enhances compiler optimizations to reduce the complexity of constraints and the time taken for symbolic execution. Results demonstrate a significant reduction in the number of constraints and execution time, indicating the potential benefits of integrating this approach in software engineering tools.

Technology
Related topics:
Information Security
Download to read offline
Exploiting Undefined Behaviors for Efficient Symbolic Execution Asankhaya Sharma National University of Singapore
Motivation 17/2/2016 ICSE SRC 2014 2
Rainbow Pony 17/2/2016 ICSE SRC 2014 3
Software Engineering Works Hall, Anthony. "Realising the Benefits of Formal Methods." J. UCS 13.5 (2007): 669-678. 17/2/2016 ICSE SRC 2014 4
Symbolic Execution • Software engineering tools (KLEE, PEX, Klover etc.) routinely use symbolic execution for – Test case generation – Bug finding – Debugging – Performance analysis – Verification • Improving the performance can have big impact 17/2/2016 ICSE SRC 2014 5
Efficient Symbolic Execution • Bottlenecks for performance – Path explosion – Complexity of generated constraints • Existing approaches – Constraint subsumption and simplification – Concoclic execution – State merging, caching and reusing constraints – Static analysis 17/2/2016 ICSE SRC 2014 6
Key Idea • Compilers are really good at optimization based on undefined behaviors • Design a static analysis (Change Value Analysis) to introduce undefined behaviors in programs • Use the optimized binaries for symbolic execution 17/2/2016 ICSE SRC 2014 7
Main Benefits • Does not require any change in the underlying symbolic execution engine to use the results from static analysis for dynamic path exploration • Allows reduction in size of compiled binaries and prevents generation of irrelevant constraints 17/2/2016 ICSE SRC 2014 8
Overview of Approach Change Value Analysis of Program Program with Undefined Behaviors Compiler Optimizations Binary for Symbolic Execution 17/2/2016 ICSE SRC 2014 9
Change Value Analysis int foo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined 17/2/2016 ICSE SRC 2014 10
Change Value Analysis int foo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined a 17/2/2016 ICSE SRC 2014 11
Change Value Analysis int foo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined a, x, y z 17/2/2016 ICSE SRC 2014 12
Introduce Undefined Behaviors int foo (int x, int y, int z) { int a; a = *; if (x – y > 0) a = x; else a = y; if (* > a) printf(“z is max”); return a; } Changed Unchanged Undefined a, x, y z Replace Unchanged variables with nondeterministic value * 17/2/2016 ICSE SRC 2014 13
After Compiler Optimizations int foo (int x, int y, int z) { int a; a = *; if (x – y > 0) a = x; else a = y; if (* > a) printf(“z is max”); return a; } int foo (int x, int y, int z) { int a; if (x – y > 0) a = x; else a = y; return a; } Eliminates 3 lines from the program 17/2/2016 ICSE SRC 2014 14
Experiments • Change Value Analysis implemented as a compiler pass in LLVM • Use an existing tool Fuzzgrind for symbolic execution of binaries • Benchmarks from Software-artifact Infrastructure Repository (SIR) 17/2/2016 ICSE SRC 2014 15
Results 0 200 400 600 800 1000 1200 Constraints (Num) Constraints with CVA 30% Reduction in Number of Constraints 17/2/2016 ICSE SRC 2014 16
Results 0 20 40 60 80 100 120 140 160 180 200 Time (Secs) Time with CVA 48% Reduction in Time taken for Symbolic Execution 17/2/2016 ICSE SRC 2014 17
Conclusions • Systematically introducing undefined behaviors in programs can speed up symbolic execution • Compilers already optimize code for efficiency and size, we show that they can also optimize code for use in symbolic execution and testing 17/2/2016 ICSE SRC 2014 18
Thank You ! • Questions ? • Source Code (GPL 3) – https://github.com/codelion/pathgrind – https://github.com/codelion/pa.llvm • Contact – asankhaya@nus.edu.sg 17/2/2016 ICSE SRC 2014 19
Comparison with Slicing 17/2/2016 ICSE SRC 2014 20 x = a; y = 5; if (a > 0) b = x + y; if (*) x = 1; else y = 0; if (y > 0) z = x; Slicing w.r.t variable z x = a; y = 5; if (a > 0) b = x + y; if (*) x = 1; else y = 0; if (y > 0) z = x; Slicing may include dependencies from infeasible paths Jaffar, Joxan, et al. "Path-sensitive backward slicing." Static Analysis. Springer Berlin Heidelberg, 2012. 231-247. Using Change Value analysis - “a” is in Unchanged set

More Related Content

PDF
Introduction to PSPICE
bysyella
 
PPTX
Debugging in .Net
byMuhammad Amir
 
PPTX
Symbexecsearch
byAbhik Roychoudhury
 
PPTX
PROGRAMMING USING C# .NET - SARASWATHI RAMALINGAM
bySaraswathiRamalingam
 
PDF
Relaxed Parsing of Regular Approximations of String-Embedded Languages
bySemyon Grigorev
 
PDF
Tapp 2014 (belhajjame)
byKhalid Belhajjame
 
PPTX
Linking the prospective and retrospective provenance of scripts
byKhalid Belhajjame
 
PPT
PAS 2012
byAbhik Roychoudhury
 
Introduction to PSPICE
bysyella
 
Debugging in .Net
byMuhammad Amir
 
Symbexecsearch
byAbhik Roychoudhury
 
PROGRAMMING USING C# .NET - SARASWATHI RAMALINGAM
bySaraswathiRamalingam
 
Relaxed Parsing of Regular Approximations of String-Embedded Languages
bySemyon Grigorev
 
Tapp 2014 (belhajjame)
byKhalid Belhajjame
 
Linking the prospective and retrospective provenance of scripts
byKhalid Belhajjame
 
PAS 2012
byAbhik Roychoudhury
 

Viewers also liked

PPTX
Code generation
byAparna Nayak
 
PPT
Lexical analyzer
byAshwini Sonawane
 
PPTX
Taking Splunk to the Next Level - Management
bySplunk
 
PPT
Real time debugging: using non-intrusive tracepoints to debug live systems
bymarckhouzam
 
PDF
Symbolic Debugging with DWARF
bySamy Bahra
 
PPTX
Inspiring words from Mr.Suresh Narayanan, Chairman & MD, Nestle India Ltd- Le...
byGreat Lakes Institute of Management
 
PDF
Работа со страхами (упражнение с картами "1000 дорог")
by1000 идей тренинг-центр
 
PDF
Лук и стрелы (ситуационный расклад с картами "1000 идей")
by1000 идей тренинг-центр
 
PDF
Certificate Barista
byNuno Silva
 
PDF
Continuous Delivery su progetti Java: cosa abbiamo imparato facendoci del male
byPietro Di Bello
 
PPTX
DisposaCone B2B Offer
byDisposaCone
 
PDF
Mobile Ad Study
byDaniel Arbizu
 
PDF
AAM 205th
byGarland Diamond Sr
 
PPTX
Informatyka
bypawelpyrzak
 
PPTX
Bib Manager Tutorial
bySwati_UWM
 
PPT
“La educación en la familia”
byAlma Malagon
 
Code generation
byAparna Nayak
 
Lexical analyzer
byAshwini Sonawane
 
Taking Splunk to the Next Level - Management
bySplunk
 
Real time debugging: using non-intrusive tracepoints to debug live systems
bymarckhouzam
 
Symbolic Debugging with DWARF
bySamy Bahra
 
Inspiring words from Mr.Suresh Narayanan, Chairman & MD, Nestle India Ltd- Le...
byGreat Lakes Institute of Management
 
Работа со страхами (упражнение с картами "1000 дорог")
by1000 идей тренинг-центр
 
Лук и стрелы (ситуационный расклад с картами "1000 идей")
by1000 идей тренинг-центр
 
Certificate Barista
byNuno Silva
 
Continuous Delivery su progetti Java: cosa abbiamo imparato facendoci del male
byPietro Di Bello
 
DisposaCone B2B Offer
byDisposaCone
 
Mobile Ad Study
byDaniel Arbizu
 
AAM 205th
byGarland Diamond Sr
 
Informatyka
bypawelpyrzak
 
Bib Manager Tutorial
bySwati_UWM
 
“La educación en la familia”
byAlma Malagon
 

Similar to Exploiting undefined behaviors for efficient symbolic execution

PPTX
Comprehensive Guide to Debugging in Software Testing"
byRahulDas535816
 
PPTX
Automated Program Repair, Distinguished lecture at MPI-SWS
byAbhik Roychoudhury
 
PPTX
Automated Program Repair Keynote talk
byAbhik Roychoudhury
 
PPT
01SoftwEng.pptInnovation technology pptInnovation technology ppt
bysultanahimed3
 
PPTX
Software Testing Introduction (Part 1)
byThapar Institute
 
PPT
AutoTest.ppt
byPrashanthJanakiraman
 
PPT
AutoTest.ppt
byRohit846825
 
PPT
AutoTest.ppt
byCHANDUKAYALA
 
PDF
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
PPT
Testing foundations
byNeha Singh
 
PDF
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
PDF
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
PPTX
Debugging Approaches.pptx
byubaidullah75790
 
PPTX
Abhik-Satish-dagstuhl
byAbhik Roychoudhury
 
PPTX
GCC Summit 2010
byregehr
 
PPTX
Issta13 workshop on debugging
byAbhik Roychoudhury
 
PDF
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
DOCX
E2 – Fundamentals, Functions & ArraysPlease refer to announcements.docx
byshandicollingwood
 
PDF
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 
PPTX
Case Study of the Unexplained
byshannomc
 
Comprehensive Guide to Debugging in Software Testing"
byRahulDas535816
 
Automated Program Repair, Distinguished lecture at MPI-SWS
byAbhik Roychoudhury
 
Automated Program Repair Keynote talk
byAbhik Roychoudhury
 
01SoftwEng.pptInnovation technology pptInnovation technology ppt
bysultanahimed3
 
Software Testing Introduction (Part 1)
byThapar Institute
 
AutoTest.ppt
byPrashanthJanakiraman
 
AutoTest.ppt
byRohit846825
 
AutoTest.ppt
byCHANDUKAYALA
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
byStHack
 
Testing foundations
byNeha Singh
 
2014-06-26 - A guide to undefined behavior in c and c++
byChen-Han Hsiao
 
C++ Undefined Behavior (Code::Dive 2016)
bySławomir Zborowski
 
Debugging Approaches.pptx
byubaidullah75790
 
Abhik-Satish-dagstuhl
byAbhik Roychoudhury
 
GCC Summit 2010
byregehr
 
Issta13 workshop on debugging
byAbhik Roychoudhury
 
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice
byNoSuchCon
 
E2 – Fundamentals, Functions & ArraysPlease refer to announcements.docx
byshandicollingwood
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
byJonathan Salwan
 
Case Study of the Unexplained
byshannomc
 

More from Asankhaya Sharma

PPTX
Visualizing Symbolic Execution with Bokeh
byAsankhaya Sharma
 
PPTX
Developer-focused Software Security
byAsankhaya Sharma
 
PDF
Securing Open Source Code in Enterprise
byAsankhaya Sharma
 
PPT
Crafting a Successful Engineering Career
byAsankhaya Sharma
 
PPTX
Specifying compatible sharing in data structures
byAsankhaya Sharma
 
PPTX
Verified Subtyping with Traits and Mixins
byAsankhaya Sharma
 
PPTX
Certified Reasoning for Automated Verification
byAsankhaya Sharma
 
PDF
Design and Implementation of the Security Graph Language
byAsankhaya Sharma
 
PPTX
Secure Software Development
byAsankhaya Sharma
 
PPT
DIDAR: Database Intrusion Detection with Automated Recovery
byAsankhaya Sharma
 
PDF
9 types of people you find on your team
byAsankhaya Sharma
 
PDF
Last Days of Academy
byAsankhaya Sharma
 
PPT
SayCheese Ad
byAsankhaya Sharma
 
Visualizing Symbolic Execution with Bokeh
byAsankhaya Sharma
 
Developer-focused Software Security
byAsankhaya Sharma
 
Securing Open Source Code in Enterprise
byAsankhaya Sharma
 
Crafting a Successful Engineering Career
byAsankhaya Sharma
 
Specifying compatible sharing in data structures
byAsankhaya Sharma
 
Verified Subtyping with Traits and Mixins
byAsankhaya Sharma
 
Certified Reasoning for Automated Verification
byAsankhaya Sharma
 
Design and Implementation of the Security Graph Language
byAsankhaya Sharma
 
Secure Software Development
byAsankhaya Sharma
 
DIDAR: Database Intrusion Detection with Automated Recovery
byAsankhaya Sharma
 
9 types of people you find on your team
byAsankhaya Sharma
 
Last Days of Academy
byAsankhaya Sharma
 
SayCheese Ad
byAsankhaya Sharma
 

Recently uploaded

PDF
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PDF
What's New in PostgreSQL 18 | Mydbops MyWebinar 47
byMydbops
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
API Days Australia - API Management in the AI Era
byNilesh Gule
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
PPTX
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
PPTX
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PDF
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
PDF
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
PDF
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
PDF
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
PDF
Unlocking Access: Enriching Public Services with Location Intelligence.pdf
byPrecisely
 
PDF
PromptShelf.ai Is Live: Discover, Create, and Manage AI Prompts That Actually...
byTalavera Solutions
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
What's New in PostgreSQL 18 | Mydbops MyWebinar 47
byMydbops
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
API Days Australia - API Management in the AI Era
byNilesh Gule
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
OutSystems ONE 2025-recap presentation.pptx
bymostafaothman27
 
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
2025 AI Adoption Report: Gen AI Fast-Tracks Into the Enterprise
byRazin Mustafiz
 
UiPath Community Day UNI - Nuevos productos de UiPath.pdf
byfelixluen
 
The Smol Training Playbook: The Secrets to Building World-Class LLMs
byRazin Mustafiz
 
How Generative AI Helps US Healthcare Startups Save 40.pdf
byimoliviabennett
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
Unlocking Access: Enriching Public Services with Location Intelligence.pdf
byPrecisely
 
PromptShelf.ai Is Live: Discover, Create, and Manage AI Prompts That Actually...
byTalavera Solutions
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 

Exploiting undefined behaviors for efficient symbolic execution

  • 1.
    Exploiting Undefined Behaviors forEfficient Symbolic Execution Asankhaya Sharma National University of Singapore
  • 2.
  • 3.
  • 4.
    Software Engineering Works Hall,Anthony. "Realising the Benefits of Formal Methods." J. UCS 13.5 (2007): 669-678. 17/2/2016 ICSE SRC 2014 4
  • 5.
    Symbolic Execution • Softwareengineering tools (KLEE, PEX, Klover etc.) routinely use symbolic execution for – Test case generation – Bug finding – Debugging – Performance analysis – Verification • Improving the performance can have big impact 17/2/2016 ICSE SRC 2014 5
  • 6.
    Efficient Symbolic Execution •Bottlenecks for performance – Path explosion – Complexity of generated constraints • Existing approaches – Constraint subsumption and simplification – Concoclic execution – State merging, caching and reusing constraints – Static analysis 17/2/2016 ICSE SRC 2014 6
  • 7.
    Key Idea • Compilersare really good at optimization based on undefined behaviors • Design a static analysis (Change Value Analysis) to introduce undefined behaviors in programs • Use the optimized binaries for symbolic execution 17/2/2016 ICSE SRC 2014 7
  • 8.
    Main Benefits • Doesnot require any change in the underlying symbolic execution engine to use the results from static analysis for dynamic path exploration • Allows reduction in size of compiled binaries and prevents generation of irrelevant constraints 17/2/2016 ICSE SRC 2014 8
  • 9.
    Overview of Approach ChangeValue Analysis of Program Program with Undefined Behaviors Compiler Optimizations Binary for Symbolic Execution 17/2/2016 ICSE SRC 2014 9
  • 10.
    Change Value Analysis intfoo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined 17/2/2016 ICSE SRC 2014 10
  • 11.
    Change Value Analysis intfoo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined a 17/2/2016 ICSE SRC 2014 11
  • 12.
    Change Value Analysis intfoo (int x, int y, int z) { int a; a = z; if (x – y > 0) a = x; else a = y; if (z > a) printf(“z is max”); return a; } Changed Unchanged Undefined a, x, y z 17/2/2016 ICSE SRC 2014 12
  • 13.
    Introduce Undefined Behaviors intfoo (int x, int y, int z) { int a; a = *; if (x – y > 0) a = x; else a = y; if (* > a) printf(“z is max”); return a; } Changed Unchanged Undefined a, x, y z Replace Unchanged variables with nondeterministic value * 17/2/2016 ICSE SRC 2014 13
  • 14.
    After Compiler Optimizations intfoo (int x, int y, int z) { int a; a = *; if (x – y > 0) a = x; else a = y; if (* > a) printf(“z is max”); return a; } int foo (int x, int y, int z) { int a; if (x – y > 0) a = x; else a = y; return a; } Eliminates 3 lines from the program 17/2/2016 ICSE SRC 2014 14
  • 15.
    Experiments • Change ValueAnalysis implemented as a compiler pass in LLVM • Use an existing tool Fuzzgrind for symbolic execution of binaries • Benchmarks from Software-artifact Infrastructure Repository (SIR) 17/2/2016 ICSE SRC 2014 15
  • 16.
    Results 0 200 400 600 800 1000 1200 Constraints (Num) Constraints withCVA 30% Reduction in Number of Constraints 17/2/2016 ICSE SRC 2014 16
  • 17.
    Results 0 20 40 60 80 100 120 140 160 180 200 Time (Secs) Time withCVA 48% Reduction in Time taken for Symbolic Execution 17/2/2016 ICSE SRC 2014 17
  • 18.
    Conclusions • Systematically introducingundefined behaviors in programs can speed up symbolic execution • Compilers already optimize code for efficiency and size, we show that they can also optimize code for use in symbolic execution and testing 17/2/2016 ICSE SRC 2014 18
  • 19.
    Thank You ! •Questions ? • Source Code (GPL 3) – https://github.com/codelion/pathgrind – https://github.com/codelion/pa.llvm • Contact – asankhaya@nus.edu.sg 17/2/2016 ICSE SRC 2014 19
  • 20.
    Comparison with Slicing 17/2/2016ICSE SRC 2014 20 x = a; y = 5; if (a > 0) b = x + y; if (*) x = 1; else y = 0; if (y > 0) z = x; Slicing w.r.t variable z x = a; y = 5; if (a > 0) b = x + y; if (*) x = 1; else y = 0; if (y > 0) z = x; Slicing may include dependencies from infeasible paths Jaffar, Joxan, et al. "Path-sensitive backward slicing." Static Analysis. Springer Berlin Heidelberg, 2012. 231-247. Using Change Value analysis - “a” is in Unchanged set