Abstract
Symbolic execution, a well-known and widely studied software testing technique, faces scalability issues due to path explosion, which limits its effectiveness. Recent work on chopped symbolic execution introduced the Chopper technique, which lets the user specify uninteresting parts of the code that the symbolic analysis can try to ignore, focusing first on the essential parts. If necessary, the ignored parts are explored later, once their impact on the main code under analysis becomes unavoidable. We introduce a parallel approach to chopped symbolic execution that integrates path-based partitioning with Chopper. Our tool, called PChop, speeds up chopped symbolic exploration by allowing multiple participating workers to explore non-overlapping regions of the code in parallel. We demonstrate the impact of our technique in a failure reproduction scenario, where we use both PChop and Chopper to re-create security vulnerabilities in GNU libtasn1. The experimental results show that PChop is beneficial in situations where Chopper requires more than a minute to find the vulnerability when using a specific search strategy. For two vulnerabilities, PChop identified a previously undocumented code location at which each of them manifests.
Acknowledgements
This research was partially supported by the US National Science Foundation under Grant No. CCF-1704790.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Singh, S., Khurshid, S. (2020). Parallel Chopped Symbolic Execution. In: Lin, SW., Hou, Z., Mahony, B. (eds) Formal Methods and Software Engineering. ICFEM 2020. Lecture Notes in Computer Science, vol 12531. Springer, Cham. https://doi.org/10.1007/978-3-030-63406-3_7
DOI: https://doi.org/10.1007/978-3-030-63406-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63405-6
Online ISBN: 978-3-030-63406-3
eBook Packages: Computer Science (R0)