Parallel Chopped Symbolic Execution

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 12531)

Abstract

Symbolic execution, a well-known and widely studied software testing technique, faces scalability issues due to path explosion that limits its effectiveness. Recent work on chopped symbolic execution introduced the Chopper technique, which allows the user to specify uninteresting parts of code that the symbolic analysis can try to ignore by focusing first on the essential parts. If necessary, the ignored parts are later explored once their impact on the main code under analysis becomes unavoidable. We introduce a parallel approach to chopped symbolic execution that integrates path-based partitioning with Chopper. Our tool, called PChop, speeds up chopped symbolic exploration by allowing multiple participating workers to explore non-overlapping regions of the code in parallel. We demonstrate the impact of our technique in a failure reproduction scenario, where we use both PChop and Chopper to re-create security vulnerabilities in GNU libtasn1. The experimental results show that PChop is beneficial in situations where Chopper requires more than a minute to find the vulnerability when using a specific search strategy. For two vulnerabilities, PChop identified a previously undocumented code location where each of them manifests.

Notes

  1. https://github.com/Shikhar8990/pChop

  2. https://www.open-mpi.org/

  3. https://www.gnu.org/software/libtasn1/

Acknowledgements

This research was partially supported by the US National Science Foundation under Grant No. CCF-1704790.

Corresponding author

Correspondence to Shikhar Singh.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Singh, S., Khurshid, S. (2020). Parallel Chopped Symbolic Execution. In: Lin, SW., Hou, Z., Mahony, B. (eds) Formal Methods and Software Engineering. ICFEM 2020. Lecture Notes in Computer Science, vol 12531. Springer, Cham. https://doi.org/10.1007/978-3-030-63406-3_7

  • DOI: https://doi.org/10.1007/978-3-030-63406-3_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63405-6

  • Online ISBN: 978-3-030-63406-3

  • eBook Packages: Computer Science (R0)
