Skip to main content
SpringerLink
Log in

State Joining and Splitting for the Symbolic Execution of Binaries

  • Conference paper
Runtime Verification (RV 2009)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 5779))

Included in the following conference series:

Abstract

Symbolic execution can be used to explore the possible run-time states of a program. It makes use of a concept of “state” where a variable’s value has been replaced by an expression that gives the value as a function of program input. Additionally, a state can be equipped with a summary of control-flow history: a “path constraint” keeps track of the class of inputs that would have caused the same flow of control. But even simple programs can have trillions of paths, so a path-by-path analysis is impractical. We investigate a “state joining” approach to making symbolic execution more practical and describe the challenges of applying state joining to the analysis of unmodified Linux x86 executables. The results so far are mixed, with good results for some code. On other examples, state joining produces cumbersome constraints that are more expensive to solve than those generated by normal symbolic execution.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Allen, J.R., Kennedy, K., Porterfield, C., Warren, J.: Conversion of control dependence to data dependence. In: Proceedings of the Tenth ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 177–189. ACM Press, New York (1983)

    Chapter  Google Scholar 

  2. Babić, D., Hu, A.: Calysto: Scalable and precise extended static checking. In: Proceedings of the Thirtieth International Conference on Software Engineering, pp. 211–220. ACM Press, New York (2008)

    Google Scholar 

  3. Balakrishnan, G.: WYSINWYX: What You See Is Not What You Execute. PhD thesis, University of Wisconsin at Madison, Madison, WI, USA (2007)

    Google Scholar 

  4. Boonstoppel, P., Cadar, C., Engler, D.R.: RWset: Attacking path explosion in constraint-based test generation. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 351–366. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  5. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: Automatically generating inputs of death. In: Proceedings of the Thirteenth ACM Conference on Computer and Communications Security, pp. 322–335. ACM Press, New York (2006)

    Google Scholar 

  6. Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  7. Godefroid, P.: Compositional dynamic test generation. In: Proceedings of the Thirtyfourth ACM Symposium on Principles of Programming Languages, pp. 47–54. ACM Press, New York (2007)

    Google Scholar 

  8. Kinder, J., Zuleger, F., Veith, H.: An abstract interpretation-based framework for control flow reconstruction from binaries. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 214–228. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  9. Kölbl, A., Pixley, C.: Constructing efficient formal models from high-level descriptions using symbolic simulation. International Journal on Parallel Programming 33(6), 645–666 (2005)

    Article  MATH  Google Scholar 

  10. Minato, S.-I.: Generation of BDDs from hardware algorithm descriptions. In: Proceedings of the 1996 IEEE/ACM International Conference on Computer-Aided Design, pp. 644–649. IEEE Comp. Soc., Los Alamitos (1996)

    Google Scholar 

  11. Nanda, S., Li, W., Lam, L.-C., Chiueh, T.-C.: BIRD: Binary interpretation using runtime disassembly. In: Proceedings of the International Symposium on Code Generation and Optimization, pp. 358–370. IEEE Comp. Soc., Los Alamitos (2006)

    Google Scholar 

  12. Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, pp. 89–100. ACM Press, New York (2007)

    Chapter  Google Scholar 

  13. Patterson, J.: Accurate static branch prediction by value range propagation. In: Proceedings of the ACM SIGPLAN 1995 Conference on Programming Language Design and Implementation, pp. 67–78. ACM Press, New York (1995)

    Chapter  Google Scholar 

  14. Rudell, R.L.: Multiple-valued logic minimization for PLA synthesis. Technical Report UCB/ERL M86/65, EECS Department, Berkeley (1986)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Software Engineering, The University of Melbourne, Vic., 3010, Australia

    Trevor Hansen, Peter Schachte & Harald Søndergaard

Authors
  1. Trevor Hansen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Peter Schachte
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Harald Søndergaard
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Verimag Centre Equation, 2 avenue de Vignate, 38610, Gières, France

    Saddek Bensalem

  2. Department of Computer Science, Bar Ilan University, 52900, Ramat Gan, Israel

    Doron A. Peled

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hansen, T., Schachte, P., Søndergaard, H. (2009). State Joining and Splitting for the Symbolic Execution of Binaries. In: Bensalem, S., Peled, D.A. (eds) Runtime Verification. RV 2009. Lecture Notes in Computer Science, vol 5779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04694-0_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04694-0_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04693-3

  • Online ISBN: 978-3-642-04694-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation