Skip to main content
Springer Nature Link
Log in

Symbolic Object Code Analysis

  • Conference paper
Model Checking Software (SPIN 2010)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 6349))

Included in the following conference series:

Abstract

Current software model checkers quickly reach their limits when being applied to verifying pointer safety properties in source code that includes function pointers and inlined assembly. This paper introduces an alternative technique for checking pointer safety violations, called Symbolic Object Code Analysis (SOCA), which is based on bounded symbolic execution, incorporates path-sensitive slicing, and employs the SMT solver Yices as its execution and verification engine. Experimental results of a prototypic SOCA Verifier, using the Verisec suite and almost 10,000 Linux device driver functions as benchmarks, show that SOCA performs competitively to source-code model checkers and scales well when applied to real operating systems code and pointer safety issues.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Balakrishnan, G., Reps, T.: Recency-abstraction for heap-allocated storage. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 221–239. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  2. Balakrishnan, G., Reps, T., Melski, D., Teitelbaum, T.: WYSINWYX: What You See Is Not What You eXecute. In: Meyer, B., Woodcock, J. (eds.) VSTTE 2005. LNCS, vol. 4171, pp. 202–213. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  3. Ball, T., Bounimova, E., Cook, B., Levin, V., Lichtenberg, J., McGarvey, C., Ondrusek, B., Rajamani, S.K., Ustuner, A.: Thorough static analysis of device drivers. SIGOPS Oper. Syst. Rev. 40, 73–85 (2006)

    Article  Google Scholar 

  4. Ball, T., Rajamani, S.: Automatically validating temporal safety properties of interfaces. In: Dwyer, M.B. (ed.) SPIN 2001. LNCS, vol. 2057, pp. 103–122. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  5. Brummayer, R., Biere, A., Lonsing, F.: BTOR: Bit-precise modelling of word-level problems for model checking. In: SMT 2008, pp. 33–38. ACM, New York (2008)

    Google Scholar 

  6. Chou, A., Yang, J., Chelf, B., Hallem, S., Engler, D.: An empirical study of operating system errors. In: SOSP 2001, pp. 73–88. ACM, New York (2001)

    Google Scholar 

  7. Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  8. Clarke, E., Kroening, D., Sharygina, N., Yorav, K.: SATABS: SAT-based predicate abstraction for ANSI-C. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 570–574. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  9. D’Silva, V., Kroening, D., Weissenbacher, G.: A survey of automated techniques for formal software verification. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 27(7), 1165–1178 (2008)

    Article  Google Scholar 

  10. Dutertre, B., de Moura, L.: The Yices SMT solver. Technical Report 01/2006, SRI (2006), http://yices.csl.sri.com/tool-paper.pdf

  11. Godefroid, P., Klarlund, N., Sen, K.: DART: Directed automated random testing. In: PLDI 2005, pp. 213–223. ACM, New York (2005)

    Google Scholar 

  12. Godefroid, P., Levin, M.Y., Molnar, D.: Automated whitebox fuzz testing. In: NDSS 2008, Internet Society (2008)

    Google Scholar 

  13. Henzinger, T., Jhala, R., Majumdar, R., Necula, G., Sutre, G., Weimer, W.: Temporal-safety proofs for systems code. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 526–538. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  14. Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. ACM TOPLAS 12(1), 26–60 (1990)

    Article  Google Scholar 

  15. Jhala, R., Majumdar, R.: Path slicing. SIGPLAN Not. 40, 38–47 (2005)

    Article  Google Scholar 

  16. Kim, M., Kim, Y.: Concolic testing of the multi-sector read operation for flash memory file system. In: Oliveira, M.V.M., Woodcock, J. (eds.) SBMF 2009. LNCS, vol. 5902, pp. 251–265. Springer, Heidelberg (2009)

    Google Scholar 

  17. King, J.: Symbolic execution and program testing. ACM Commun. 19(7), 385–394 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  18. Korel, B., Laski, J.: Dynamic slicing of computer programs. J. Syst. Softw. 13(3), 187–195 (1990)

    Article  MATH  Google Scholar 

  19. Kroening, D., Sharygina, N., Tonetta, S., Tsitovich, A., Wintersteiger, C.: Loop summarization using abstract transformers. In: Cha, S(S.), Choi, J.-Y., Kim, M., Lee, I., Viswanathan, M. (eds.) ATVA 2008. LNCS, vol. 5311, pp. 111–125. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  20. Kroening, D., Strichman, O.: Decision Procedures. Springer, Heidelberg (2008)

    MATH  Google Scholar 

  21. Ku, K.: Software model-checking: Benchmarking and techniques for buffer overflow analysis. Master’s thesis, University of Toronto (2008)

    Google Scholar 

  22. Leung, A., George, L.: Static single assignment form for machine code. In: PLDI 1999, pp. 204–214. ACM, New York (1999)

    Google Scholar 

  23. Leven, P., Mehler, T., Edelkamp, S.: Directed error detection in C++ with the assembly-level model checker StEAM. In: Graf, S., Mounier, L. (eds.) SPIN 2004. LNCS, vol. 2989, pp. 39–56. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  24. Mühlberg, J.T.: Model Checking Pointer Safety in Compiled Programs. PhD thesis, Department of Computer Science, University of York (2009)

    Google Scholar 

  25. Mühlberg, J.T., Lüttgen, G.: BLASTing Linux code. In: Brim, L., Haverkort, B.R., Leucker, M., van de Pol, J. (eds.) FMICS 2006 and PDMC 2006. LNCS, vol. 4346, pp. 211–226. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  26. Mühlberg, J.T., Lüttgen, G.: Verifying compiled file system code. In: Oliveira, M.V.M., Woodcock, J. (eds.) SBMF 2009. LNCS, vol. 5902, pp. 306–320. Springer, Heidelberg (2009)

    Google Scholar 

  27. Nethercote, N., Seward, J.: Valgrind: A framework for heavyweight dynamic binary instrumentation. SIGPLAN Not. 42(6), 89–100 (2007)

    Article  Google Scholar 

  28. Noll, T., Schlich, B.: Delayed nondeterminism in model checking embedded systems assembly code. In: Yorav, K. (ed.) HVC 2007. LNCS, vol. 4899, pp. 185–201. Springer, Heidelberg (2008)

    Google Scholar 

  29. Pǎsǎreanu, C., Mehlitz, P., Bushnell, D., Gundy-Burlet, K., Lowry, M., Person, S., Pape, M.: Combining unit-level symbolic execution and system-level concrete execution for testing NASA software. In: ISSTA 2008, pp. 15–26. ACM, New York (2008)

    Google Scholar 

  30. Pǎsǎreanu, C., Visser, W.: A survey of new trends in symbolic execution for software testing and analysis. Software Tools for Technology Transfer 11(4), 339–353 (2009)

    Article  Google Scholar 

  31. Rational Purify IBM Corp., http://www.ibm.com/software/awdtools/purify/

  32. Rungta, N., Mercer, E., Visser, W.: Efficient testing of concurrent programs with abstraction-guided symbolic execution. In: Păsăreanu, C.S. (ed.) SPIN 2009. LNCS, vol. 5578, pp. 174–191. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  33. Schlich, B., Kowalewski, S.: [mc]square: A model checker for microcontroller code. In: ISOLA 2006, pp. 466–473. IEEE, Los Alamitos (2006)

    Google Scholar 

  34. Sen, K., Marinov, D., Agha, G.: CUTE: A concolic unit testing engine for C. In: ESEC/FSE-13, pp. 263–272. ACM, New York (2005)

    Chapter  Google Scholar 

  35. Visser, W., Havelund, K., Brat, G., Joon, S., Lerda, F.: Model checking programs. Formal Methods in System Design 10(2), 203–232 (2003)

    Google Scholar 

  36. Weiser, M.: Program slicing. In: ICSE 1981, pp. 439–449. IEEE, Los Alamitos (1981)

    Google Scholar 

  37. Xie, Y., Aiken, A.: SATURN: A scalable framework for error detection using boolean satisfiability. ACM TOPLAS 29(3), 16 (2007)

    Article  Google Scholar 

  38. Zitser, M., Lippmann, R., Leek, T.: Testing static analysis tools using exploitable buffer overflows from open source code. SIGSOFT Softw. Eng. Notes 29(6), 97–106 (2004)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Software Technologies Research Group, University of Bamberg, 96045, Bamberg, Germany

    Jan Tobias Mühlberg & Gerald Lüttgen

Authors
  1. Jan Tobias Mühlberg
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gerald Lüttgen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Formal Methods and Tools, Department of Computer Science, University of Twente, P.O. Box 217, 7500AE, Enschede, The Netherlands

    Jaco van de Pol  & Michael Weber  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mühlberg, J.T., Lüttgen, G. (2010). Symbolic Object Code Analysis. In: van de Pol, J., Weber, M. (eds) Model Checking Software. SPIN 2010. Lecture Notes in Computer Science, vol 6349. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-16164-3_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-16164-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-16163-6

  • Online ISBN: 978-3-642-16164-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics