An Approach to Reachability Determination for Static Analysis Defects with the Help of Dynamic Symbolic Execution

Published in Programming and Computer Software

Abstract

Program analysis methods for error detection are conventionally divided into two groups: static analysis methods and dynamic analysis methods. In this paper, we present a combined approach that determines the reachability of defects found by static program analysis by applying dynamic symbolic execution to the program. The approach extends our previous approach to determining the reachability of specific program instructions with dynamic symbolic execution. It is applied sequentially to several points in the program: the defect source point, the defect sink point, and additional intermediate conditional jumps related to the defect under analysis. Briefly, the approach works as follows. First, static analysis of the program's executable code gathers information about the execution paths that guide dynamic symbolic execution to the defect source point. Then, dynamic symbolic execution generates an input dataset that reaches the defect source point and, through the intermediate conditional jumps, the defect sink point. When selecting which execution path to explore next, dynamic symbolic execution is guided by a minimum-distance heuristic: the distance from the path explored so far to the next point of the defect trace. This distance is computed on an extended call graph of the program, which combines its call graph with the portions of its control flow graph that contain all paths leading to the defect sink point. We evaluate the approach on several open-source command-line programs from Debian Linux. The evaluation confirms that the proposed approach can be used to classify defects found by static program analysis. However, we found some limitations that prevent deploying this approach in industrial program analyzers; mitigating them is one possible direction for future research.
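The abstract describes path selection by minimum distance to the next trace point over an extended call graph. The model below is an added example written for this page, not the authors' implementation: the extended call graph, the node names (`main:*`, `handle:*`) and the defect trace are all constructed, and the loop only models path selection and forking at branches, not the symbolic constraint solving that a real DSE engine does to produce inputs. It shows two things the abstract states but does not spell out: how pruning paths that cannot reach the next point keeps exploration away from irrelevant branches, and what happens when a later trace point (here the sink) is unreachable from the path that reached the source.

```python
from collections import deque

# Constructed example extended call graph (not taken from the paper): each node is
# "function:basic_block", and the adjacency list merges intraprocedural CFG edges
# with call and return edges, so one graph covers the whole defect trace.
# The toy graph is acyclic; a real engine would also need a bound on loop unrolling.
EXT_CALL_GRAPH = {
    "main:entry":    ["main:parse"],
    "main:parse":    ["main:ok", "main:err"],
    "main:err":      ["main:exit"],
    "main:ok":       ["handle:entry"],                   # call edge main -> handle
    "handle:entry":  ["handle:read"],
    "handle:read":   ["handle:check"],                   # hypothetical defect source: length read from input
    "handle:check":  ["handle:copy", "handle:reject"],   # intermediate conditional jump on that length
    "handle:copy":   ["handle:ret"],                     # hypothetical defect sink: copy using the length
    "handle:reject": ["handle:ret"],
    "handle:ret":    ["main:exit"],                      # return edge handle -> main
    "main:exit":     [],
}

# The defect trace in the order the abstract applies the approach:
# source point, then intermediate conditional jumps, then sink point.
DEFECT_TRACE = ["handle:read", "handle:check", "handle:copy"]


def distances_to(graph, target):
    """Edge-count distance from every node to `target`, via BFS over reversed edges.
    Nodes that cannot reach `target` are absent, which is what lets the selector prune them."""
    predecessors = {node: [] for node in graph}
    for src, succs in graph.items():
        for dst in succs:
            predecessors.setdefault(dst, []).append(src)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred in predecessors.get(node, []):
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist


def select_path(pending, dist):
    """Path-selection heuristic: return the pending path whose frontier node has the
    minimum distance to the current trace point. Paths whose frontier cannot reach it
    are skipped; returns None when no pending path can still reach the point."""
    best = None
    for path in pending:
        d = dist.get(path[-1])
        if d is not None and (best is None or d < dist[best[-1]]):
            best = path
    return best


def explore_trace(graph, trace, start):
    """Toy stand-in for the DSE loop: each pending path is a list of visited nodes;
    expanding a path forks it once per successor (one child per branch outcome).
    Trace points are pursued one after another. Returns (path, expansions) when the
    whole trace is reached, or (None, expansions) if some point is unreachable."""
    pending = [[start]]
    expansions = 0
    for point in trace:
        dist = distances_to(graph, point)
        while True:
            path = select_path(pending, dist)
            if path is None:
                return None, expansions
            if path[-1] == point:
                # Point reached: continue from this path only (sequential application).
                pending = [path]
                break
            pending.remove(path)
            expansions += 1
            pending.extend(path + [succ] for succ in graph[path[-1]])
    return pending[0], expansions


if __name__ == "__main__":
    found, n = explore_trace(EXT_CALL_GRAPH, DEFECT_TRACE, "main:entry")
    print("defect trace reached via", " -> ".join(found), "after", n, "expansions")
    missed, n = explore_trace(EXT_CALL_GRAPH, ["handle:read", "main:err"], "main:entry")
    print("second point unreachable from the source path:", missed is None, "after", n, "expansions")
```

On the constructed graph the `main:err` branch is never expanded while the engine is heading for `handle:read`, because no path through it reaches that point; the whole trace is reached after six expansions. The second call shows the classification outcome the abstract relies on: once the path that reached the source cannot reach the next point, `select_path` returns None and the trace is reported as not reached rather than explored indefinitely.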


Fig. 1 to Fig. 6 (figures not reproduced in this preview)


Author information

Correspondence to A. Yu. Gerasimov, L. V. Kruglov, M. K. Ermakov or S. P. Vartanov.

Additional information

Translated by Yu. Kornienko



Cite this article

Gerasimov, A.Y., Kruglov, L.V., Ermakov, M.K. et al. An Approach to Reachability Determination for Static Analysis Defects with the Help of Dynamic Symbolic Execution. Program Comput Soft 44, 467–475 (2018). https://doi.org/10.1134/S0361768818060051
