ABSTRACT
Symbolic execution is a popular software testing technique that can help developers identify complex bugs in real-world applications. Unfortunately, symbolic execution may struggle to analyze programs containing memory-intensive operations, such as memcpy and memset, whenever these operations are carried out over memory blocks whose size or address is symbolic, i.e., input-dependent: an eager model must either enumerate the feasible sizes or emit a large constraint for every byte the operation might touch.
In this paper, we devise MInt, a memory model for symbolic execution that can support reasoning over such operations. The key new idea behind our proposal is to make the memory model aware of these memory-intensive operations, deferring any symbolic reasoning on their effects until the program actually manipulates the symbolic data affected by these operations. We show that a preliminary implementation of MInt based on the symbolic framework angr can effectively analyze applications taken from the DARPA Cyber Grand Challenge.
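To make the deferral idea concrete, the following is an added toy model of symbolic memory written for this page; it is not the MInt implementation and not angr code. A memset or memcpy whose byte count is symbolic is appended to the memory log as a pending operation instead of being expanded; only when a byte inside its window is later loaded does the model emit an if-then-else expression guarded by the symbolic size. The example assumes concrete addresses (only the size is symbolic) and takes a caller-supplied upper bound `max_n` in place of the bound a solver would compute; the program fragment in `build_state`, the buffer addresses `BUF`/`OUT` and the `Sym`/`Ite` classes are constructed for the illustration. The check at the end replays the same fragment eagerly on concrete bytes for every feasible size and confirms the deferred model agrees byte for byte.

```python
"""Toy lazy memory model: memset/memcpy with a symbolic size (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass(frozen=True)
class Sym:
    """A symbolic (input-dependent) integer, e.g. a memset length."""
    name: str


@dataclass(frozen=True)
class Ite:
    """if (off < n) then `then` else `otherwise`; n may be symbolic."""
    off: int
    n: "Expr"
    then: "Expr"
    otherwise: "Expr"


Expr = Union[int, Sym, Ite]


def evaluate(e: Expr, model: Dict[str, int]) -> int:
    """Concretise an expression under an assignment to its symbols."""
    if isinstance(e, int):
        return e
    if isinstance(e, Sym):
        return model[e.name]
    return evaluate(e.then if e.off < evaluate(e.n, model) else e.otherwise, model)


@dataclass
class Store:          # ordinary byte store, applied eagerly
    addr: int
    value: Expr


@dataclass
class SymOp:          # deferred memset/memcpy over [dst, dst + n), n symbolic
    dst: int
    n: Expr
    max_n: int        # assumed upper bound on n (a solver would supply it)
    values: List[Expr]  # value landing at offset i, for i < max_n


class LazyMemory:
    """Byte memory kept as an ordered log of stores and deferred ops."""

    def __init__(self) -> None:
        self.log: List[Union[Store, SymOp]] = []

    def store(self, addr: int, value: Expr) -> None:
        self.log.append(Store(addr, value))

    def load(self, addr: int) -> Expr:
        # Replay in program order so later writes win; each deferred op that
        # overlaps `addr` wraps the current value in one ITE guarded by its n.
        val: Expr = 0
        for ev in self.log:
            if isinstance(ev, Store):
                if ev.addr == addr:
                    val = ev.value
            else:
                off = addr - ev.dst
                if 0 <= off < ev.max_n:
                    val = Ite(off, ev.n, ev.values[off], val)
        return val

    def memset(self, dst: int, value: Expr, n: Expr, max_n: int = 0) -> None:
        if isinstance(n, int):               # concrete size: classic eager model
            for i in range(n):
                self.store(dst + i, value)
            return
        self.log.append(SymOp(dst, n, max_n, [value] * max_n))   # deferred

    def memcpy(self, dst: int, src: int, n: Expr, max_n: int = 0) -> None:
        bound = n if isinstance(n, int) else max_n
        snapshot = [self.load(src + i) for i in range(bound)]   # src as of now
        if isinstance(n, int):
            for i, v in enumerate(snapshot):
                self.store(dst + i, v)
            return
        self.log.append(SymOp(dst, n, max_n, snapshot))         # deferred


BUF, OUT = 0x1000, 0x2000   # constructed addresses for the fragment below


def build_state(n: Expr, max_n: int = 8) -> LazyMemory:
    """Constructed fragment: buf[0..7]=1..8; memset(buf,0xAA,n); buf[2]=0x77;
    memcpy(out,buf,n) with 0 <= n <= 8 (the later store must beat the memset)."""
    mem = LazyMemory()
    for i in range(8):
        mem.store(BUF + i, i + 1)
    mem.memset(BUF, 0xAA, n, max_n)
    mem.store(BUF + 2, 0x77)
    mem.memcpy(OUT, BUF, n, max_n)
    return mem


def concrete_reference(n: int) -> bytes:
    """The same fragment run eagerly on concrete bytes: the oracle for the check."""
    buf, out = bytearray(range(1, 9)), bytearray(8)
    buf[:n] = b"\xaa" * n
    buf[2] = 0x77
    out[:n] = buf[:n]
    return bytes(buf + out)


def lazy_under_model(n_value: int) -> bytes:
    """Build the state with symbolic n, then concretise all 16 bytes for n = n_value."""
    mem = build_state(Sym("n"))
    addrs = [*range(BUF, BUF + 8), *range(OUT, OUT + 8)]
    return bytes(evaluate(mem.load(a), {"n": n_value}) for a in addrs)


def check_all_sizes() -> bool:
    """Deferred model must agree with eager execution for every feasible n."""
    return all(lazy_under_model(n) == concrete_reference(n) for n in range(9))
```

Loading `OUT + 3` from the symbolic state returns `Ite(3, n, Ite(3, n, 0xAA, 4), 0)` rather than a byte: nothing about the memset or the memcpy was expanded when the operations ran, and the cost of the two symbolic operations is paid only for the bytes the program actually reads. The eager path taken for concrete sizes is the behaviour of an ordinary memory model; the deferred path is the point of the example.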
Index Terms
- Handling Memory-Intensive Operations in Symbolic Execution