11. Dynamic Symbollic Execution Flashcards
Dynamic Symbolic Execution
Stores program state concretely and symbollically
Solves constraints to guide execution at branch points
Explores all execution paths of the unit tested
Computation tree
each node represents the execution of a conditional statement
Each edge represents the execution of a sequence of non-conditional statements
Each path in the tree represents an equivalence class of inputs
Node left child is
right child is
false path
true path
Random testing approach
Generate random inputs, execute the program on those concrete inputs.
Random testing approach problem
PRobablility of reaching error could be astronomically small
Symbolic execution approach
Use symbolic values for input
Execute program symbolically on symbolic input values
Collect symbolic path constraints
Use theorem prover to check if a branch can be taken
Symbolic execution problem
does not scale for large programs
Combined approach - Dynamic Symbolic Execution (DSE)
Start with random input values
Keep track of both concrete values and symbolic constraints
Use concrete values to simplify symbolic constraints
Incomplete theorem prover
never declare an unsatisfiable constraint as satisfiable but may not be able to satisfy a satisfiable constraint
DSE overvieW
- init concrete values and establish symbolic state.
- go through program with values and record the results. If a conditional is passed, write it as a path condition. Keep adding these on.
- Once a path ends, have the last path condition written be inversed and have the concrete state values be replaced by values that adhere to the inversed last path condition as well as the path conditions before that
- repeat forever
When the DSE may be complex
So like if I have x = ? and y = 7 and z = hash(y)
then hit the condition that z !=x and I want to inverse that
no problem, instead of mixing all the numbers the solver can just keep y constant so z is constant and set x to z
DSE false negative example
if(x!=y)
if( hash(x) == hash(y)) ERROR
can’t find a value to satisfy the conditions for that branch so its marked as unsatisfiable and we continue on the true path.
Because of this we fail to find the ERROR in the program creating a false negative
DSE is complete/incomplete
complete, it will never return false positives
DSE is sound/unsound
unsound, it can miss actual runs of code that lead to errors.
symbolic execution is complete/incomplete
incomplete as it may model runs of the program that could never happen, sometimes returning spurious errors