11. Dynamic Symbollic Execution Flashcards

1
Q

Dynamic Symbolic Execution

A

Stores program state concretely and symbollically
Solves constraints to guide execution at branch points
Explores all execution paths of the unit tested

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Computation tree

A

each node represents the execution of a conditional statement
Each edge represents the execution of a sequence of non-conditional statements
Each path in the tree represents an equivalence class of inputs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Node left child is

right child is

A

false path

true path

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Random testing approach

A

Generate random inputs, execute the program on those concrete inputs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Random testing approach problem

A

PRobablility of reaching error could be astronomically small

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Symbolic execution approach

A

Use symbolic values for input
Execute program symbolically on symbolic input values
Collect symbolic path constraints
Use theorem prover to check if a branch can be taken

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Symbolic execution problem

A

does not scale for large programs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Combined approach - Dynamic Symbolic Execution (DSE)

A

Start with random input values
Keep track of both concrete values and symbolic constraints
Use concrete values to simplify symbolic constraints

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Incomplete theorem prover

A

never declare an unsatisfiable constraint as satisfiable but may not be able to satisfy a satisfiable constraint

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

DSE overvieW

A
  1. init concrete values and establish symbolic state.
  2. go through program with values and record the results. If a conditional is passed, write it as a path condition. Keep adding these on.
  3. Once a path ends, have the last path condition written be inversed and have the concrete state values be replaced by values that adhere to the inversed last path condition as well as the path conditions before that
  4. repeat forever
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

When the DSE may be complex

A

So like if I have x = ? and y = 7 and z = hash(y)
then hit the condition that z !=x and I want to inverse that
no problem, instead of mixing all the numbers the solver can just keep y constant so z is constant and set x to z

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

DSE false negative example

A

if(x!=y)
if( hash(x) == hash(y)) ERROR
can’t find a value to satisfy the conditions for that branch so its marked as unsatisfiable and we continue on the true path.

Because of this we fail to find the ERROR in the program creating a false negative

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

DSE is complete/incomplete

A

complete, it will never return false positives

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

DSE is sound/unsound

A

unsound, it can miss actual runs of code that lead to errors.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

symbolic execution is complete/incomplete

A

incomplete as it may model runs of the program that could never happen, sometimes returning spurious errors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

symbolic execution is sound/unsound

A

sound, it will take all reachable branches, so it will never incorrectly declare a program to be error-free