Symbolic Execution Flashcards
What are the steps of symbolic execution?
Replacing inputs with symbolic values
Executing along a path using the symbolic values to build a formula over the input symbols
Solve for the symbolic symbols to find inputs that yield the path
______ symbolic execution works over traces. In this one, it’s driven by one program execution
dynamic
CBMC is an example of _________ symbolic execution
Static
Using symbolic execution can also determine satisfiable inputs in one program but not the other. This represents a _______
regression
What do SMT solvers do? What are some examples?
They solve constraints.
SAT
SMTLIB2
What are 2 ways to traverse the execution tree? Describe them
Concolic (dynamic symbolic): Given a first input, construct the symbolic formula while execution. It’s essentially depth first search. After finishing a branch, negate the very last conjunct to take the other path.
Execution Generated Testing: Set some inputs to be symbolic, then execute forward. At the next split, solve the formula for each branch to create a frontier of explored paths
What are some applications for symbolic execution?
Creating test suites via path and branch coverage
Targeted tests: ask for inputs that drive execution through areas of interest
Automated exploit discovery: Extension of the above point. You could encode the constraints of an error in the program path. You could inject shell code into your initial inputs
What are some challenges with symbolic execution?
Path explosion (loops, many ifs) Challenging constraints (we cannot solve all constraints, ex password hashes) Constraint representation on domain knowledge (how can we represent memory?)
How can we alleviate the issues of path explosion?
Search heuristics
Memoization
How can we alleviate the issues of challenging constraints?
Observe the actual values of variables in runs we have and reuse these values
