Guiding Dynamic Symbolic Execution toward Unverified Program Executions

@article{Christakis2016GuidingDS,
  title={Guiding Dynamic Symbolic Execution toward Unverified Program Executions},
  author={Maria Christakis and Peter M{\"u}ller and Valentin W{\"u}stholz},
  journal={2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)},
  year={2016},
  pages={144-155}
}
Most techniques to detect program errors, such as testing, code reviews, and static program analysis, do not fully verify all possible executions of a program. They leave executions unverified when they do not check certain properties, fail to verify properties, or check properties under certain unsound assumptions such as the absence of arithmetic overflow. In this paper, we present a technique to complement partial verification results by automatic test case generation. In contrast to… 

Figures from this paper

Employing Run-time Static Analysis to Improve Concolic Execution
TLDR
This position paper proposes to increase the precision of static analysis of dynamic symbolic execution by not only performing an initial static analysis before starting concolic testing of the program, but also by launching incremental static analyses over the program at run time, and incorporating into the analyses run-time information observed by the tester.
Dynamic Symbolic Execution with Descriptive and Prescriptive Relations
TLDR
This thesis proposes a conceptual framework for a comparative analysis of program analysis techniques, and uses it to define proposed techniques in this thesis to support Dynamic Symbolic Execution (DSE), and suggests enhancing fault detection effectiveness of DSE, in the context of functional testing, by using domain specific relations that prescribe how inputs and outputs should be related.
Leveraging abstract interpretation for efficient dynamic symbolic execution
TLDR
A method to increase the coverage achieved by DSE in the presence of input-data dependent loops and loop dependent branches is proposed, which combines DSE with abstract interpretation to find indirect control dependencies, including loop and branch indirect dependencies.
Abstraction-driven Concolic Testing
TLDR
This paper presents a novel method that iteratively combines concolic testing and model checking to find a test suite for a given coverage criterion, and observes an improvement in branch coverage.
Verifying Numerical Programs via Iterative Abstract Testing
TLDR
This paper proposes iterative abstract testing, to create a property-oriented verification approach based on abstract interpretation, and leverages bounded exhaustive testing to verify bounded small sub-spaces, as a means to complement abstract testing based verification.
Targeted Greybox Fuzzing with Static Lookahead Analysis
TLDR
A novel technique for targeted greybox fuzzing using an online static analysis that guides the fuzzer toward a set of target locations, for instance, located in recently modified parts of the program.
Executable Counterexamples in Software Model Checking
TLDR
In Software Model Checking (SMC), counterexamples take the form of a textual or semi-structured report, which complicates the debugging process by preventing developers from using existing processes and tools such as debuggers, fault localization, and fault minimization.
IDVE: an integrated development and verification environment for JavaScript
TLDR
The goal of IDVE is to provide a development tool that assists users with program verification analogous to how interactive step-by-step debugging avoids manual "printf debugging", and IDVE enables programmers to interactively manipulate assumptions and assertions of verification conditions with a novel verification inspector.
SCSE: Boosting Symbolic Execution via State Concretization
TLDR
Through experimental evaluation on real programs, it is shown that state concretization helps to speed up symbolic execution significantly and avoids invoking the constraint solver to check path feasibility at conditional instructions.
On narrowing the gap between verification and systematic testing
  • M. Christakis
  • Computer Science, Materials Science
    it Inf. Technol.
  • 2017
TLDR
This verification attempt required no static analysis or source code annotations; the purely dynamic techniques targeted the verification of the parser implementation, including complicated assembly patterns that most static analyses cannot handle.
...
1
2
3
4
5
...

References

SHOWING 1-10 OF 49 REFERENCES
Partial Verification Results
TLDR
Several novel use cases for expressing partial verification results from diverse areas of program analysis—such as test case generation, specification inference, counterexample-based error reporting, and static analysis are described.
Compositional dynamic test generation
TLDR
This paper introduces a new algorithm, dubbed SMART for Systematic Modular Automated Random Testing, that extends DART by testing functions in isolation, encoding test results as function summaries expressed using input preconditions and output postconditions, and then re-using those summaries when testing higher-level functions.
GuideSE: Annotations for Guiding Concolic Testing
TLDR
This paper proposes a simple annotation mechanism, called Guide SE, that enables a programmer to guide concolic testing by annotating the program under test by identifying three mechanisms for providing these annotations: control annotations, equivalence annotations, and data annotations.
Automated Whitebox Fuzz Testing
TLDR
This work presents an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation, and implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for white box fuzzing of arbitrary file-reading Windows applications.
An Experimental Evaluation of Deliberate Unsoundness in a Static Program Analyzer
TLDR
This paper developed a code instrumentation that reflects the sources of deliberate unsoundness in the .NET static analyzer Clousot and applied it to code from six open-source projects and found that 33% of the instrumented methods were analyzed soundly.
DyTa: dynamic symbolic execution guided with static verification results
TLDR
This work presents an automated defect-detection tool, called DyTa, that combines both static verification and dynamic test generation and reduces the number of false positives compared to static verification, and performs more efficiently compared to dynamic testgeneration.
Collaborative Verification and Testing with Explicit Assumptions
TLDR
This work proposes a technique for collaborative verification and testing that makes compromises of static checkers explicit such that they can be compensated for by complementary checkers or testing.
Execution Generated Test Cases: How to Make Systems Code Crash Itself
This paper presents a technique that uses code to automatically generate its own test cases at run time by using a combination of symbolic and concrete (i.e regular) execution The input values to a
Static Contract Checking with Abstract Interpretation
TLDR
An overview of Clousot, the current tool to statically check CodeContracts, which embodies other techniques, such as iterative domain refinement, goal-directed backward propagation, precondition and postcondition inference, and message prioritization.
Efficient state merging in symbolic execution
TLDR
A way to automatically choose when and how to merge states such that the performance of symbolic execution is significantly increased and query count estimation, a method for statically estimating the impact that each symbolic variable has on solver queries that follow a potential merge point, is presented.
...
1
2
3
4
5
...