Relational Symbolic Execution

@article{Farina2019RelationalSE,
  title={Relational Symbolic Execution},
  author={Gian Pietro Farina and Stephen Chong and Marco Gaboardi},
  journal={Proceedings of the 21st International Symposium on Principles and Practice of Declarative Programming},
  year={2019}
}
Symbolic execution is a classical program analysis technique used to show that programs satisfy or violate given specifications. [] Key Method We design a relational symbolic execution engine, named RelSym which supports interactive refutation, as well as proving of relational properties for programs written in a language with arrays and for-like loops.

Figures and Tables from this paper

Symbolic execution for randomized programs

This work proposes a symbolic execution method that can verify randomized programs with unknown inputs and can prove probabilistic properties that universally quantify over all possible inputs, and implements it on top of the KLEE symbolic execution engine.

Checking equivalence in a non-strict language

A calculus based on symbolic execution and coinduction to check the equivalence of programs in a non-strict functional language and describes a fully automated approach for finding both equivalence proofs and counterexamples.

Coupled Relational Symbolic Execution for Differential Privacy

This work designs a relational symbolic execution technique which supports reasoning about probabilistic coupling, a formal notion that has been shown useful to structure proofs of differential privacy.

Incremental Vulnerability Detection via Back-Propagating Symbolic Execution of Insecurity Separation Logic

We present the first compositional, incremental static analysis for detecting memory-safety and information leakage vulnerabilities in C-like programs. To do so, we develop the first

Binsec/Rel: Efficient Relational Symbolic Execution for Constant-Time at Binary-Level

This work tackles the problem of designing an efficient binary-level verification tool for CT providing both bug-finding and bounded-verification and discovered that gcc -O0 and backend passes of clang introduce violations of CT in implementations that were previously deemed secure by a state-of-the-art CT verification tool operating at LLVM level.

Incremental Vulnerability Detection with Insecurity Separation Logic

We present the first compositional, incremental static analysis for detecting memory-safety and information leakage vulnerabilities in C-like programs. To do so, we develop the first

Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly

This work designs and implements Vivienne, an open-source tool to automatically analyze WebAssembly cryptographic libraries for constant-time violations, and evaluates Vivienne on 57 real-world cryptographic implementations, including a previously unverified implementation of the HACL* library in WebAssembly.

Compositional Vulnerability Detection with Insecurity Separation Logic

This paper designs and implements an under-approximate relational program logic for soundly detecting information leakage and memory-safety issues in interactive programs, and shows how InsecSL can be soundly automated by bi-abduction based symbolic execution.

Reflections on the Experimental Evaluation of a Binary-Level Symbolic Analyzer for Spectre

The challenge is to optimize this exploration of transient execution introduced by the speculative semantics in order to make the analysis applicable to real code.

Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-Erasure

This paper implements a prototype, Binsec/Rel, for bug-finding and bounded-verification of constant-time and secret-erasure, and performs extensive experiments on a set of 338 cryptographic implementations, demonstrating the benefits of the approach.

References

SHOWING 1-10 OF 67 REFERENCES

Relational Verification Using Product Programs

This work provides a general notion of product program that supports a direct reduction of relational verification to standard verification, and illustrates the benefits of the method with selected examples, including non-interference, standard loop optimizations, and a state-of-the-art optimization for incremental computation.

Symbolic execution and program testing

A particular system called EFFIGY which provides symbolic execution for program testing and debugging is described, which interpretively executes programs written in a simple PL/I style programming language.

Using symbolic execution for verification of Ada tasking programs

A method is presented for using symbolic execution to generate the verification conditions required for proving correctness of programs written in a tasking subset of Ada, derived from proof systems that allow tasks to be verified independently in local proofs.

Generalized Symbolic Execution for Model Checking and Testing

A source to source translation to instrument a program is defined, which enables standard model checkers to perform symbolic execution of the program, and a novel symbolic execution algorithm is given that handles dynamically allocated structures, method preconditions and concurrency.

Exploiting Synchrony and Symmetry in Relational Verification

This work proposes to exploit relational specifications for simplifying the generated verification subtasks by maximizing opportunities for synchronizing code fragments and compute symmetries in the specifications to reveal and avoid redundant subtasks.

Simple relational correctness proofs for static analyses and program transformations

We show how some classical static analyses for imperative programs, and the optimizing transformations which they enable, may be expressed and proved correct using elementary logical and

Relational cost analysis

This work proposes a relational cost analysis technique that is capable of establishing precise bounds on the difference in the execution cost of two programs by making use of relational properties of programs and inputs, and develops a refinement type and effect system for a higher-order functional language with recursion and subtyping.

Modular Product Programs

This work presents modular product programs, a novel kind of product program that permits hyperproperties in procedure specifications and, thus, can reason about calls modularly and demonstrates its expressiveness by applying it to information flow security with advanced features such as declassification and termination-sensitivity.

Symbolic Execution Debugger (SED)

The Symbolic Execution Debugger for sequential Java programs is presented, which is based on symbolic execution and its functionality goes beyond that of traditional interactive debuggers.

Differential symbolic execution

A novel extension and application of symbolic execution techniques that computes a precise behavioral characterization of a program change that exploits the fact that program versions are largely similar to reduce cost and improve the quality of analysis results is introduced.
...