Symbolic Execution


CS252r Spring 2011
Contains content from slides by Jeff Foster

Static analysis
•Static analysis allows us to reason about all possible executions of a program
•Gives assurance about any execution, prior to deployment
•Lots of interesting static analysis ideas and tools
•But difficult for developers to use
•Commercial tools spend a lot of effort dealing with developer confusion, false positives, etc.
 • See A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World in CACM 53(2), 2010
  ‣http://bit.ly/aedM3k
© 2011 Stephen Chong, Harvard University

One issue is abstraction
•Abstraction lets us scale and model all possible runs
•But must be conservative
•Try to balance precision and scalability
 • Flow-sensitive, context-sensitive, path-sensitivity, …
•And static analysis abstractions do not cleanly match developer abstractions

Testing
•Fits well with developer intuitions
•In practice, most common form of bug-detection
•But each test explores only one possible execution of the system
•Hopefully, test cases generalize

Symbolic execution
•King, CACM 1976.
•Key idea: generalize testing by using unknown symbolic variables in evaluation
•Symbolic executor executes program, tracking symbolic state.
•If execution path depends on unknown, we fork symbolic executor
 • at least, conceptually

Symbolic execution example
1. int a = α, b = β, c = γ;
2. // symbolic
3. int x = 0, y = 0, z = 0;
4. if (a) {
5.   x = -2;
6. }
7. if (b < 5) {
8.   if (!a && c) { y = 1; }
9.   z = 2;
10. }
11. assert(x+y+z!=3)

Execution tree (initial state x=0, y=0, z=0; each fork adds a conjunct to the path condition):
•Fork on α at line 4: the true branch sets x=-2, the false branch leaves x=0
•Fork on β<5 at line 7 on both sides:
 ■ α∧(β≥5): assertion holds
 ■ α∧(β<5): z=2; the test at line 8 cannot hold when α holds, so no fork; assertion holds
 ■ ¬α∧(β≥5): assertion holds
 ■ ¬α∧(β<5): fork on γ at line 8
  - ¬α∧(β<5)∧¬γ: z=2; assertion holds
  - ¬α∧(β<5)∧γ: y=1, z=2, so x+y+z = 3 and the assertion fails (path condition of the failing path)

Why is this possible?
•There are very powerful SMT/SAT solvers today
 ■ SMT = Satisfiability Modulo Theories = SAT++
 ■ Can solve very large instances, very quickly
  - Lets us check assertions, prune infeasible paths
 ■ We’ve used Z3, STP, and Yices
•Recent success: bug finding
 ■ Heuristic search through space of possible executions
 ■ Find really interesting bugs

Sym Exec Can Do Much More
•I think symbolic execution can be used in many other interesting ways
•Next: Symbolic execution as
 ■ Empirical studies tool
 ■ Web application security checker
 ■ Enhancement to abstraction-based static analysis
 ■ Program synthesis tool
•All of these take advantage of sym exec strengths, and try to avoid drawbacks

Rubyx: Symbolic Execution for Rails
(slide content not recoverable from the extracted text)

What’s going on here?
•During symbolic execution, we are trying to determine if certain formulas are satisfiable
•E.g., is a particular program point reachable?
 • Figure out if the path condition is satisfiable
•E.g., is array access a[i] out of bounds?
 • Figure out if conjunction of path condition and i<0 ∨ i > a.length is satisfiable
•E.g., generate concrete inputs that execute the same paths
•This is enabled by powerful SMT/SAT solvers
•SAT = Satisfiability
•SMT = Satisfiability modulo theory = SAT++
 • E.g.
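As an added example (not code from the lecture), here is a toy symbolic executor for the 11-line program on the example slide: it forks at each branch on a symbolic input, carries a path condition per path, prunes infeasible branches, and for every feasible path asks a solver for a concrete input, which is how the assertion-violating path becomes a failing test case. A brute-force model finder over a small finite domain (a and c boolean, b in 0..9) stands in for the SMT solvers the slides mention; the names `SymState`, `explore` and `solve` are this example's own.

```python
# Added example: toy symbolic executor for the slide's program. A brute-force
# model finder over a finite domain stands in for an SMT solver such as Z3.
DOMAIN = [(a, b, c) for a in (False, True) for b in range(10) for c in (False, True)]

def solve(pc):
    """Toy SMT stand-in: a concrete model (a, b, c) satisfying pc, or None."""
    return next((m for m in DOMAIN if all(pred(*m) for _, pred in pc)), None)

class Infeasible(Exception):
    pass

class SymState:
    def __init__(self, forced):  # `forced` fixes the first len(forced) branch outcomes
        self.forced, self.outcomes, self.pc = forced, [], []
    def branch(self, text, pred):
        k = len(self.outcomes)
        options = [self.forced[k]] if k < len(self.forced) else [True, False]
        for o in options:
            conj = (text if o else "¬(" + text + ")",
                    lambda a, b, c, p=pred, o=o: p(a, b, c) == o)
            if solve(self.pc + [conj]) is not None:  # prune infeasible branches
                self.pc.append(conj)
                self.outcomes.append(o)
                return o
        raise Infeasible

def program(s):
    """The slide's program with a = α, b = β, c = γ symbolic; returns (x, y, z)."""
    x = y = z = 0
    if s.branch("α", lambda a, b, c: a):                     # line 4: if (a)
        x = -2
    if s.branch("β<5", lambda a, b, c: b < 5):               # line 7: if (b < 5)
        if s.branch("¬α∧γ", lambda a, b, c: (not a) and c):  # line 8: if (!a && c)
            y = 1
        z = 2
    return x, y, z

def explore():
    """All feasible paths as (path condition, concrete witness, assertion holds)."""
    paths, worklist = [], [[]]
    while worklist:
        s = SymState(worklist.pop())
        try:
            x, y, z = program(s)
        except Infeasible:
            continue
        paths.append((" ∧ ".join(t for t, _ in s.pc), solve(s.pc), x + y + z != 3))
        for i in range(len(s.forced), len(s.outcomes)):  # schedule untaken siblings
            worklist.append(s.outcomes[:i] + [not s.outcomes[i]])
    return paths
```

`explore()` returns the five feasible paths of the slide's tree; exactly one, ¬α ∧ β<5 ∧ γ, violates the assertion and comes back with a concrete witness such as a=False, b=0, c=True.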
