An Approach to Reachability Determination for Static Analysis Defects with the Help of Dynamic Symbolic Execution

Program analysis methods for error detection are conventionally divided into two groups: static analysis methods and dynamic analysis methods. In this paper, we present a combined approach that allows one to determine reachability for defects found by static program analysis techniques through applying dynamic symbolic execution to a program. This approach is an extension of our previous approach to determining the reachability of specific program instructions by using dynamic symbolic execution. The approach is sequentially applied to several points in the program: a defect source point, a defect sink point, and additional intermediate conditional jumps related to a defect under analysis. Our approach can be briefly described as follows. First, static analysis of the program executable code is carried out to gather information about execution paths that guide dynamic symbolic execution to the source point of a defect. Then, dynamic symbolic execution is performed to generate an input dataset for reaching the defect source point and the defect sink point through intermediate conditional jumps. Dynamic symbolic execution is guided by the heuristic of the minimum distance from the previous path to the next defect trace point when selecting execution paths. The distance metric is computed using an extended call graph of the program, which combines its call graph and portions of its control flow graph that include all paths leading to the defect sink point. We evaluate our approach by using several open-source command line programs from Debian Linux. The evaluation confirms that the proposed approach can be used for classification of defects found by static program analysis. However, we found some limitations that prevent deploying this approach to industrial program analyzers. Mitigating these limitations is one of the possible directions for future research.
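To make the distance heuristic above concrete, here is an added Python sketch (not the paper's code): it builds a small constructed extended call graph, computes shortest distances to the next uncovered defect trace point by reverse BFS, and selects the candidate execution path with the minimum distance. The graph, block labels and defect trace are assumptions made for illustration.

```python
from collections import deque

# Constructed extended call graph: basic-block labels with call-graph edges
# (caller block -> callee entry) merged with the CFG edges that lie on some
# path to the sink, as the abstract describes. Not the paper's real data.
EXTENDED_GRAPH = {
    "main.entry": ["main.parse", "main.exit"],
    "main.parse": ["parse.entry"],
    "parse.entry": ["parse.copy", "parse.fail"],
    "parse.copy": ["copy.entry"],
    "copy.entry": ["copy.src", "copy.skip"],
    "copy.src": ["copy.loop"],
    "copy.loop": ["copy.loop", "copy.sink"],
    "copy.sink": [], "copy.skip": [], "parse.fail": ["main.exit"], "main.exit": [],
}
# Defect trace points in the order they must be hit: source, an intermediate
# conditional jump, then sink (constructed for this example).
DEFECT_TRACE = ["copy.src", "copy.loop", "copy.sink"]

def distances_to(graph, target):
    """Shortest distance from every node to `target` via reverse BFS.
    Nodes missing from the result cannot reach the target at all."""
    reverse = {n: [] for n in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].append(src)
    dist, queue = {target: 0}, deque([target])
    while queue:
        node = queue.popleft()
        for pred in reverse[node]:
            if pred not in dist:
                dist[pred] = dist[node] + 1
                queue.append(pred)
    return dist

def path_distance(path, dist):
    """Min distance over the blocks a path visited; inf if none can reach the point."""
    return min((dist.get(b, float("inf")) for b in path), default=float("inf"))

def select_path(paths, graph=EXTENDED_GRAPH, trace=DEFECT_TRACE):
    """Choose the candidate path closest to its next uncovered trace point."""
    best, best_score = None, float("inf")
    for path in paths:
        # next trace point = first one this path has not covered yet
        pending = [p for p in trace if p not in path]
        if not pending:
            return path  # whole defect trace already reached
        score = path_distance(path, distances_to(graph, pending[0]))
        if score < best_score:
            best, best_score = path, score
    return best
```

A path that cannot reach the next trace point at all (it only visits blocks outside the extended graph's reach set) scores infinity and is never preferred over a path that can.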
