Boost Symbolic Execution Using Dynamic State Merging and Forking

Symbolic execution is widely used in software testing and analysis, but path explosion remains the bottleneck that limits the scalability of most symbolic execution engines in practice. One promising remedy is to merge explored states and so reduce the number of paths. State merging, however, also makes path predicates more complex: variables that held concrete values in the individual states become symbolic in the merged state, and the chance to execute subsequent statements concretely is lost. Evaluating expressions and constraints then becomes far more time-consuming, so the performance of symbolic execution can degrade instead of improve. To resolve this tension we propose a merge-fork framework in which states under exploration switch automatically between a merging mode and a forking mode. First, we introduce active state forking, which splits a state into several states as if an earlier merging action had never been taken. Second, we perform dynamic merge-fork analysis, which partitions the source code into pieces and continuously evaluates the efficiency of different merging strategies for each piece. The approach dynamically combines the paths under exploration so as to maximize the opportunities for concrete execution and to ease the burden on the underlying constraint solver. We implement the framework on top of the symbolic execution engine KLEE and evaluate the prototype on GNU Coreutils. Experiments show up to 30% speedup and up to 80% fewer solver queries compared to existing work.
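
The trade-off the abstract describes can be made concrete with a toy model of a symbolic executor. The following is an added example written for this page; it is not code from the paper or from KLEE. It assumes a simplified cost model (one solver query per evaluation of a branch guard whose value is not concrete), a single merge condition named `c`, and two hypothetical code regions: a loop bounded by a merged variable, where merging destroys concrete execution, and a straight-line arithmetic region, where merging is free. The toy policy `choose_mode` stands in for the paper's dynamic merge-fork analysis by evaluating both strategies per region and keeping the cheaper one.

```python
"""Toy model of state merging vs. active state forking in symbolic execution.
Added example for illustration; the query accounting (one solver query per
evaluation of a non-concrete branch guard) is an assumption, not KLEE's model."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Ite:
    """Value that differs between two merged states: ite(cond, then, other)."""
    cond: str
    then: "Expr"
    other: "Expr"


Expr = Union[int, Ite]  # this model only needs concrete ints and merged ites


@dataclass
class State:
    pc: tuple      # path constraints, kept as opaque literals in this model
    store: dict    # variable name -> Expr
    queries: int = 0  # solver queries charged while exploring this state


def merge(a: State, b: State, cond: str) -> State:
    """Merge two states that reached the same join point. Variables that agree stay
    concrete; variables that differ become ite(cond, a_value, b_value). The merged
    path condition is the disjunction of the two original path conditions."""
    assert a.store.keys() == b.store.keys(), "toy model: both states define the same variables"
    store = {k: a.store[k] if a.store[k] == b.store[k] else Ite(cond, a.store[k], b.store[k])
             for k in a.store}
    pc = (f"({' and '.join(a.pc)}) or ({' and '.join(b.pc)})",)
    return State(pc, store, a.queries + b.queries)


def fork(s: State, cond: str) -> tuple:
    """Active state forking: undo a merge on `cond` by resolving every ite over `cond`
    back to one arm, yielding the two states the merge had combined. Accumulated
    queries are carried by the first child only so totals are not double counted."""
    def arm(e, take_then):
        return (e.then if take_then else e.other) if isinstance(e, Ite) and e.cond == cond else e
    then_state = State((*s.pc, cond), {k: arm(v, True) for k, v in s.store.items()}, s.queries)
    else_state = State((*s.pc, f"not {cond}"), {k: arm(v, False) for k, v in s.store.items()}, 0)
    return then_state, else_state


def loop_region(s: State) -> list:
    """Hypothetical region A: `for (i = 0; i < n; i++) body;`.
    Concrete n: the loop runs concretely, no solver involvement, one successor.
    Merged n = ite(c, lo, hi): the guard `i < n` is symbolic, so it is queried on
    every iteration 0..hi and the state forks once the two arms disagree."""
    n = s.store["n"]
    if isinstance(n, int):
        return [State(s.pc, {**s.store, "i": n}, s.queries)]
    lo, hi = sorted((n.then, n.other))
    charged = State(s.pc, dict(s.store), s.queries + hi + 1)  # one query per guard evaluation
    return [State(c.pc, {**c.store, "i": c.store["n"]}, c.queries) for c in fork(charged, n.cond)]


def arith_region(s: State) -> list:
    """Hypothetical region B: `y = 2 * n + 1; sink(y);`. Nothing branches on n, so a
    merged n simply propagates as an ite: one path, zero solver queries."""
    n = s.store["n"]
    y = 2 * n + 1 if isinstance(n, int) else Ite(n.cond, 2 * n.then + 1, 2 * n.other + 1)
    return [State(s.pc, {**s.store, "y": y}, s.queries)]


def scenario() -> State:
    """`if (x > 0) n = 4; else n = 8;` explored as two states and merged on c := (x > 0)."""
    a = State(("x > 0",), {"n": 4})
    b = State(("not (x > 0)",), {"n": 8})
    return merge(a, b, "c")


def explore(region, merged: State, mode: str) -> list:
    """Run `region` either on the merged state ('merge') or on its forked halves ('fork')."""
    starts = [merged] if mode == "merge" else list(fork(merged, "c"))
    return [out for st in starts for out in region(st)]


def summarize(region, mode: str) -> tuple:
    """(number of resulting paths, total solver queries) for one region and mode."""
    outs = explore(region, scenario(), mode)
    return len(outs), sum(st.queries for st in outs)


def cost(states: list, path_weight: int = 3) -> int:
    """Toy efficiency metric: every extra path and every solver query costs something."""
    return path_weight * len(states) + sum(st.queries for st in states)


def choose_mode(region, merged: State) -> str:
    """Toy stand-in for dynamic merge-fork analysis: evaluate both strategies on this
    piece of code and keep the cheaper one."""
    return min(("merge", "fork"), key=lambda m: cost(explore(region, merged, m)))


if __name__ == "__main__":
    for name, region in (("loop", loop_region), ("arith", arith_region)):
        for mode in ("merge", "fork"):
            paths, queries = summarize(region, mode)
            print(f"{name:5} {mode:5} paths={paths} queries={queries}")
        print(f"{name:5} chosen mode: {choose_mode(region, scenario())}")
```

Running the block shows the asymmetry the paper exploits: in the loop region the merged state still forks (2 paths) but pays 9 guard queries, while forking first costs 0 queries for the same 2 paths; in the arithmetic region merging halves the path count at no query cost. A per-region policy therefore forks before the loop and merges before the straight-line code, which is the behaviour the merge-fork framework aims to recover automatically.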
