Symbolic Security Predicates: Hunt Program Weaknesses

by   Alexey Vishnyakov, et al.

Dynamic symbolic execution (DSE) is a powerful method for path exploration during hybrid fuzzing and automatic bug detection. We propose security predicates to effectively detect undefined behavior and memory access violation errors. Initially, we symbolically execute program on paths that don't trigger any errors (hybrid fuzzing may explore these paths). Then we construct a symbolic security predicate to verify some error condition. Thus, we may change the program data flow to entail null pointer dereference, division by zero, out-of-bounds access, or integer overflow weaknesses. Unlike static analysis, dynamic symbolic execution does not only report errors but also generates new input data to reproduce them. Furthermore, we introduce function semantics modeling for common C/C++ standard library functions. We aim to model the control flow inside a function with a single symbolic formula. This assists bug detection, speeds up path exploration, and overcomes overconstraints in path predicate. We implement the proposed techniques in our dynamic symbolic execution tool Sydr. Thus, we utilize powerful methods from Sydr such as path predicate slicing that eliminates irrelevant constraints. We present Juliet Dynamic to measure dynamic bug detection tools accuracy. The testing system also verifies that generated inputs trigger sanitizers. We evaluate Sydr accuracy for 11 CWEs from Juliet test suite. Sydr shows 95.59 overall accuracy. We make Sydr evaluation artifacts publicly available to facilitate results reproducibility.


page 1

page 2

page 3

page 4


Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution

Dynamic symbolic execution is a widely used technique for automated soft...

Failure-Directed Program Trimming (Extended Version)

This paper describes a new program simplification technique called progr...

Augmented Symbolic Execution for Information Flow in Hardware Designs

We present SEIF, a methodology that combines static analysis with symbol...

TracerX: Dynamic Symbolic Execution with Interpolation

Dynamic Symbolic Execution (DSE) is an important method for the testing ...

PEM: Representing Binary Program Semantics for Similarity Analysis via a Probabilistic Execution Model

Binary similarity analysis determines if two binary executables are from...

Dynamic Symbolic Execution of Higher-Order Functions

The effectiveness of concolic testing deteriorates as the size of progra...

Targeted Control-flow Transformations for Mitigating Path Explosion in Dynamic Symbolic Execution

Dynamic symbolic execution (DSE) suffers from path explosion problem whe...

Please sign up or login with your details

Forgot password? Click here to reset