Symbolic Security Predicates: Hunt Program Weaknesses

by   Alexey Vishnyakov, et al.

Dynamic symbolic execution (DSE) is a powerful method for path exploration during hybrid fuzzing and automatic bug detection. We propose security predicates to effectively detect undefined behavior and memory access violation errors. Initially, we symbolically execute program on paths that don't trigger any errors (hybrid fuzzing may explore these paths). Then we construct a symbolic security predicate to verify some error condition. Thus, we may change the program data flow to entail null pointer dereference, division by zero, out-of-bounds access, or integer overflow weaknesses. Unlike static analysis, dynamic symbolic execution does not only report errors but also generates new input data to reproduce them. Furthermore, we introduce function semantics modeling for common C/C++ standard library functions. We aim to model the control flow inside a function with a single symbolic formula. This assists bug detection, speeds up path exploration, and overcomes overconstraints in path predicate. We implement the proposed techniques in our dynamic symbolic execution tool Sydr. Thus, we utilize powerful methods from Sydr such as path predicate slicing that eliminates irrelevant constraints. We present Juliet Dynamic to measure dynamic bug detection tools accuracy. The testing system also verifies that generated inputs trigger sanitizers. We evaluate Sydr accuracy for 11 CWEs from Juliet test suite. Sydr shows 95.59 overall accuracy. We make Sydr evaluation artifacts publicly available to facilitate results reproducibility.



There are no comments yet.


page 1

page 2

page 3

page 4


Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution

Dynamic symbolic execution is a widely used technique for automated soft...

Failure-Directed Program Trimming (Extended Version)

This paper describes a new program simplification technique called progr...

Badger: Complexity Analysis with Fuzzing and Symbolic Execution

Hybrid testing approaches that involve fuzz testing and symbolic executi...

TracerX: Dynamic Symbolic Execution with Interpolation

Dynamic Symbolic Execution (DSE) is an important method for the testing ...

Evaluating Manual Intervention to Address the Challenges of Bug Finding with KLEE

Symbolic execution has shown its ability to find security-relevant flaws...

Sydr: Cutting Edge Dynamic Symbolic Execution

The security development lifecycle (SDL) is becoming an industry standar...

An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing

Recent efforts in practical symbolic execution have successfully mitigat...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.