Concolic Execution
Qualitätssicherung in der Softwareentwicklung (Quality Assurance in Software Development)
VU 9
DI Dr. Bernhard K. Aichernig
Institut für Softwaretechnologie (IST), TU Graz
Sommersemester 2012 (summer term 2012)
DI Dr. Bernhard K. Aichernig, Qualitätssicherung in der Softwareentwicklung

1 Symbolic Execution
2 Concolic Execution
Literature: Symbolic Execution
James C. King. Symbolic Execution and Program Testing. Communications of the ACM, Volume 19, Issue 7, July 1976, Pages 385–394.
Symbolic Execution
Instead of normal program inputs, one supplies symbols representing arbitrary values.
Execution proceeds like normal execution, except that values may be symbolic formulas over the input symbols.
Interesting: the symbolic execution of branching statements (e.g. if-statements).
A technique between testing and formal proofs:
  Testing: execution with some concrete input values.
  Proofs: no execution at all.
Example: Sum

    int sum(int a, int b, int c)
    {
        int x, y, z;
        x = a + b;
        y = b + c;
        z = x + y - b;
        return z;
    }

Symbolic execution of sum, step by step. The inputs are replaced by the symbols a = α_a, b = α_b, c = α_c; the annotation after each statement gives the symbolic state once that statement has been executed (uninitialised locals are shown as 0):

    int sum(int a, int b, int c)   ← a = α_a, b = α_b, c = α_c
    {
        int x, y, z;               ← x = 0, y = 0, z = 0
        x = a + b;                 ← x = α_a + α_b, y = 0, z = 0
        y = b + c;                 ← x = α_a + α_b, y = α_b + α_c, z = 0
        z = x + y - b;             ← x = α_a + α_b, y = α_b + α_c, z = α_a + α_b + α_c
        return z;                  ← return α_a + α_b + α_c
    }
Example: Min

    int min(int x, int y)
    {
        int z;
        if (x < y)
            z = x;
        else
            z = y;
        return z;
    }
Path Condition
Symbolic execution of an if-statement requires a path condition (pc).
pc is a Boolean expression over the symbolic inputs.
pc never contains program variables!
pc is the conjunction of the branching conditions taken so far (initially pc = true).
Symbolic execution of min. The inputs are x = α_x, y = α_y; the path condition starts as pc = true and is extended at the if-statement, once for each branch:

    int min(int x, int y)   ← x = α_x, y = α_y, pc = true
    {
        int z;              ← x = α_x, y = α_y, z = 0, pc = true
        if (x < y)          ← Case 1: x = α_x, y = α_y, z = 0, pc = α_x < α_y
            z = x;          ← x = α_x, y = α_y, z = α_x, pc = α_x < α_y
        else                ← Case 2: x = α_x, y = α_y, z = 0, pc = ¬(α_x < α_y)
            z = y;          ← x = α_x, y = α_y, z = α_y, pc = ¬(α_x < α_y)
        return z;           ← return (z = α_x ∧ α_x < α_y) ∨ (z = α_y ∧ ¬(α_x < α_y))
    }
Example: Min(a, b, c)

    int min(int a, int b, int c)
    {
        return
            min(
                min(a, b),
                c
            );
    }

Symbolic execution of min(a, b, c). The inputs are a = α_a, b = α_b, c = α_c, pc = true. Each call of min yields one (value, pc) pair per path, so the inner call yields two and the outer call four:

    min(a, b)            ← (= α_a ∧ pc = α_a < α_b) ∨ (= α_b ∧ pc = α_a ≥ α_b)
    c                    ← c = α_c
    min(min(a, b), c)    ← (= α_a ∧ pc = α_a < α_b ∧ α_a < α_c)
                         ∨ (= α_b ∧ pc = α_a ≥ α_b ∧ α_b < α_c)
                         ∨ (= α_c ∧ pc = α_a < α_b ∧ α_a ≥ α_c)
                         ∨ (= α_c ∧ pc = α_a ≥ α_b ∧ α_b ≥ α_c)
Symbolic Execution Tree
Symbolic execution forks at each if-statement:

    α_a < α_b ?
    ├─ T ─ α_a < α_c ?
    │      ├─ T ─ min = α_a      (path 1)
    │      └─ F ─ min = α_c      (path 2)
    └─ F ─ α_b < α_c ?
           ├─ T ─ min = α_b      (path 3)
           └─ F ─ min = α_c      (path 4)
Calculation: pc_2 = true ∧ α_a < α_b ∧ ¬(α_a < α_c)
A path condition represents an equivalence class: all concrete input values that take the same path.
Concrete test cases: find concrete values satisfying the pc, e.g. for pc_2: a = 0, b = 1, c = 0.
Result: path coverage.
Limitations
infinite number of paths (loops)
infeasible paths (pc = false)
limitations of solvers and theorem provers
all code must be accessible (white-box)
only for single-threaded programs
Concolic = Concrete + Symbolic
also called Dynamic Symbolic Execution (Microsoft)
concrete and symbolic execution run in parallel
Due to the concrete execution:
  No infeasible paths! Every recorded path condition was actually taken by a concrete run.
  Integration of black-box components is possible: where no symbolic formula is available, the concrete value is used (at the price of completeness, since paths that depend on that value are then not explored symbolically).
Concolic Execution Loop
Algorithm
1  Covered := {}                                         the covered set of inputs
2  select a new input i ∉ Covered                        stop if none is found
3  execute Program(i) and record its path condition C    C(i) holds
4  Covered := Covered ∪ {i | C(i)}
5  goto 2

New input i ∉ Covered after n iterations: solve ¬C_i1 ∧ ... ∧ ¬C_in, where C_i1, ..., C_in are the path conditions recorded for the n runs.
Stop when ¬C_i1 ∧ ... ∧ ¬C_in = false, i.e. every input satisfies one of the recorded path conditions.
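The symbolic execution tree with its path conditions and the concolic loop above can both be exercised on the slide programs with the following toy executor. This is an added example, not code from the lecture or from any of the tools named later on. The programs are transcribed to Python over a SymVal operand type, branch decisions are intercepted in Cond.__bool__, and the exhaustive search over DOMAIN is a stand-in for an SMT solver (an assumption; a real tool would call one). twice_negative is a constructed program that is not on the slides; its purpose is to show infeasible paths (pc = false), which pure symbolic execution enumerates and the concolic loop never produces. Symbolic terms are printed unsimplified, so the slides' α_a + α_b + α_c appears as (((a + b) + (b + c)) - b).

```python
"""Toy symbolic / concolic executor for the slide programs (added example).
A SymVal holds a printable term, an evaluator under a concrete assignment and, in
concolic mode, a concrete shadow value: the (alpha, value) pairs of the slides."""
from itertools import product

DOMAIN = range(-2, 3)   # the toy "solver" searches this tiny input domain (assumption)
_EXEC = None            # executor that currently decides branches


class SymVal:
    def __init__(self, text, ev, conc=None):
        self.text, self.ev, self.conc = text, ev, conc

    def _bin(self, other, op, f, cls=None):
        if not isinstance(other, SymVal):                 # literal operand
            other = SymVal(str(other), lambda e, k=other: k, other)
        conc = None if self.conc is None or other.conc is None else f(self.conc, other.conc)
        return (cls or SymVal)(f"({self.text} {op} {other.text})",
                               lambda e: f(self.ev(e), other.ev(e)), conc)

    def __add__(self, o): return self._bin(o, "+", lambda p, q: p + q)
    def __sub__(self, o): return self._bin(o, "-", lambda p, q: p - q)
    def __lt__(self, o): return self._bin(o, "<", lambda p, q: p < q, Cond)


class Cond(SymVal):
    def __bool__(self):               # reached by `if x < y:` in a program
        return _EXEC.decide(self)


class Executor:
    def __init__(self, mode, script=()):
        self.mode, self.script, self.trace = mode, list(script), []

    def decide(self, cond):
        if self.mode == "concolic":                  # follow the concrete value
            taken = bool(cond.conc)
        elif len(self.trace) < len(self.script):     # replay the chosen prefix
            taken = self.script[len(self.trace)]
        else:                                        # unexplored: take True first
            taken = True
        self.trace.append((cond, taken))             # pc := pc ∧ cond  (or ¬cond)
        return taken


def run(prog, names, mode, env=None, script=()):
    """Execute prog once; return (path condition, result)."""
    global _EXEC
    _EXEC = Executor(mode, script)
    args = [SymVal(n, lambda e, n=n: e[n], None if env is None else env[n]) for n in names]
    result = prog(*args)
    return list(_EXEC.trace), result


def pc_text(pc):
    return " ∧ ".join(c.text if t else "¬" + c.text for c, t in pc) or "true"


def holds(pc, env):
    return all(bool(c.ev(env)) == t for c, t in pc)


def solve(pred, names):
    """Toy SMT stand-in: first assignment in DOMAIN^n satisfying pred, else None."""
    for vals in product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, vals))
        if pred(env):
            return env
    return None


def symbolic_paths(prog, names):
    """Pure symbolic execution: fork at every branch and enumerate all paths."""
    paths, worklist = [], [[]]
    while worklist:
        script = worklist.pop()
        pc, result = run(prog, names, "symbolic", script=script)
        paths.append((pc, result))
        for i in range(len(script), len(pc)):        # schedule the untried side
            worklist.append([t for _, t in pc[:i]] + [not pc[i][1]])
    return paths


def concolic(prog, names, start):
    """The loop of the slides: run, record C_i, pick an input outside every C_i."""
    covered, env = [], dict(zip(names, start))
    while env is not None:                           # None: ¬C_1 ∧ ... ∧ ¬C_n = false
        pc, result = run(prog, names, "concolic", env=env)
        covered.append((env, pc, result))
        env = solve(lambda e: not any(holds(c, e) for _, c, _ in covered), names)
    return covered


def sum3(a, b, c):       # the slide programs, transcribed over SymVal operands
    x = a + b
    y = b + c
    z = x + y - b
    return z

def min2(x, y):
    if x < y: z = x
    else: z = y
    return z

def min3(a, b, c):
    return min2(min2(a, b), c)

def twice_negative(x):   # constructed, not on the slides: 2 of its 4 paths are infeasible
    y = 1 if x < 0 else 0
    if x < 0: y = y + 1
    return y
```

symbolic_paths(min3, ["a", "b", "c"]) returns the four leaves of the tree in the order path 1 to path 4; the second entry carries pc "(a < b) ∧ ¬(a < c)", i.e. pc_2, and solve(lambda e: holds(pc, e), ...) produces a concrete test case for it. concolic(min2, ["x", "y"], (0, 0)) reproduces the min(0, 0) run of the slides, records ¬(x < y), and then finds an input with x < y; with sum3 the loop ends after a single run because the path condition stays true. For twice_negative, symbolic_paths lists four paths of which only two are satisfiable, while concolic returns exactly those two.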
Example: Sum (concolic)

Concolic execution of sum: every value is a pair (symbolic term, concrete value). The concrete run starts from the input a = 1, b = 2, c = 3:

    int sum(int a, int b, int c)
    {                    ← a = (α_a, 1), b = (α_b, 2), c = (α_c, 3)
        int x, y, z;     ← x = (0, 0), y = (0, 0), z = (0, 0)
        x = a + b;       ← x = (α_a + α_b, 3), y = (0, 0), z = (0, 0)
        y = b + c;       ← x = (α_a + α_b, 3), y = (α_b + α_c, 5), z = (0, 0)
        z = x + y - b;   ← x = (α_a + α_b, 3), y = (α_b + α_c, 5), z = (α_a + α_b + α_c, 6)
        return z;        ← return (α_a + α_b + α_c, 6)
    }

There is no branch, so the path condition stays true and this single run already covers the whole input space.
Example: Min (concolic)

Concolic execution of min, starting from the concrete input x = 0, y = 0. The branch is decided by the concrete values; the symbolic condition of the branch taken is recorded in pc:

    int min(int x, int y)   ← x = (α_x, 0), y = (α_y, 0), pc = true
    {
        int z;              ← x = (α_x, 0), y = (α_y, 0), z = (0, 0), pc = true
        if (x < y)          ← concrete test ¬(0 < 0): the else branch is taken
            z = x;
        else                ← x = (α_x, 0), y = (α_y, 0), z = (0, 0), pc = ¬(α_x < α_y)
            z = y;          ← x = (α_x, 0), y = (α_y, 0), z = (α_y, 0), pc = ¬(α_x < α_y)
        return z;           ← return z = (α_y, 0), pc = ¬(α_x < α_y)
    }

Find new input values such that α_x < α_y (the negation of the recorded pc) and execute again, e.g. min(0, 1).
Limitations
infinite number of paths: handled by imposing upper bounds (e.g. on the number of loop iterations or explored paths)
limitations of solvers and theorem provers
for single-threaded programs

Tools
CUTE, jCUTE
Pex (Microsoft)
PathCrawler (see exercise)