1 / 20

CREST Internal

CREST Internal. Yunho Kim Provable Software Laboratory CS Dept. KAIST. CREST. CREST is a concolic testing tool for C programs Generate test inputs automatically Execute target under test on generated test inputs Explore all possible execution paths of a target systematically

yered
Download Presentation

CREST Internal

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST

  2. CREST • CREST is a concolic testing tool for C programs • Generate test inputs automatically • Execute target under test on generated test inputs • Explore all possible execution paths of a target systematically • CREST is a open-source re-implementation of CUTE • mainly written in C++ • CREST’s instrumentation is implemented as a module of CIL(C Intermetiate Language) written in Ocaml

  3. Overview of CREST code C source code CIL EXT cil/src/ext/crestInstrument.ml src/libcrest/crest.cc src/base/symbolic_interpreter.cc src/base/symbolic_execution.cc src/base/symbolic_expression.cc src/base/symbolic_path.cc src/base/symbolic_predicate.cc Instrumented code CREST symbolic execution library Legend Source code GCC External tool src/run_crest/run_crest.cc src/run_crest/concolic_search.cc src/base/yices_solver.cc src/base/symbolic_execution.cc src/base/symbolic_expression.cc src/base/symbolic_path.cc src/base/symbolic_predicate.cc src/base/basic_types.cc CREST constraint yices run_crest next input

  4. Directory Structure • src/ base/ libcrest/ process_cfg/ run_crest/ tools/ • cil/src/ext/crestInstrument.ml • A CIL module for instrumentation • : Base libraries for symbolic execution • : Probe code for collecting symbolic states • : CFG generator for CFG-based search heuristic • : Main function of run_crest and search algorithms • : A tool for printing execution path from szd_execution

  5. CREST Code Metrics

  6. Symbolic Execution Component • Symbolic execution component collects symbolic states during concrete execution and manages symbolic execution paths • Related files

  7. Symbolic Interpreter • Symbolic interpreter performs dynamic symbolic execution during execution of a target program • Symbolic interpreter implements a symbolic machine which has stack-architecture • 4 types of statements • Symbolic variable initialization • Assignments • Applying operators • Branches

  8. Symbolic Machine • Symbolic machine has a symbolic stack, symbolic memory and a symbolic predicate register • Symbolic memory stores symbolic expressions • Symbolic stack element: <symbolic expr, concrete value> • If the top of the stack is a predicate, the predicate is stored in the symbolic predicate register Symbolic predicate register Symbolic stack Symbolic memory

  9. Example Revisited • int a, b, c; • #line 4 /* Initializes symbolic variables a, b, c */ • __CrestInt(& a); __CrestInt(& b); __CrestInt(& c); • … omitted … #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long )(& a), (long long )a); __CrestLoad(35, (unsigned long )(& b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { • //extern void __CrestBranch(int id , int bid , unsigned char b ) __CrestBranch(37, 11, 1); • /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long long )match); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; } else { __CrestBranch(38, 12, 0); } } 1 #include <crest.h> 2 main() { 3 inta,b,c, match=0; 4 CREST_int(a); \ CREST_int(b); \ CREST_int(c); 5~9 … omitted… 10 if(a==b) match=match+1; 10~32 … omitted … 33 }

  10. Symbolic Variable Initialization • Creates a symbolic memory element in symbolic memory • A concrete address of a variable is used as a symbolic address • Suppose that we start with the input a = b = c = 0; Symbolic memory • Symbolic variable initialization • int a, b, c; • #line 4 /* Initializes symbolic variables a, b, c */ • __CrestInt(& a); __CrestInt(& b); __CrestInt(& c); Symbolic stack Symbolic predicate register

  11. Symbolic Compare Operator(1/4) • Symbolic compare operator is used for a branch condition and results in a symbolic predicate • The predicate is store in a symbolic predicate register Symbolic memory Symbolic stack • #line 10 • { /* Creates symbolic expression a==b */ • __CrestLoad(36, (unsigned long)(&a), • (long long )a); • __CrestLoad(35, (unsigned long)(&b), • (long long )b); • __CrestApply2(34, 12, (long long )(a == b)); • if (a == b) { Symbolic PC Symbolic predicate register

  12. Symbolic Compare Operator(2/4) • __CrestLoad(int id, unsigned long *ptr, long longval) function loads a symbolic expression which ptr points to and pushes <loaded expr, val> to the stack • If *ptr is a concrete variable, the function pushes <NULL, val> to the stack Symbolic memory Symbolic stack • #line 10 • { /* Creates symbolic expression a==b */ • __CrestLoad(36, (unsigned long)(&a), • (long long )a); • __CrestLoad(35, (unsigned long)(&b), • (long long )b); • __CrestApply2(34, 12, (long long )(a == b)); • if (a == b) { Symbolic PC Symbolic predicate register <a, 0>

  13. Symbolic Compare Operator(3/4) Symbolic memory Symbolic stack • #line 10 • { /* Creates symbolic expression a==b */ • __CrestLoad(36, (unsigned long)(&a), • (long long )a); • __CrestLoad(35, (unsigned long)(&b), • (long long )b); • __CrestApply2(34, 12, (long long )(a == b)); • if (a == b) { <b, 0> Symbolic PC Symbolic predicate register <a, 0>

  14. Symbolic Compare Operator(4/4) • __CrestApply2(int ID, intop_type, long longval) 1. pops two elements from the stack, 2. applies a binary operator corresponding to op_type to the popped elements, 3. pushes a result to the stack if the result is not a predicate • A predicate is stored in the register Symbolic memory Symbolic stack • #line 10 • { /* Creates symbolic expression a==b */ • __CrestLoad(36, (unsigned long)(&a), • (long long )a); • __CrestLoad(35, (unsigned long)(&b), • (long long )b); • __CrestApply2(34, 12, (long long )(a == b)); • if (a == b) {//extern void __CrestBranch(int id , int bid , unsigned char b ) • __CrestBranch(37, 11, 1); Symbolic predicate register Symbolic PC <a==b, 1>

  15. Symbolic Branch(1/2) • Whenever a branch statement is executed, CREST stores which branch is taken by calling __CrestBranch() function. Symbolic stack Symbolic memory • #line 10 • { /* Creates symbolic expression a==b */ • __CrestLoad(36, (unsigned long)(&a), • (long long )a); • __CrestLoad(35, (unsigned long)(&b), • (long long )b); • __CrestApply2(34, 12, (long long )(a == b)); • if (a == b) { • //extern void __CrestBranch(int id , int bid , unsigned char b ) • __CrestBranch(37, 11, 1); Symbolic predicate register <a==b, 1> Symbolic PC

  16. Symbolic Branch(2/2) • Symbolic path is a sequence of <symbolic pred, branch ID> • __CrestBranch(int id, int bid, unsigned char b) function appends a new element <symbolic pred, bid> to the current symbolic path • Symbolic pred comes from the register • If b == 0, negated predicate is appended Symbolic memory Symbolic stack • if (a == b) { • //extern void __CrestBranch(int id , int bid , unsigned char b ) • __CrestBranch(37, 11, 1); • /* Creates symbolic expression match = match = 1; */ • __CrestLoad(41, (unsigned long )(& match), (long long )match); Symbolic PC Symbolic predicate register Symbolic path: <a==b, 11>

  17. Symbolic Arithmetic Operator (1/2) • Symbolic arithmetic operator is similar to symbolic compare operator • Pops operands from the stack, applies operator to the operands, and pushes the result to the stack • if (a == b) { • __CrestBranch(37, 11, 1); • /* Creates symbolic expression match = match = 1; */ • __CrestLoad(41, (unsigned long )(& match), (long long )match); • __CrestLoad(40, (unsigned long )0, • (long long )1); • __CrestApply2(39, 0, (long long )(match + 1)); • __CrestStore(42, (unsigned long )(& match)); • match ++; Symbolic memory Symbolic stack Symbolic PC <NULL, 1> Symbolic predicate register <NULL, 0> Symbolic path: <a==b, 11>

  18. Symbolic Arithmetic Operator (2/2) • If at least one of operands is symbolic, the result is also symbolic • Otherwise, the result is concrete • if (a == b) { • __CrestBranch(37, 11, 1); • /* Creates symbolic expression match = match = 1; */ • __CrestLoad(41, (unsigned long )(& match), (long long )match); • __CrestLoad(40, (unsigned long )0, • (long long )1); • __CrestApply2(39, 0, (long long )(match + 1)); • __CrestStore(42, (unsigned long )(& match)); • match ++; Symbolic memory Symbolic stack Symbolic predicate register <NULL, 2> Symbolic PC Symbolic path: <a==b, 11>

  19. Symbolic Assignment (1/1) • __CrestStore(int id, unsigned long *ptr) function pops one element from the stack and update symbolic memory • If the popped element is concrete, just ignore it • If the element is symbolic • If ptr has an entry in symbolic memory, the corresponding symbolic expression is updated • Otherwise, a new entry is added to symbolic memory Symbolic memory Symbolic stack • __CrestApply2(39, 0, (long long )(match + 1)); • __CrestStore(42, (unsigned long )(& match)); • match ++; Symbolic PC Symbolic predicate register Symbolic path: <a==b, 11>

  20. Conclusion • CREST does not support full ANSI-C semantics • No symbolic pointer dereference • Only linear integer arithmetic • No bit-wise operator • And so on • To support them, we need to improve CREST’s dynamic symbolic interpreter engine • I hope this presentation will be a good starting point

More Related