Abstract

Software model checkers quickly reach their limits when applied to verifying pointer safety properties in source code that includes function pointers and inlined assembly. This article introduces a novel technique for checking pointer safety violations, called symbolic object code analysis (SOCA), which is based on bounded symbolic execution, incorporates path-sensitive slicing, and employs the SMT solver Yices as its execution and verification engine. Extensive experimental results of a prototype SOCA Verifier, using the Verisec suite and almost 10,000 Linux device driver functions as benchmarks, show that SOCA performs competitively with modern source-code model checkers, scales well when applied to real operating systems code and pointer safety issues, and effectively explores niches of pointer-complex software that current software verifiers do not reach.
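The core idea of the abstract, bounded symbolic execution over object code with a pointer-safety check at every memory access, reduced to a toy. This is an added example written for this page; it is not the SOCA Verifier or any code from the paper. It assumes 32-bit machine words, a single symbolic byte input `i`, a constructed instruction sequence standing in for compiled code, and a brute-force enumeration of that byte in place of the Yices SMT solver (the slicing step of SOCA is not modelled). The buggy program is a hand-written object-code rendering of a lookup `if (i > 16) return 0; return table[i];` whose guard is off by one; the fixed variant uses the correct unsigned comparison.

```python
# Added example: toy bounded, path-sensitive symbolic executor for
# object-code-like instructions with a pointer-safety check on every load.
# Assumptions: 32-bit words, one symbolic byte `i`, brute-force enumeration
# of that byte standing in for the SMT solver, constructed instruction streams.

MASK = 0xFFFFFFFF    # assumption: 32-bit machine words
SYM_BITS = 8         # assumption: the only symbolic input is a single byte
TABLE_BASE = 0x1000  # assumption: address of a 16-byte lookup table
OBJECTS = [(TABLE_BASE, 16)]  # (base, size) of every object the code may touch

def ev(e, model):
    """Evaluate an expression or constraint tree under a concrete model."""
    if isinstance(e, int):
        return e & MASK
    op = e[0]
    if op == 'sym':  return model.get(e[1], 0) & MASK
    if op == 'add':  return (ev(e[1], model) + ev(e[2], model)) & MASK
    if op == 'ugt':  return ev(e[1], model) > ev(e[2], model)
    if op == 'uge':  return ev(e[1], model) >= ev(e[2], model)
    if op == 'ult':  return ev(e[1], model) < ev(e[2], model)
    if op == 'not':  return not ev(e[1], model)
    if op == 'and':  return all(ev(c, model) for c in e[1])
    if op == 'or':   return any(ev(c, model) for c in e[1])
    raise ValueError(op)

def solve(constraints):
    """Stand-in for the SMT solver: enumerate the symbolic byte and return a
    satisfying value, or None if the constraint set is unsatisfiable."""
    for v in range(1 << SYM_BITS):
        if all(ev(c, {'i': v}) for c in constraints):
            return v
    return None

def operand(regs, x):
    return regs[x] if isinstance(x, str) else x

def unsafe(addr, objects):
    """Constraint saying `addr` lies outside every known object."""
    inside = [('and', [('uge', addr, b), ('ult', addr, b + n)]) for b, n in objects]
    return ('not', ('or', inside))

def run(program, objects, bound=64):
    """Explore every feasible path up to `bound` instructions. A load is
    reported when (path condition AND address out of bounds) is satisfiable;
    the path condition makes the check sensitive to earlier guards."""
    labels = {ins[1]: k for k, ins in enumerate(program) if ins[0] == 'label'}
    work = [(0, {'i': ('sym', 'i')}, [], 0)]   # (pc, registers, path condition, steps)
    found = []
    while work:
        pc, regs, path, steps = work.pop()
        while pc < len(program) and steps < bound:
            ins, steps = program[pc], steps + 1
            op = ins[0]
            if op == 'ret':
                break
            if op == 'mov':
                regs = {**regs, ins[1]: operand(regs, ins[2])}
            elif op == 'add':
                regs = {**regs, ins[1]: ('add', regs[ins[1]], operand(regs, ins[2]))}
            elif op == 'cmp':
                regs = {**regs, '_cmp': (regs[ins[1]], operand(regs, ins[2]))}
            elif op in ('ja', 'jae'):                 # unsigned conditional jumps
                a, b = regs['_cmp']
                taken = ('ugt' if op == 'ja' else 'uge', a, b)
                if solve(path + [taken]) is not None:  # fork only feasible branches
                    work.append((labels[ins[1]], regs, path + [taken], steps))
                path = path + [('not', taken)]
                if solve(path) is None:                # fall-through infeasible
                    break
            elif op == 'load':
                addr = regs[ins[2]]
                witness = solve(path + [unsafe(addr, objects)])
                if witness is not None:
                    found.append({'pc': pc, 'i': witness})
                regs = {**regs, ins[1]: ('sym', f'mem{pc}')}  # loaded value is fresh
            pc += 1
    return found

# Constructed object code for: if (i > 16) return 0; return table[i];
# The guard is off by one, so i == 16 reaches the load one byte past the table.
PROGRAM_BUGGY = [
    ('cmp', 'i', 16), ('ja', 'out'),
    ('mov', 'p', TABLE_BASE), ('add', 'p', 'i'), ('load', 'v', 'p'), ('ret',),
    ('label', 'out'), ('mov', 'v', 0), ('ret',),
]
# Same code with the correct guard: i >= 16 takes the early exit.
PROGRAM_FIXED = [('cmp', 'i', 16), ('jae', 'out')] + PROGRAM_BUGGY[2:]

if __name__ == '__main__':
    print(run(PROGRAM_BUGGY, OBJECTS))   # [{'pc': 4, 'i': 16}]
    print(run(PROGRAM_FIXED, OBJECTS))   # []
```

The guard on the jump is where path sensitivity pays off: without conjoining the fall-through condition `not (i > 16)` to the load's check, the executor would report every `i >= 16` and could not tell the off-by-one from a missing check altogether. In the real SOCA setting the enumeration in `solve` is what the bit-vector queries to Yices replace, which is also what lets the approach handle inputs far wider than one byte.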



Acknowledgments

We thank Bart Jacobs from KU Leuven and the anonymous reviewers of Software Tools for Technology Transfer and SPIN 2010 for their valuable comments on this article and the previously published extended abstract, respectively, especially for pointing out some recent related work. We also thank Jim Woodcock and Daniel Kroening for their insightful remarks made at the first author’s PhD examination. This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, and by the Research Fund KU Leuven.


Corresponding author

Correspondence to Jan Tobias Mühlberg.

Additional information

An extended abstract of this article appeared in the proceedings of SPIN 2010: “Model Checking Software”, volume 6349 of Lecture Notes in Computer Science, pages 4–21, Springer, 2010.


Cite this article

Mühlberg, J.T., Lüttgen, G. Symbolic object code analysis. Int J Softw Tools Technol Transfer 16, 81–102 (2014). https://doi.org/10.1007/s10009-012-0256-8
