Abstract
Symbolic execution is widely used to detect vulnerabilities in software. The idea is to execute the program symbolically in order to find a feasible path to a target instruction. For the analysis to be fully accurate, it must be performed on the binary code rather than on the source, which makes the well-known problem of state explosion even more critical. In this paper, we introduce a novel exploration strategy for symbolic execution that aims to limit the number of explored paths. Our strategy is inspired by the A\(^*\) algorithm and is steered towards the least explored parts of the program. We compare our approach, using the Binsec tool, against three classical strategies: depth-first search (DFS), breadth-first search (BFS) and non-uniform random search (NURS). Our experiments on programs of realistic size show that our approach is promising.
Notes
1. Due to non-determinism, there may be several runs from c to \(c'\) with trace w.
2. To faithfully mimic A\(^*\), \(\mathop {\textrm{depth}}\limits (u)\) should be compared with the depths of all processed nodes having the same region as u. But this would require checking equality between regions, which is computationally costly in general.
3. Similar definitions of the syntax and semantics of binary programs can be found in the literature. Our definition is intentionally simple and tailored to our purposes.
4. Recall that \(\inf X = \min X\) for every non-empty subset \(X \subseteq \mathbb {N}\) and that \(\inf \emptyset = +\infty \).
5. ANSSI: French National Cybersecurity Agency.
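As an added illustration, not the paper's code and not Binsec: a toy worklist scheduler for a symbolic executor over a constructed control-flow graph, running the four strategies named in the abstract (DFS, BFS, NURS and an A\(^*\)-style order) side by side. The CFG, the NURS weighting and the A\(^*\) heuristic (CFG distance to the target plus a penalty on nodes already processed, so that ties go to the least explored parts) are assumptions made for this example; the paper's actual heuristic is not reproduced here. The distance function returns \(+\infty\) for nodes with no path to the target, following the convention recalled in note 4, and the A\(^*\) scheduler keeps a closed set keyed by CFG node, which is the cheap stand-in for the region comparison that note 2 describes as costly on real symbolic states.

```python
"""Toy path-exploration scheduler for a symbolic executor (illustration only,
not the paper's or Binsec's code). Strategies: DFS, BFS, NURS, A*-style."""
import heapq
import math
import random
from collections import deque, namedtuple

# A pending symbolic state: current CFG node, path length (A*'s g) and the path so far.
State = namedtuple("State", "node depth path")

# Constructed CFG (assumption): block -> successor blocks. Branching blocks stand in
# for symbolic conditionals whose both outcomes remain feasible.
CFG = {
    "entry": ["check", "loop"],
    "loop": ["loop", "after_loop"],   # unbounded loop: a naive DFS spins here forever
    "after_loop": ["exit"],
    "check": ["fail", "ok"],
    "fail": ["exit"],
    "ok": ["target"],
    "target": [],
    "exit": [],
    "dead": ["exit"],                 # cannot reach target: its distance is +inf
}


def distance_to(cfg, target):
    """Shortest edge count from each node to target; +inf when no path exists
    (the infimum of the empty set, as recalled in note 4)."""
    rev = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            rev[s].append(n)
    dist = {n: math.inf for n in cfg}
    dist[target] = 0
    queue = deque([target])
    while queue:                      # reverse breadth-first search from the target
        n = queue.popleft()
        for p in rev[n]:
            if dist[p] == math.inf:
                dist[p] = dist[n] + 1
                queue.append(p)
    return dist


class DFS:
    """Stack of pending states: always continue the most recently forked path."""
    def __init__(self):
        self.items = []
    def push(self, st):
        self.items.append(st)
    def pop(self):
        return self.items.pop()
    def __len__(self):
        return len(self.items)


class BFS(DFS):
    """Queue of pending states: expand all paths of depth d before depth d+1."""
    def pop(self):
        return self.items.pop(0)


class NURS(DFS):
    """Non-uniform random search: draw a pending state with probability inversely
    proportional to its depth (one common weighting; an assumption here)."""
    def __init__(self, seed=0):
        super().__init__()
        self.rng = random.Random(seed)
    def pop(self):
        weights = [1.0 / (1 + st.depth) for st in self.items]
        i = self.rng.choices(range(len(self.items)), weights)[0]
        return self.items.pop(i)


class AStar:
    """A*-style order: f(s) = depth(s) + h(s), where h is the CFG distance to the
    target plus the number of times s.node was already processed (our heuristic,
    an assumption). The closed set records the smallest depth at which each node was
    processed; regions are plain CFG nodes here, so the comparison is cheap."""
    def __init__(self, dist):
        self.dist, self.heap, self.visits, self.closed, self.seq = dist, [], {}, {}, 0
    def push(self, st):
        if self.closed.get(st.node, math.inf) <= st.depth:
            return                    # dominated by an already-processed state
        h = self.dist[st.node] + self.visits.get(st.node, 0)
        heapq.heappush(self.heap, (st.depth + h, self.seq, st))   # seq breaks ties
        self.seq += 1
    def pop(self):
        _, _, st = heapq.heappop(self.heap)
        self.visits[st.node] = self.visits.get(st.node, 0) + 1
        self.closed[st.node] = min(self.closed.get(st.node, math.inf), st.depth)
        return st
    def __len__(self):
        return len(self.heap)


def explore(cfg, target, strategy, budget=1000):
    """Process pending states with the given strategy until target is reached or
    budget states have been processed. Returns (path or None, states processed)."""
    strategy.push(State("entry", 0, ("entry",)))
    processed = 0
    while len(strategy) and processed < budget:
        st = strategy.pop()
        processed += 1
        if st.node == target:
            return st.path, processed
        for succ in cfg[st.node]:
            strategy.push(State(succ, st.depth + 1, st.path + (succ,)))
    return None, processed


def compare(cfg=CFG, target="target", budget=1000):
    """States processed by each strategy before reaching target (budget if never)."""
    dist = distance_to(cfg, target)
    return {
        "DFS": explore(cfg, target, DFS(), budget)[1],
        "BFS": explore(cfg, target, BFS(), budget)[1],
        "NURS": explore(cfg, target, NURS(seed=0), budget)[1],
        "A*": explore(cfg, target, AStar(dist), budget)[1],
    }


if __name__ == "__main__":
    print(compare())
```

On the constructed graph, DFS dives into the unbounded loop and exhausts its budget without ever scheduling the branch that leads to the target, BFS reaches the target after nine states, and the A\(^*\)-style order reaches it after four: states whose node cannot reach the target get an infinite f-value and are never popped ahead of finite ones. The point of the toy is the scheduler interface, not the numbers; on real binaries the region of a state is a path constraint, and the closed-set comparison is the costly step that note 2 discusses.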
References
ANSSI: Wookey (2018). https://wookey-project.github.io/
Babić, D., Martignoni, L., McCamant, S., Song, D.: Statically-directed dynamic automated test generation. In: Proceedings of the 2011 International Symposium on Software Testing and Analysis, pp. 12–22 (2011)
Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded model checking. Handbook of satisfiability 185(99), 457–481 (2009)
Blondin, M., Haase, C., Offtermatt, P.: Directed reachability for infinite-state systems. In: TACAS 2021. LNCS, vol. 12652, pp. 3–23. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-72013-1_1
Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209–224 (2008)
Chess, B., McGraw, G.: Static analysis for security. IEEE Secur. Privacy 2(6), 76–79 (2004)
Clarke Jr, E.M., Grumberg, O., Kroening, D., Peled, D., Veith, H.: Model checking. MIT press (2018)
Cousot, P.: Abstract interpretation. ACM Comput. Surv. (CSUR) 28(2), 324–328 (1996)
David, R., et al.: BINSEC/SE: a dynamic symbolic execution toolkit for binary-level analysis. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 653–656. IEEE (2016)
De Castro Pinto, T., Rollet, A., Sutre, G., Tobor, I.: Replication package for “Guiding Symbolic Execution with A-star” (2023). DOI: https://doi.org/10.5281/zenodo.8169445
Djoudi, A., Bardin, S.: BINSEC: binary code analysis with low-level regions. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 212–217. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46681-0_17
Ducousso, S., Bardin, S., Potet, M.L.: Adversarial reachability for program-level security analysis. In: Programming Languages and Systems. LNCS, p. 59. (2023). https://doi.org/10.1007/978-3-031-30044-8_3
Hart, P.E., Nilsson, N.J., Raphael, B.: A formal basis for the heuristic determination of minimum cost paths. IEEE Trans. Syst. Sci. Cybern. 4(2), 100–107 (1968)
King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385–394 (1976)
Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C: a software analysis perspective. Formal Aspects Comput. 27(3), 573–609 (2015)
Li, J., Zhao, B., Zhang, C.: Fuzzing: a survey. Cybersecurity 1(1), 1–13 (2018)
Li, Y., Su, Z., Wang, L., Li, X.: Steering symbolic execution to less traveled paths. ACM SigPlan Notices 48(10), 19–32 (2013)
Ma, K.-K., Yit Phang, K., Foster, J.S., Hicks, M.: Directed symbolic execution. In: Yahav, E. (ed.) SAS 2011. LNCS, vol. 6887, pp. 95–111. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23702-7_11
MIASM: Cea-sec (2015). https://github.com/cea-sec/miasm
NoraCodes: crackmes (2017). https://github.com/NoraCodes/crackmes/blob/master/crackme03.c
NoraCodes: crackmes (2017). https://github.com/NoraCodes/crackmes/blob/master/crackme05.c
NoraCodes: crackmes (2017). https://github.com/NoraCodes/crackmes/blob/master/crackme09.c
Potet, M.L., Mounier, L., Puys, M., Dureuil, L.: Lazart: a symbolic approach for evaluation the robustness of secured codes against control flow injections. In: 2014 IEEE Seventh International Conference on Software Testing, Verification and Validation, pp. 213–222. IEEE (2014)
Shoshitaishvili, Y., et al.: SoK: (State of) the art of war: offensive techniques in binary analysis. In: IEEE Symposium on Security and Privacy (2016)
Stephens, N., et al.: Driller: augmenting fuzzing through selective symbolic execution. In: NDSS, vol. 16, pp. 1–16 (2016)
Xie, T., Tillmann, N., De Halleux, J., Schulte, W.: Fitness-guided path exploration in dynamic symbolic execution. In: 2009 IEEE/IFIP International Conference on Dependable Systems & Networks, pp. 359–368. IEEE (2009)
Acknowledgements
This work was supported by the French ANRT CIFRE 2021/1673 Project. We also would like to thank Guillaume Baud-Berthier, Julien Bernet and Michael Grand for their helpful discussions.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
De Castro Pinto, T., Rollet, A., Sutre, G., Tobor, I. (2023). Guiding Symbolic Execution with A-Star. In: Ferreira, C., Willemse, T.A.C. (eds) Software Engineering and Formal Methods. SEFM 2023. Lecture Notes in Computer Science, vol 14323. Springer, Cham. https://doi.org/10.1007/978-3-031-47115-5_4
DOI: https://doi.org/10.1007/978-3-031-47115-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47114-8
Online ISBN: 978-3-031-47115-5
eBook Packages: Computer Science (R0)