Abstract
Symbolic execution can be used to explore the possible run-time states of a program. It makes use of a concept of “state” where a variable’s value has been replaced by an expression that gives the value as a function of program input. Additionally, a state can be equipped with a summary of control-flow history: a “path constraint” keeps track of the class of inputs that would have caused the same flow of control. But even simple programs can have trillions of paths, so a path-by-path analysis is impractical. We investigate a “state joining” approach to making symbolic execution more practical and describe the challenges of applying state joining to the analysis of unmodified Linux x86 executables. The results so far are mixed, with good results for some code. On other examples, state joining produces cumbersome constraints that are more expensive to solve than those generated by normal symbolic execution.
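To make the abstract's notions concrete, the following is an added toy symbolic executor written for this page, not the authors' tool. It runs a constructed program (`s = 0; for each input x_i: s += 1 if x_i > 0 else s -= 1`) either path by path, forking one state per branch outcome, or with state joining, where the successors of each branch collapse into one state whose values are ite-expressions and whose path constraint is the disjunction of the merged ones; the expression encoding and the `size` cost proxy are assumptions of this example.

```python
import functools
from dataclasses import dataclass

# Expressions are nested tuples: ('sym', name), ('const', v), ('add', a, b),
# ('gt', a, b), ('not', a), ('and', a, b), ('or', a, b), ('ite', cond, a, b).
TRUE = ('const', True)
def evaluate(e, env):
    """Concretize an expression under a concrete input assignment `env`."""
    op = e[0]
    if op == 'sym':   return env[e[1]]
    if op == 'const': return e[1]
    if op == 'add':   return evaluate(e[1], env) + evaluate(e[2], env)
    if op == 'gt':    return evaluate(e[1], env) > evaluate(e[2], env)
    if op == 'not':   return not evaluate(e[1], env)
    if op == 'and':   return evaluate(e[1], env) and evaluate(e[2], env)
    if op == 'or':    return evaluate(e[1], env) or evaluate(e[2], env)
    if op == 'ite':   return evaluate(e[2] if evaluate(e[1], env) else e[3], env)
    raise ValueError(op)

def size(e):
    """Node count of an expression: a rough proxy for solver cost."""
    return 1 + sum(size(c) for c in e[1:] if isinstance(c, tuple))

@dataclass
class State:
    vars: dict   # program variable -> symbolic expression over the inputs
    pc: tuple    # path constraint: the class of inputs that reach this state

def join(a, b):
    """Merge two states: values become ite(a.pc, ...), path constraints are or-ed."""
    return State({v: ('ite', a.pc, a.vars[v], b.vars[v]) for v in a.vars},
                 ('or', a.pc, b.pc))

def execute(n, joining):
    """Symbolically run: s = 0; for i in range(n): s += 1 if x_i > 0 else -1."""
    states = [State({'s': ('const', 0)}, TRUE)]
    for i in range(n):
        cond = ('gt', ('sym', f'x{i}'), ('const', 0))
        forked = []
        for st in states:  # fork at the branch: one successor per outcome
            succ = lambda d, c: State({'s': ('add', st.vars['s'], ('const', d))},
                                      ('and', st.pc, c))
            forked += [succ(1, cond), succ(-1, ('not', cond))]
        # with joining, every state at the merge point collapses into one
        states = [functools.reduce(join, forked)] if joining else forked
    return states

def value_of(states, var, env):
    """Read `var` under concrete input `env` from the single feasible state."""
    (st,) = [s for s in states if evaluate(s.pc, env)]  # exactly one must hold
    return evaluate(st.vars[var], env)
```

Path-by-path execution yields 2^n states for n branches while joining yields one, and both agree on every concrete input; but `size` of the joined value grows with each merge, which is the cost the abstract warns about.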
© 2009 Springer-Verlag Berlin Heidelberg
Hansen, T., Schachte, P., Søndergaard, H. (2009). State Joining and Splitting for the Symbolic Execution of Binaries. In: Bensalem, S., Peled, D.A. (eds) Runtime Verification. RV 2009. Lecture Notes in Computer Science, vol 5779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04694-0_6
DOI: https://doi.org/10.1007/978-3-642-04694-0_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04693-3
Online ISBN: 978-3-642-04694-0