survey

A Survey of Symbolic Execution Techniques

Authors:

Roberto Baldoni,

Daniele Cono D’elia,

Camil Demetrescu, and

Irene FinocchiAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 51, Issue 3

Article No.: 50, Pages 1 - 39

https://doi.org/10.1145/3182657

Published: 23 May 2018 Publication History

Abstract

Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program’s authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the past four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience.

Supplementary Material

a50-baldoni-apndx.pdf (baldoni.zip)

Supplemental movie, appendix, image and software files for, A Survey of Symbolic Execution Techniques

Download
149.31 KB

References

[1]

Erika Abraham. 2015. Building bridges between symbolic computation and satisfiability checking. In Proceedings of the 2015 ACM on International Symposium on Symbolic and Algebraic Computation (ISSAC’15). ACM, 1--6.

Digital Library

[2]

Erika Abraham, John Abbott, Bernd Becker, Anna M. Bigatti, Martin Brain, Bruno Buchberger, Alessandro Cimatti, James H. Davenport, Matthew England, Pascal Fontaine, Stephen Forrest, Alberto Griggio, Daniel Kroening, Werner M. Seiler, and Thomas Sturm. 2016. SC2: Satisfiability checking meets symbolic computation. In Proceedings of the 9th International Conference on Intelligent Computer Math. (CICM’16). Springer, 28--43.

[3]

Saswat Anand. 2012. Techniques to Facilitate Symbolic Execution of Real-world Programs. Ph.D. Dissertation. Atlanta, GA.

Digital Library

[4]

Saswat Anand, Patrice Godefroid, and Nikolai Tillmann. 2008. Demand-driven compositional symbolic execution. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08/ETAPS’08). 367--381.

Digital Library

[5]

Saswat Anand, Alessandro Orso, and Mary Jean Harrold. 2007. Type-dependence analysis and program transformation for symbolic execution. In Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’07). 117--133.

Digital Library

[6]

Saswat Anand, Corina S. Pasareanu, and Willem Visser. 2009. Symbolic execution with abstraction. Int. J. Software Tools Technol. Transf. 11, 1 (2009), 53--67.

Digital Library

[7]

Thanassis Avgerinos. 2014. Exploiting Trade-offs in Symbolic Execution for Identifying Security Bugs. Ph.D. Dissertation. Retrieved from http://repository.cmu.edu/cgi/viewcontent.cgi?article=1478&context===dissertations.

[8]

Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. 2011. AEG: Automatic exploit generation. In Proceedings of the Network and Distributed System Security Symposium (NDSS’11).

[9]

Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. 2014. Enhancing symbolic execution with veritesting. In Proceedings of the 36th International Conference on Software Engineering (ICSE’14). ACM, 1083--1094.

Digital Library

[10]

Domagoj Babic and Alan J. Hu. 2008. Calysto: Scalable and precise extended static checking. In Proceedings of the 30th International Conference on Software Engineering (ICSE’08). ACM, 211--220.

Digital Library

[11]

David F. Bacon, Susan L. Graham, and Oliver J. Sharp. 1994. Compiler transformations for high-performance computing. ACM Comput. Surveys 26, 4 (1994), 345--420.

Digital Library

[12]

Thomas Ball, Ella Bounimova, Byron Cook, Vladimir Levin, Jakob Lichtenberg, Con McGarvey, Bohus Ondrusek, Sriram K. Rajamani, and Abdullah Ustuner. 2006. Thorough static analysis of device drivers. In Proceedings of the 1st ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys’06). ACM, 73--85.

Digital Library

[13]

Clark Barrett, Daniel Kroening, and Thomas Melham. 2014. Problem Solving for the 21st Century: Efficient Solver for Satisfiability Modulo Theories. London Mathematical Society and Smith Institute.

[14]

Peter Boonstoppel, Cristian Cadar, and Dawson R. Engler. 2008. RWset: Attacking path explosion in constraint-based test generation. In Proceedings of the 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08). 351--366.

Digital Library

[15]

Matko Botinčan, Matthew Parkinson, and Wolfram Schulte. 2009. Separation logic verification of C programs with an SMT solver. Electron. Notes Theoret. Comput. Sci. 254 (2009), 5--23.

Digital Library

[16]

Robert S. Boyer, Bernard Elspas, and Karl N. Levitt. 1975. SELECT—A formal system for testing and debugging programs by symbolic execution. In Proceedings of the of International Conference on Reliable Software. ACM, 234--245.

Digital Library

[17]

David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. 2011. BAP: A binary analysis platform. In Proceedings of the 23rd International Conference on Computer Aided Verification (CAV’11). 463--469.

Digital Library

[18]

Stefan Bucur, Vlad Ureche, Cristian Zamfir, and George Candea. 2011. Parallel symbolic execution for automated real-world software testing. In Proceedings of the 6th Conference on Computer Systems (EuroSys’11). 183--198.

Digital Library

[19]

Cristian Cadar. 2015. Targeted program transformations for symbolic execution. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’15). ACM, 906--909.

Digital Library

[20]

Cristian Cadar, Daniel Dunbar, and Dawson R. Engler. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI’08). USENIX Association, 209--224.

Digital Library

[21]

Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, and Dawson R. Engler. 2006. EXE: Automatically generating inputs of death. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06). ACM, 322--335.

Digital Library

[22]

Cristian Cadar and Koushik Sen. 2013. Symbolic execution for software testing: Three decades later. Commun. ACM 56, 2 (2013), 82--90.

Digital Library

[23]

Cristiano Calcagno, Dino Distefano, Peter W. O’Hearn, and Hongseok Yang. 2011. Compositional shape analysis by means of Bi-abduction. J. ACM 58, 6, Article 26 (2011).

Digital Library

[24]

Matteo Ceccarello and Oksana Tkachuk. 2014. Automated generation of model classes for java pathfinder. SIGSOFT Software Eng. Notes 39, 1 (2014), 1--5.

Digital Library

[25]

Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. 2012. Unleashing mayhem on binary code. In Proceedings of the 2012 IEEE Symposium on Sec. and Privacy (SP’12). IEEE Computer Society, 380--394.

Digital Library

[26]

Satish Chandra, Stephen J. Fink, and Manu Sridharan. 2009. Snugglebug: A powerful approach to weakest preconditions. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’09). ACM, 363--374.

Digital Library

[27]

Ting Chen, Xiaodong Lin, Jin Huang, Abel Bacchus, and Xiaosong Zhang. 2015. An empirical investigation into path divergences for concolic execution using CREST. Secur. Commun. Networks 8, 18 (2015), 3667--3681.

Digital Library

[28]

Ting Chen, Xiao-Song Zhang, Shi-Ze Guo, Hong-Yuan Li, and Yue Wu. 2013. State of the art: Dynamic symbolic execution for automated test generation. Future Gen. Comput. Syst. 29, 7 (2013), 1758--1773.

Digital Library

[29]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2012. The S2E platform: Design, implementation, and applications. ACM Trans. Comput. Syst. 30, 1 (2012), 2:1--2:49.

Digital Library

[30]

Peter Collingbourne, Cristian Cadar, and Paul H. J. Kelly. 2011. Symbolic crosschecking of floating-point and SIMD code. In Proceedings of the 6th Conference on Computer Systems (EuroSys’11). ACM, 315--328.

Digital Library

[31]

Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2006. Termination proofs for systems code. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’06). 415--426.

Digital Library

[32]

Emilio Coppa, Daniele Cono D’Elia, and Camil Demetrescu. 2017. Rethinking pointer reasoning in symbolic execution. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE’17). 613--618.

Digital Library

[33]

Florian Corzilius, Gereon Kremer, Sebastian Junges, Stefan Schupp, and Erika Abraham. 2015. SMT-RAT: An open source C++ toolbox for strategic and parallel SMT solving. In Proceedings of the 18th International Conference on Theory and Applications of Satisfiability Testing (SAT’15), Marijn Heule and Sean Weaver (Eds.). 360--368.

[34]

William Craig. 1957. Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory. J. Symbolic Logic 22, 3 (1957), 269--285.

[35]

Christoph Csallner and Yannis Smaragdakis. 2005. Check ‘N’ crash: Combining static checking and testing. In Proceedings of the 27th International Conference on Software Engineering (ICSE’05). ACM, 422--431.

Digital Library

[36]

Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the Theory and Practice of Software, 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08/ETAPS’08). 337--340.

Digital Library

[37]

Leonardo De Moura and Nikolaj Bjørner. 2011. Satisfiability modulo theories: Introduction and applications. Commun. ACM 54, 9 (2011), 69--77.

Digital Library

[38]

Xianghua Deng, Jooyong Lee, and Robby. 2012. Efficient and formal generalized symbolic execution. Auto. Software Eng. 19, 3 (2012), 233--301.

Digital Library

[39]

Peter Dinges and Gul Agha. 2014. Solving complex path conditions through heuristic search on induced polytopes. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering. 425--436.

Digital Library

[40]

Peter Dinges and Gul Agha. 2014. Targeted test input generation using symbolic-concrete backward execution. In Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE’14). 31--36.

Digital Library

[41]

Shiyu Dong, Oswaldo Olivo, Lingming Zhang, and Sarfraz Khurshid. 2015. Studying the influence of standard compiler optimizations on symbolic execution. In Proceedings of the 2015 IEEE 26th International Symposium on Software Reliability Engineering. 205--215.

Digital Library

[42]

Evelyn Duesterwald (Ed.). 2004. Analyzing Memory Accesses in x86 Executables. Springer.

[43]

Bassem Elkarablieh, Patrice Godefroid, and Michael Y. Levin. 2009. Precise pointer reasoning for dynamic test generation. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA’09). ACM, 129--140.

Digital Library

[44]

Dawson R. Engler and Ken Ashcraft. 2003. RacerX: Effective, static detection of race conditions and deadlocks. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP’03). ACM, 237--252.

Digital Library

[45]

Dawson R. Engler and Daniel Dunbar. 2007. Under-constrained execution: Making automatic code destruction easy and scalable. In Proceedings of the of 2007 International Symposium on Software Testing and Analysis (ISSTA’07). 1--4.

Digital Library

[46]

Cormac Flanagan and Shaz Qadeer. 2002. Predicate abstraction for software verification. In Proceedings of the of 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Language (POPL’02). ACM, 191--202.

Digital Library

[47]

Carlo A. Furia, Bertrand Meyer, and Sergey Velder. 2014. Loop invariants: Analysis, classification, and examples. ACM Computing Surveys (CSUR) 46, 3, Article 34 (2014).

Digital Library

[48]

Juan P. Galeotti, Carlo A. Furia, Eva May, Gordon Fraser, and Andreas Zeller. 2015. Inferring loop invariants by mutation, dynamic analysis, and static checking. IEEE Trans. Software Eng. 41, 10 (2015), 1019--1037.

Digital Library

[49]

Vijay Ganesh and David L. Dill. 2007. A decision procedure for bit-vectors and arrays. In Proceedings of the 19th International Conference on Computer Aided Verification (CAV’07). 519--531.

Digital Library

[50]

Patrice Godefroid. 2007. Compositional dynamic test generation. In Proceedings of the 34th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Language (POPL’07). 47--54.

Digital Library

[51]

Patrice Godefroid, Nils Klarlund, and Koushik Sen. 2005. DART: Directed automated random testing. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’05). 213--223.

Digital Library

[52]

Patrice Godefroid, Michael Y. Levin, and David A. Molnar. 2008. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed System Security Symposium (NDSS’08).

[53]

Patrice Godefroid, Michael Y. Levin, and David A. Molnar. 2012. SAGE: Whitebox fuzzing for security testing. Queue 10, 1, Article 20 (2012), 20:20--20:27 pages.

Digital Library

[54]

Patrice Godefroid and Daniel Luchaup. 2011. Automatic partial loop summarization in dynamic test generation. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA’11). ACM, 23--33.

Digital Library

[55]

Laure Gonnord, David Monniaux, and Gabriel Radanne. 2015. Synthesis of ranking functions using extremal counterexamples. In Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’15). ACM, 608--618.

Digital Library

[56]

Johannes Grabmeier, Erich Kaltofen, and Volker Weispfenning. 2003. Computer Algebra Handbook: Foundations, Applications, Systems. Vol. 1. Springer Science 8 Business Media, 109--124.

[57]

Trevor Hansen, Peter Schachte, and Harald Søndergaard. 2009. Runtime verification. Chapter State Joining and Splitting for the Symbolic Execution of Binaries, 76--92.

[58]

William E. Howden. 1977. Symbolic testing and the DISSECT symbolic evaluation system. IEEE Trans. Software Eng. 3, 4 (1977), 266--278.

Digital Library

[59]

Joxan Jaffar, Vijayaraghavan Murali, and Jorge A. Navas. 2013. Boosting concolic testing via interpolation. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’13). ACM, 48--58.

Digital Library

[60]

Joxan Jaffar, Vijayaraghavan Murali, Jorge A. Navas, and Andrew E. Santosa. 2012. TRACER: A symbolic execution tool for verification. In Proceedings of the 24th International Conference on Comp. Aided Verification (CAV’12). 758--766.

Digital Library

[61]

Joxan Jaffar, Jorge A. Navas, and Andrew E. Santosa. 2012. Unbounded symbolic execution for program verification. In Proceedings of the 2nd International Conference on Runtime Verification (RV’11). 396--411.

Digital Library

[62]

Joxan Jaffar, Andrew E. Santosa, and Rǎzvan Voicu. 2009. An interpolation method for CLP traversal. In Proceedings of the 15th International Conference on Principles and Practice of Constraint Programming (CP’09). 454--469.

Digital Library

[63]

Jinseong Jeon, Xiaokang Qiu, Jonathan Fetter-Degges, Jeffrey S. Foster, and Armando Solar-Lezama. 2016. Synthesizing framework models for symbolic execution. In Proceedings of the 38th International Conference on Software Engineering (ICSE’16). ACM, 156--167.

Digital Library

[64]

Xiangyang Jia, Carlo Ghezzi, and Shi Ying. 2015. Enhancing reuse of constraint solutions to improve symbolic execution. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA’15). 177--187.

Digital Library

[65]

Yit Phang Khoo, Bor-Yuh Evan Chang, and Jeffrey S. Foster. 2010. Mixing type checking and symbolic execution. In Proceedings of the 31st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’10). 436--447.

Digital Library

[66]

Sarfraz Khurshid, Corina S. Pasareanu, and Willem Visser. 2003. Generalized symbolic execution for model checking and testing. In Proceedings of the 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’03). Springer-Verlag, 553--568.

Digital Library

[67]

James C. King. 1975. A new approach to program testing. In Proceedings of the International Conference on Reliable Software. ACM, 228--233.

Digital Library

[68]

James C. King. 1976. Symbolic execution and program testing. Commun. ACM 19, 7 (1976), 385--394.

Digital Library

[69]

Daniel Kroening, Natasha Sharygina, Stefano Tonetta, Aliaksei Tsitovich, and Christoph M. Wintersteiger. 2008. Loop summarization using abstract transformers. In Proceedings of the 6th International Symposium on Automated Technology for Verification and Analysis (ATVA’08). 111--125.

Digital Library

[70]

Volodymyr Kuznetsov, Johannes Kinder, Stefan Bucur, and George Candea. 2012. Efficient state merging in symbolic execution. In Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’12). ACM, 193--204.

Digital Library

[71]

You Li, Zhendong Su, Linzhang Wang, and Xuandong Li. 2013. Steering symbolic execution to less traveled paths. in Proceedings of the ACM SIGPLAN Conference on Object Oriented Programming Systems Languages 8 Applications (OOPSLA’13). 19--32.

Digital Library

[72]

Kin-Keung Ma, Khoo Yit Phang, Jeffrey S. Foster, and Michael Hicks. 2011. Directed symbolic execution. In Proceedings of the 18th International Conference on Static Analysis (SAS’11). 95--111.

Digital Library

[73]

Rupak Majumdar and Koushik Sen. 2007. Hybrid concolic testing. In Proceedings of the 29th International Conference on Software Engineering (ICSE’07). IEEE Computer Society, 416--426.

Digital Library

[74]

Rupak Majumdar and Ru-Gang Xu. 2009. Reducing test inputs using information partitions. In Proceedings of the 21st International Conference on Computer Aided Verification (CAV’09). Springer-Verlag, Berlin, Heidelberg, 555--569.

Digital Library

[75]

Kenneth L. McMillan. 2010. Lazy annotation for program testing and verification. In Proceedings of the 22nd International Conference on Computer Aided Verification (CAV’10). 104--118.

Digital Library

[76]

Phil McMinn. 2004. Search-based software test data generation: A survey. Software Testing, Verification 8 Reliability 14, 2 (2004), 105--156.

Digital Library

[77]

Corina S. Pasareanu and Neha Rungta. 2010. Symbolic pathfinder: Symbolic execution of java bytecode. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering (ASE’10). ACM, 179--180.

Digital Library

[78]

Corina S. Pasareanu, Neha Rungta, and Willem Visser. 2011. Symbolic execution with mixed concrete-symbolic solving. In Proceedings of the 2011 International Symposium on Software Testing and Analysis (ISSTA’11). ACM, 34--44.

Digital Library

[79]

Corina S. Pasareanu and Willem Visser. 2009. A survey of new trends in symbolic execution for software testing and analysis. Int. J. Software Tools Technol. Transfer 11, 4 (2009), 339--353.

[80]

David M. Perry, Andrea Mattavelli, Xiangyu Zhang, and Cristian Cadar. 2017. Accelerating array constraints in symbolic execution. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA’17). ACM, 68--78.

Digital Library

[81]

Ruzica Piskac, Thomas Wies, and Damien Zufferey. 2013. Automating separation logic using SMT. In Proceedings of the 25th International Conference on Computer Aided Verification (CAV’13). 773--789.

[82]

Amir Pnueli and Roni Rosner. 1989. On the synthesis of a reactive module. In Proceedings of the 16th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Language (POPL’89). ACM, 179--190.

Digital Library

[83]

Charles Prud’homme, Jean-Guillaume Fages, and Xavier Lorca. 2015. Choco Documentation. TASC, INRIA Rennes, LINA CNRS UMR 6241, COSLING S.A.S. Retrieved from http://www.choco-solver.org.

[84]

Dawei Qi, Hoang D. T. Nguyen, and Abhik Roychoudhury. 2013. Path exploration based on symbolic output. ACM Trans. Software Eng. Methodol. 22, 4, Article 32 (2013).

Digital Library

[85]

David A. Ramos and Dawson R. Engler. 2015. Under-constrained symbolic execution: Correctness checking for real code. In Proceedings of the 24th USENIX Conference on Security Symposium (SEC’15). USENIX Association, 49--64.

Digital Library

[86]

John C. Reynolds. 2002. Separation logic: A logic for shared mutable data structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS’02). IEEE Computer Society, 55--74.

Digital Library

[87]

Nicolas Rosner, Jaco Geldenhuys, Nazareno M. Aguirre, Willem Visser, and Marcelo F. Frias. 2015. BLISS: Improved symbolic execution by bounded lazy initialization with SAT support. IEEE Trans. Software Eng. 41, 7 (2015), 639--660.

Digital Library

[88]

Prateek Saxena, Pongsin Poosankam, Stephen McCamant, and Dawn Song. 2009. Loop-extended symbolic execution on binary programs. In Proceedings of the 18th International Symposium on Software Testing and Analysis. 225--236.

Digital Library

[89]

Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP’10). IEEE Computer Society, 317--331.

Digital Library

[90]

Daniel Schwartz-Narbonne, Martin Schaf, Dejan Jovanovic, Philipp Rümmer, and Thomas Wies. 2015. Conflict-directed graph coverage. In Proceedings of the 7th International Symposium on NASA Formal Methods. 327--342.

[91]

Koushik Sen, Darko Marinov, and Gul Agha. 2005. CUTE: A concolic unit testing engine for C. In Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering (ESEC/FSE’13). ACM, 263--272.

Digital Library

[92]

Ondrej Sery, Grigory Fedyukovich, and Natasha Sharygina. 2012. Incremental upgrade checking by means of interpolation-based function summaries. In Proceedings of the 2012 Conference on Formal Methods in Computer-Aided Design (FMCAD’12). 114--121.

[93]

Ondrej Sery, Grigory Fedyukovich, and Natasha Sharygina. 2012. Interpolation-based function summaries in bounded model checking. In Proceedings of the 7th International Haifa Verification Conference on Hardware and Software: Verification and Testing (HVC’11). 160--175.

Digital Library

[94]

Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice - Automatic detection of authentication bypass vulnerabilities in binary firmware. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS’15).

[95]

Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2016. SOK: (State of) the art of war: Offensive techniques in binary analysis. In Proceedings of the IEEE Symposium on Security and Privacy (SP’16). 138--157.

[96]

Jiri Slaby, Jan Strejcek, and Marek Trtik. 2013. Compact symbolic execution. In Proceedings of the 11th International Symposium on Automated Technology for Verification and Analysis (ATVA’13). 193--207.

[97]

Armando Solar Lezama. 2008. Program Synthesis By Sketching. Ph.D. Dissertation. EECS Department, University of California, Berkeley. Retrieved from http://www2.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-177.html.

[98]

Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. 2008. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security (ICISS’08). 1--25.

Digital Library

[99]

Litong Song and Krishna Kavi. 2004. What can we gain by unfolding loops? SIGPLAN Notices 39, 2 (2004), 26--33.

Digital Library

[100]

Matheus Souza, Mateus Borges, Marcelo d’Amorim, and Corina S. Pasareanu. 2011. CORAL: Solving complex constraints for symbolic pathfinder. In Proceedings of the 3rd International NASA Formal Methods Symposium. 359--374.

Digital Library

[101]

Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In Proceedings of the 23nd Annual Network and Distributed System Security Symposium (NDSS’16).

[102]

Aditya Thakur, Junghee Lim, Akash Lal, Amanda Burton, Evan Driscoll, Matt Elder, Tycho Andersen, and Thomas Reps. 2010. Directed proof generation for machine code. In Proceedings of the 22nd International Conference on Computer Aided Verification (CAV’10). Springer-Verlag, 288--305.

Digital Library

[103]

Marek Trtik and Jan Strejček. 2014. Symbolic Memory with Pointers. Springer International Publishing, 380--395.

[104]

Aliaksei Tsitovich, Natasha Sharygina, Christoph M. Wintersteiger, and Daniel Kroening. 2011. Loop summarization and termination analysis. In Proceedings of the Conference on Theory and Practice of Software and the 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’11/ETAPS’11). 81--95.

Digital Library

[105]

Heila van der Merwe, Oksana Tkachuk, Brink van der Merwe, and Willem Visser. 2015. Generation of library models for verification of android applications. SIGSOFT Software Eng. Notes 40, 1 (2015), 1--5.

Digital Library

[106]

Willem Visser, Jaco Geldenhuys, and Matthew B. Dwyer. 2012. Green: Reducing, reusing and recycling constraints in program analysis. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering (FSE’12). ACM, Article 58.

Digital Library

[107]

Willem Visser, Corina S. Pasareanu, and Sarfraz Khurshid. 2004. Test input generation with java pathfinder. In Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, 97--107.

Digital Library

[108]

Jonas Wagner, Volodymyr Kuznetsov, and George Candea. 2013. Overify: Optimizing programs for fast verification. In Proceedings of the 14th USENIX Conference on Hot Topics in Operating Systems. USENIX Association.

Digital Library

[109]

Haijun Wang, Ting Liu, Xiaohong Guan, Chao Shen, Qinghua Zheng, and Zijiang Yang. 2017. Dependence guided symbolic execution. IEEE Trans. Software Eng. 43, 3 (2017), 252--271.

Digital Library

[110]

Mark Weiser. 1984. Program slicing. IEEE Trans. Software Eng. SE-10, 4 (1984), 352--357.

Digital Library

[111]

Xusheng Xiao, Tao Xie, Nikolai Tillmann, and Jonathan de Halleux. 2011. Precise identification of problems for structural test generation. In Proceedings of the 33rd International Conference on Software Engineering (ICSE’11). 611--620.

Digital Library

[112]

Tao Xie, Nikolai Tillmann, Jonathan de Halleux, and Wolfram Schulte. 2009. Fitness-guided path exploration in dynamic symbolic execution. In Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN’09). 359--368.

[113]

Xiaofei Xie, Bihuan Chen, Yang Liu, Wei Le, and Xiaohong Li. 2016. Proteus: Computing disjunctive loop summary via path dependency analysis. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’16). 61--72.

Digital Library

[114]

Yichen Xie and Alex Aiken. 2005. Scalable error detection using boolean satisfiability. In Proceedings of the 32nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Language (POPL’05). ACM, 351--363.

Digital Library

[115]

Guowei Yang, Corina S. Pasareanu, and Sarfraz Khurshid. 2012. Memoized symbolic execution. In Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA’12). ACM, 144--154.

Digital Library

[116]

Guowei Yang, Suzette Person, Neha Rungta, and Sarfraz Khurshid. 2014. Directed incremental symbolic execution. ACM Trans. Software Eng. Methodol. 24, 1, Article 3 (2014).

Digital Library

[117]

Qiuping Yi, Zijiang Yang, Shengjian Guo, Chao Wang, Jian Liu, and Chen Zhao. 2015. Postconditioned symbolic execution. In Proceedings of the 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST’15).

[118]

Yufeng Zhang, Zhenbang Chen, Ji Wang, Wei Dong, and Zhiming Liu. 2015. Regular property guided dynamic symbolic execution. In Proceedings of the 37th International Conference on Software Engineering (ICSE’15). 643--653.

Digital Library

[119]

Yunhui Zheng, Xiangyu Zhang, and Vijay Ganesh. 2013. Z3-str: A Z3-based string solver for web application analysis. In Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. ACM, 114--124.

Digital Library

Cited By

Alshmrany KAldughaim MBhayat ACordeiro L(2024)FuSeBMC v4: Improving Code Coverage with Smart Seeds via BMC, Fuzzing and Static AnalysisFormal Aspects of Computing10.1145/366533736:2(1-25)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3665337
Jain RTihanyi NNdhlovu MFerrag MCordeiro Ld'Amorim M(2024)Rapid Taint Assisted Concolic Execution (TACE)Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering10.1145/3663529.3663812(627-631)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3663529.3663812
Show More Cited By

Index Terms

A Survey of Symbolic Execution Techniques
1. Security and privacy
  1. Software and application security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods
        Dynamic analysis
        Software verification

Recommendations

Scaling symbolic execution using staged analysis

Recent advances in constraint solving technology and raw computation power have led to a substantial increase in the effectiveness of techniques based on symbolic execution for systematic bug finding. However, scaling symbolic execution remains a ...
Read More
RELEASE: Generating Exploits Using Loop-Aware Concolic Execution
SSIRI '11: Proceedings of the 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement

Automatically finding vulnerabilities and even generating exploits are desirable for software testing. For the protection of intellectual property and copyright, programs being tested may be lack of source code and symbol table information. Concolic ...
Read More
Combining static analysis error traces with dynamic symbolic execution (experience paper)
ISSTA 2022: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis

This paper reports on our experience implementing a technique for sifting through static analysis reports using dynamic symbolic execution. Our insight is that if a static analysis tool produces a partial trace through the program under analysis, ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 51, Issue 3

May 2019

796 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3212709

Editor:
Sartaj Sahni
Department of Computer and Information Science and Engineering / University of Florida / Gainesville, FL 32611

Issue’s Table of Contents

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 23 May 2018

Accepted: 01 January 2018

Revised: 01 December 2017

Received: 01 October 2016

Published in CSUR Volume 51, Issue 3

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Survey
Research
Refereed

Funding Sources

CINI (Consorzio Interuniversitario Nazionale Informatica) National Laboratory of Cyber Security
Italian Presidency of the Council of Ministers

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

362
Total Citations
View Citations
5,777
Total Downloads

Downloads (Last 12 months)821
Downloads (Last 6 weeks)108

Other Metrics

View Author Metrics

Citations

Cited By

Alshmrany KAldughaim MBhayat ACordeiro L(2024)FuSeBMC v4: Improving Code Coverage with Smart Seeds via BMC, Fuzzing and Static AnalysisFormal Aspects of Computing10.1145/366533736:2(1-25)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3665337
Jain RTihanyi NNdhlovu MFerrag MCordeiro Ld'Amorim M(2024)Rapid Taint Assisted Concolic Execution (TACE)Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering10.1145/3663529.3663812(627-631)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3663529.3663812
Shuai ZChen ZMa KLiu KZhang YSun JWang J(2024)Partial Solution Based Constraint Solving Cache in Symbolic ExecutionProceedings of the ACM on Software Engineering10.1145/36608171:FSE(2493-2514)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3660817
Ryan GJain SShang MWang SMa XRamanathan MRay B(2024)Code-Aware Prompting: A Study of Coverage-Guided Test Generation in Regression Setting using LLMProceedings of the ACM on Software Engineering10.1145/36437691:FSE(951-971)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643769
Gao CYang WYe JXue YSun J(2024)sGuard+: Machine Learning Guided Rule-Based Automated Vulnerability Repair on Smart ContractsACM Transactions on Software Engineering and Methodology10.1145/364184633:5(1-55)Online publication date: 4-Jun-2024
https://dl.acm.org/doi/10.1145/3641846
Wang XHu RGao CWen XChen YLiao QRoychoudhury APaiva AAbreu RStorey M(2024)ReposVul: A Repository-Level High-Quality Vulnerability DatasetProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3647634(472-483)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3647634
Ding YGervais AWattenhofer RSato HRoychoudhury APaiva AAbreu RStorey M(2024)Hunting DeFi Vulnerabilities via Context-Sensitive Concolic VerificationProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3643105(324-325)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3643105
Glock JRoychoudhury APaiva AAbreu RStorey M(2024)Aiding Developer Understanding of Software Changes via Symbolic Execution-based Semantic DifferencingProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3639783(142-144)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3639783
Hu GWang ZTang CShen JDong ZYao SChen H(2024)WeBridge: Synthesizing Stored Procedures for Large-Scale Real-World Web ApplicationsProceedings of the ACM on Management of Data10.1145/36393192:1(1-29)Online publication date: 26-Mar-2024
https://dl.acm.org/doi/10.1145/3639319
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents