DOI: 10.5555/2831143.2831147
Article

Under-constrained symbolic execution: correctness checking for real code

Published: 12 August 2015

Abstract

    Software bugs are a well-known source of security vulnerabilities. One technique for finding bugs, symbolic execution, considers all possible inputs to a program but suffers from scalability limitations. This paper uses a variant, under-constrained symbolic execution, that improves scalability by directly checking individual functions, rather than whole programs. We present UC-KLEE, a novel, scalable framework for checking C/C++ systems code, along with two use cases. First, we use UC-KLEE to check whether patches introduce crashes. We check over 800 patches from BIND and OpenSSL and find 12 bugs, including two OpenSSL denial-of-service vulnerabilities. We also verify (with caveats) that 115 patches do not introduce crashes. Second, we use UC-KLEE as a generalized checking framework and implement checkers to find memory leaks, uninitialized data, and unsafe user input. We evaluate the checkers on over 20,000 functions from BIND, OpenSSL, and the Linux kernel, find 67 bugs, and verify that hundreds of functions are leak free and that thousands of functions do not access uninitialized data.




    Published In

    SEC'15: Proceedings of the 24th USENIX Conference on Security Symposium
    August 2015
    1072 pages
    ISBN:9781931971232

    Sponsors

    • USENIX Association

    Publisher

    USENIX Association

    United States

    Publication History

    Published: 12 August 2015

    Qualifiers

    • Article


    Cited By

    • (2022) A Survey of Binary Code Fingerprinting Approaches: Taxonomy, Methodologies, and Features. ACM Computing Surveys 55(1), 1-41. DOI: 10.1145/3486860. Online publication date: 17 Jan 2022.
    • (2021) On the Feasibility of Automated Built-in Function Modeling for PHP Symbolic Execution. Proceedings of the Web Conference 2021, 58-69. DOI: 10.1145/3442381.3450002. Online publication date: 19 Apr 2021.
    • (2019) Detecting missing-check bugs via semantic- and context-aware criticalness and constraints inferences. Proceedings of the 28th USENIX Conference on Security Symposium, 1769-1786. DOI: 10.5555/3361338.3361461. Online publication date: 14 Aug 2019.
    • (2019) Dataplane equivalence and its applications. Proceedings of the 16th USENIX Conference on Networked Systems Design and Implementation, 683-697. DOI: 10.5555/3323234.3323290. Online publication date: 26 Feb 2019.
    • (2019) Sleak. Proceedings of the 35th Annual Computer Security Applications Conference, 190-202. DOI: 10.1145/3359789.3359820. Online publication date: 9 Dec 2019.
    • (2019) SYMAC. Proceedings of the 2nd International Conference on Computer Science and Software Engineering, 126-131. DOI: 10.1145/3339363.3339379. Online publication date: 24 May 2019.
    • (2019) JaVerT 2.0: compositional symbolic execution for JavaScript. Proceedings of the ACM on Programming Languages 3(POPL), 1-31. DOI: 10.1145/3290379. Online publication date: 2 Jan 2019.
    • (2019) Zero-overhead path prediction with progressive symbolic execution. Proceedings of the 41st International Conference on Software Engineering, 234-245. DOI: 10.1109/ICSE.2019.00039. Online publication date: 25 May 2019.
    • (2019) Concolic testing for high test coverage and reduced human effort in automotive industry. Proceedings of the 41st International Conference on Software Engineering: Software Engineering in Practice, 151-160. DOI: 10.1109/ICSE-SEIP.2019.00024. Online publication date: 27 May 2019.
    • (2019) Vetting API usages in C programs with IMChecker. Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings, 91-94. DOI: 10.1109/ICSE-Companion.2019.00046. Online publication date: 25 May 2019.
