CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.

CREST Internal

Yunho KimProvable Software

LaboratoryCS Dept. KAIST

CREST

Yunho Kim Prov-able SW Lab2/20

• CREST is a concolic testing tool for C programs– Generate test inputs automatically– Execute target under test on generated test inputs– Explore all possible execution paths of a target systemati-

cally

• CREST is a open-source re-implementation of CUTE– mainly written in C++

• CREST’s instrumentation is implemented as a module of CIL(C Intermetiate Language) written in Ocaml

Overview of CREST code

Yunho Kim Prov-able SW Lab

C sourcecode

Instrumentedcode

CIL

GCC

yices run_crest

cil/src/ext/crestInstrument.ml

src/libcrest/crest.ccsrc/base/symbolic_interpreter.ccsrc/base/symbolic_execution.ccsrc/base/symbolic_expression.ccsrc/base/symbolic_path.ccsrc/base/symbolic_predicate.cc

CREST symbolic execution library

src/run_crest/run_crest.ccsrc/run_crest/concolic_search.ccsrc/base/yices_solver.ccsrc/base/symbolic_execution.ccsrc/base/symbolic_expression.ccsrc/base/symbolic_path.ccsrc/base/symbolic_predicate.ccsrc/base/basic_types.cc

constraint

next input

Sourcecode

Externaltool

CREST

Legend

3/20

EXT

Directory Structure


• src/base/libcrest/process_cfg/run_crest/tools/

• cil/src/ext/crestInstrument.ml– A CIL module for instrumentation

: Base libraries for symbolic execution: Probe code for collecting symbolic states: CFG generator for CFG-based search heuristic: Main function of run_crest and search algorithms: A tool for printing execution path from szd_execution

CREST Code Metrics


Name Value

# of files.h 9.cc 12

Total 21

# of linesCode 2,210

Others 1,595Total 3,805

# of classes 14

# of functions 147

Symbolic Execution Component


• Symbolic execution component collects symbolic states during concrete execution and manages symbolic execution paths

• Related files

File Contentsrc/libcrest/crest.cc Probe functions inserted into instrumented targetsrc/base/symbolic_interpreter.cc Main symbolic execution engine for CRESTsrc/base/symbolic_execution.cc A class for a symbolic execution which consists of symbolic

path and inputssrc/base/symbolic_path.cc A class for a symbolic path which is a sequence of symbolic

predicates at taken branchessrc/base/symbolic_predicate.cc A class for a symbolic predicate which consists of a symbolic

expression and a comparatorsrc/base/symbolic_expression.cc A class for a symbolic expression

Symbolic Interpreter


• Symbolic interpreter performs dynamic symbolic exe-cution during execution of a target program

• Symbolic interpreter implements a symbolic machine which has stack-architecture

• 4 types of statements– Symbolic variable initialization– Assignments– Applying operators– Branches

Symbolic Machine


• Symbolic machine has a symbolic stack, symbolic memory and a symbolic predicate register– Symbolic memory stores symbolic expressions– Symbolic stack element: <symbolic expr, concrete value>– If the top of the stack is a predicate, the predicate is stored

in the symbolic predicate register

Address Symbolic expression

Symbolic memorySymbolic stack Symbolic predicate register

Example Revisited


1 #include <crest.h> 2 main() { 3 int a,b,c, match=0; 4 CREST_int(a); \ CREST_int(b); \ CREST_int(c);5~9 … omitted… 10 if(a==b) match=match+1;10~32 … omitted … 33 }

int a, b, c;#line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c);… omitted … #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long )(& a), (long long )a); __CrestLoad(35, (unsigned long )(& b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { //extern void __CrestBranch(int id , int bid , unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long

long )match); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; } else { __CrestBranch(38, 12, 0); } }

Symbolic Variable Initialization


• Creates a symbolic memory element in symbolic mem-ory– A concrete address of a variable is used as a symbolic address

• Suppose that we start with the input a = b = c = 0;


&a a

&b b

&c c

Symbolic memorySymbolic stackSymbolic variable initializationint a, b, c;#line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c);

Symbolic predicate register

Symbolic Compare Operator(1/4)


• Symbolic compare operator is used for a branch condi-tion and results in a symbolic predicate– The predicate is store in a symbolic predicate register


&a a

&b b

&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register

Symbolic PC



• __CrestLoad(int id, unsigned long *ptr, long long val) function loads a symbolic expression which ptr points to and pushes <loaded expr, val> to the stack– If *ptr is a concrete variable, the function pushes <NULL, val> to the stack


&a a

&b b

&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register

Symbolic PC

<a, 0>




&a a

&b b

&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate registerSymbolic PC

<a, 0>

<b, 0>



• __CrestApply2(int ID, int op_type, long long val) 1. pops two elements from the stack,2. applies a binary operator corresponding to op_type to the popped elements, 3. pushes a result to the stack if the result is not a predicate– A predicate is stored in the register


&a a

&b b

&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) {//extern void __CrestBranch(int id

, int bid , unsigned char b ) __CrestBranch(37, 11, 1);


Symbolic PC <a==b, 1>

Symbolic Branch(1/2)


• Whenever a branch statement is executed, CREST stores which branch is taken by calling __CrestBranch() function.


&a a

&b b

&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) {//extern void __CrestBranch(int id , int bid ,

unsigned char b ) __CrestBranch(37, 11, 1);


Symbolic PC<a==b, 1>

Symbolic Branch(2/2)


• Symbolic path is a sequence of <symbolic pred, branch ID> • __CrestBranch(int id, int bid, unsigned char b) function appends a

new element <symbolic pred, bid> to the current symbolic path– Symbolic pred comes from the register– If b == 0, negated predicate is appended


&a a

&b b

&c c

Symbolic memorySymbolic stackif (a == b) {//extern void __CrestBranch(int id , int bid ,

unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match =

match = 1; */ __CrestLoad(41, (unsigned long )(&

match), (long long )match);Symbolic predicate register

Symbolic PC

Symbolic path: <a==b, 11>

Symbolic Arithmetic Operator (1/2)


• Symbolic arithmetic operator is similar to symbolic compare oper-ator– Pops operands from the stack, applies operator to the operands, and

pushes the result to the stack


&a a

&b b

&c c

Symbolic memorySymbolic stack if (a == b) {__CrestBranch(37, 11, 1); /* Creates symbolic expression match =

match = 1; */__CrestLoad(41, (unsigned long )(& match),

(long long )match);__CrestLoad(40, (unsigned long )0, (long long )1);__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


<NULL, 0>

<NULL, 1>

Symbolic Arithmetic Operator (2/2)


• If at least one of operands is symbolic, the result is also symbolic– Otherwise, the result is concrete


&a a

&b b

&c c

Symbolic memorySymbolic stack if (a == b) {__CrestBranch(37, 11, 1); /* Creates symbolic expression match = match

= 1; */__CrestLoad(41, (unsigned long )(& match),

(long long )match);__CrestLoad(40, (unsigned long )0, (long long )1);__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


<NULL, 2>

Symbolic Assignment (1/1)


• __CrestStore(int id, unsigned long *ptr) function pops one ele-ment from the stack and update symbolic memory– If the popped element is concrete, just ignore it– If the element is symbolic

• If ptr has an entry in symbolic memory, the corresponding symbolic expression is updated• Otherwise, a new entry is added to symbolic memory


&a a

&b b

&c c

Symbolic memorySymbolic stack

__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


Conclusion


• CREST does not support full ANSI-C semantics– No symbolic pointer dereference– Only linear integer arithmetic– No bit-wise operator– And so on

• To support them, we need to improve CREST’s dy-namic symbolic interpreter engine

• I hope this presentation will be a good starting point

CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.

Documents

symbolic path

symbolic states

dynamic symbolic execution

symbolic expression

execution slide

crest srcbasesymbolic

concrete execution

crest tools