crest internal

CREST Internal

Yunho KimProvable Software Lab-

oratoryCS Dept. KAIST

CREST

Yunho Kim Prov-able SW Lab2/20

• CREST is a concolic testing tool for C programs– Generate test inputs automatically– Execute target under test on generated test inputs– Explore all possible execution paths of a target systemati-

cally

• CREST is a open-source re-implementation of CUTE– mainly written in C++

• CREST’s instrumentation is implemented as a module of CIL(C Intermetiate Language) written in Ocaml

Overview of CREST code

Yunho Kim Prov-able SW Lab

C sourcecode

Instrumentedcode

CIL

GCC

yices run_crest

cil/src/ext/crestInstrument.ml

src/libcrest/crest.ccsrc/base/symbolic_interpreter.ccsrc/base/symbolic_execution.ccsrc/base/symbolic_expression.ccsrc/base/symbolic_path.ccsrc/base/symbolic_predicate.cc

CREST symbolic execution library

src/run_crest/run_crest.ccsrc/run_crest/concolic_search.ccsrc/base/yices_solver.ccsrc/base/symbolic_execution.ccsrc/base/symbolic_expression.ccsrc/base/symbolic_path.ccsrc/base/symbolic_predicate.ccsrc/base/basic_types.cc

constraint

next input

Sourcecode

Externaltool

CREST

Legend

3/20

EXT

Directory Structure


• src/base/libcrest/process_cfg/run_crest/tools/

• cil/src/ext/crestInstrument.ml– A CIL module for instrumentation

: Base libraries for symbolic execution: Probe code for collecting symbolic states: CFG generator for CFG-based search heuristic: Main function of run_crest and search algorithms: A tool for printing execution path from szd_execution

CREST Code Metrics


Name Value

# of files.h 9.cc 12

Total 21

# of linesCode 2,210

Others 1,595Total 3,805

# of classes 14

# of functions 147

Symbolic Execution Component


• Symbolic execution component collects symbolic states during concrete execution and manages symbolic execution paths

• Related files

File Contentsrc/libcrest/crest.cc Probe functions inserted into instrumented targetsrc/base/symbolic_interpreter.cc Main symbolic execution engine for CRESTsrc/base/symbolic_execution.cc A class for a symbolic execution which consists of symbolic

path and inputssrc/base/symbolic_path.cc A class for a symbolic path which is a sequence of symbolic

predicates at taken branchessrc/base/symbolic_predicate.cc A class for a symbolic predicate which consists of a symbolic

expression and a comparatorsrc/base/symbolic_expression.cc A class for a symbolic expression

Symbolic Interpreter


• Symbolic interpreter performs dynamic symbolic exe-cution during execution of a target program

• Symbolic interpreter implements a symbolic machine which has stack-architecture

• 4 types of statements– Symbolic variable initialization– Assignments– Applying operators– Branches

Symbolic Machine


• Symbolic machine has a symbolic stack, symbolic memory and a symbolic predicate register– Symbolic memory stores symbolic expressions– Symbolic stack element: <symbolic expr, concrete value>– If the top of the stack is a predicate, the predicate is stored

in the symbolic predicate register

Address Symbolic expression

Symbolic memorySymbolic stack Symbolic predicate register

Example Revisited


1 #include <crest.h> 2 main() { 3 int a,b,c, match=0; 4 CREST_int(a); \ CREST_int(b); \ CREST_int(c);5~9 … omitted… 10 if(a==b) match=match+1;10~32 … omitted … 33 }

int a, b, c;#line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c);… omitted … #line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long )(& a), (long long )a); __CrestLoad(35, (unsigned long )(& b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { //extern void __CrestBranch(int id , int bid , unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match = match = 1; */ __CrestLoad(41, (unsigned long )(& match), (long

long )match); __CrestLoad(40, (unsigned long )0, (long long )1); __CrestApply2(39, 0, (long long )(match + 1)); __CrestStore(42, (unsigned long )(& match)); match ++; } else { __CrestBranch(38, 12, 0); } }

Symbolic Variable Initialization


• Creates a symbolic memory element in symbolic mem-ory– A concrete address of a variable is used as a symbolic address

• Suppose that we start with the input a = b = c = 0;


&a a&b b&c c

Symbolic memorySymbolic stackSymbolic variable initializationint a, b, c;#line 4 /* Initializes symbolic variables a, b, c */ __CrestInt(& a); __CrestInt(& b); __CrestInt(& c);

Symbolic predicate register

Symbolic Compare Operator(1/4)


• Symbolic compare operator is used for a branch condi-tion and results in a symbolic predicate– The predicate is store in a symbolic predicate register


&a a&b b&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register

Symbolic PC



• __CrestLoad(int id, unsigned long *ptr, long long val) function loads a symbolic expression which ptr points to and pushes <loaded expr, val> to the stack– If *ptr is a concrete variable, the function pushes <NULL, val> to the stack


&a a&b b&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate register

Symbolic PC

<a, 0>




&a a&b b&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) { Symbolic predicate registerSymbolic PC

<a, 0>

<b, 0>



• __CrestApply2(int ID, int op_type, long long val) 1. pops two elements from the stack,2. applies a binary operator corresponding to op_type to the popped elements, 3. pushes a result to the stack if the result is not a predicate– A predicate is stored in the register


&a a&b b&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) {//extern void __CrestBranch(int id

, int bid , unsigned char b ) __CrestBranch(37, 11, 1);


Symbolic PC <a==b, 1>

Symbolic Branch(1/2)


• Whenever a branch statement is executed, CREST stores which branch is taken by calling __CrestBranch() function.


&a a&b b&c c

Symbolic memorySymbolic stack#line 10 { /* Creates symbolic expression a==b */ __CrestLoad(36, (unsigned long)(&a), (long long )a); __CrestLoad(35, (unsigned long)(&b), (long long )b); __CrestApply2(34, 12, (long long )(a == b)); if (a == b) {//extern void __CrestBranch(int id , int bid ,

unsigned char b ) __CrestBranch(37, 11, 1);


Symbolic PC<a==b, 1>

Symbolic Branch(2/2)


• Symbolic path is a sequence of <symbolic pred, branch ID> • __CrestBranch(int id, int bid, unsigned char b) function appends a

new element <symbolic pred, bid> to the current symbolic path– Symbolic pred comes from the register– If b == 0, negated predicate is appended


&a a&b b&c c

Symbolic memorySymbolic stackif (a == b) {//extern void __CrestBranch(int id , int bid ,

unsigned char b ) __CrestBranch(37, 11, 1); /* Creates symbolic expression match =

match = 1; */ __CrestLoad(41, (unsigned long )(&

match), (long long )match);Symbolic predicate registerSymbolic PC

Symbolic path: <a==b, 11>

Symbolic Arithmetic Operator (1/2)


• Symbolic arithmetic operator is similar to symbolic compare oper-ator– Pops operands from the stack, applies operator to the operands, and

pushes the result to the stack


&a a&b b&c c

Symbolic memorySymbolic stack if (a == b) {__CrestBranch(37, 11, 1); /* Creates symbolic expression match =

match = 1; */__CrestLoad(41, (unsigned long )(& match),

(long long )match);__CrestLoad(40, (unsigned long )0, (long long )1);__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


<NULL, 0>

<NULL, 1>

Symbolic Arithmetic Operator (2/2)


• If at least one of operands is symbolic, the result is also symbolic– Otherwise, the result is concrete


&a a&b b&c c

Symbolic memorySymbolic stack if (a == b) {__CrestBranch(37, 11, 1); /* Creates symbolic expression match = match

= 1; */__CrestLoad(41, (unsigned long )(& match),

(long long )match);__CrestLoad(40, (unsigned long )0, (long long )1);__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


<NULL, 2>

Symbolic Assignment (1/1)


• __CrestStore(int id, unsigned long *ptr) function pops one ele-ment from the stack and update symbolic memory– If the popped element is concrete, just ignore it– If the element is symbolic

• If ptr has an entry in symbolic memory, the corresponding symbolic expression is updated• Otherwise, a new entry is added to symbolic memory


&a a&b b&c c

Symbolic memorySymbolic stack

__CrestApply2(39, 0, (long long )(match + 1));__CrestStore(42, (unsigned long )(& match)); match ++;


Symbolic PC


Conclusion


• CREST does not support full ANSI-C semantics– No symbolic pointer dereference– Only linear integer arithmetic– No bit-wise operator– And so on

• To support them, we need to improve CREST’s dy-namic symbolic interpreter engine

• I hope this presentation will be a good starting point

crest internal

Documents