system analysis & symbolic execution (celeste,caberio,arboleda)
7/31/2019 System Analysis & Symbolic Execution (Celeste,Caberio,Arboleda)
STATIC ANALYSIS & SYMBOLIC EXECUTION
-
STATIC ANALYSIS
> is the analysis of source code without execution
> is usually conducted by looking for error signatures or patterns that have caused problems in earlier programs.
Static program analysis is the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis).
-
Static program analysis
The term is usually applied to the analysis
performed by an automated tool, with human
analysis being called program understanding,
program comprehension or code review.
-
Some of the implementation techniques of formal static analysis include:
> Model checking considers systems that have finite state or may be reduced to finite state by abstraction;
> Data-flow analysis is a lattice-based technique for gathering information about the possible set of values;
> Abstract interpretation models the effect that every statement has on the state of an abstract machine (i.e., it 'executes' the software based on the mathematical properties of each statement and declaration).
-
> Use of assertions in program code as first suggested by Hoare logic. There is tool support for some programming languages (e.g., the SPARK programming language (a subset of Ada) and the Java Modeling Language JML using ESC/Java and ESC/Java2, ANSI/ISO C Specification Language for the C language).
-
In the area of static analyses we continuously assign project-, seminar-, Bachelor- and Master theses. If none of the open topics suits your particular interests then just come to our offices or write me an email (Michael Eichberg), we may find a topic in which we are both interested.
-
Symbolic Execution
-
In Figure 1, the path condition (PC) is initially true. If the program takes the if statement's then branch, the path condition will be X
-
This JPF extension performs symbolic execution of Java programs. One of the main applications is automated generation of test inputs that obtain high coverage (e.g. path coverage) of code. Other applications include error detection in concurrent programs that take inputs from unbounded domains and lightweight theorem proving.
-
Symbolic execution, sometimes referred to as symbolic evaluation, does not execute a program in the traditional sense of the word. The notion of execution requires that a selection of paths through the program are exercised by a set of data values. A program which is executed using actual data results in the output of a series of values. In symbolic execution the data is replaced by symbolic values. A set of expressions, one expression per output variable, is produced.
-
The most common approach to symbolic execution is to perform an analysis of the program, resulting in the creation of a flow graph.
-
Difficulties facing symbolic execution
There are four areas which give rise to considerable difficulty for symbolic execution: the evaluation of loops; a dilemma over how to process module calls (calls to functions, procedures, subroutines and subprograms); the evaluation of array references dependent on input values; and checking the feasibility of paths.
-
The first problem concerns loops. Symbolic execution cannot proceed beyond a loop unless the number of iterations is known. When the number of iterations is dependent upon the input variables, determining the number of iterations requires the solution of recurrence relations. Such a solution, if derivable, is likely to yield a symbolic expression as opposed to an actual value.
-
The second problem involves module calls. The term module call is used here to refer to the invocation of any out-of-line code. This includes subprograms that are compiled separately from the invoking program, internal subroutines, procedures and functions. The dilemma concerning module calls is whether to treat them using the macroexpansion approach or the lemma approach.
-
Test data generation:
The symbolic input values in the expressions produced for each output variable can be substituted with actual values. The values substituted constitute a test case and the evaluation of the expression provides the corresponding output value. The creation of such values may be automated by using a numerical optimiser. The PC is used as a set of constraints and the solution to an arbitrary objective function is used as a test case. This method of automatically generating comprehensive test data is likely to yield a smaller test set than other approaches, such as random testing.
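The symbolic execution and test data generation slides above, worked through in code. This is an added example, not part of the original slides: the tuple-based program encoding, the sample swap program and the function names are constructed for illustration, and a brute-force search over a small integer domain stands in for the numerical optimiser or constraint solver.

```python
import operator
from itertools import product

OPS = {"+": operator.add, "-": operator.sub, ">": operator.gt, "<=": operator.le}
NEG = {">": "<=", "<=": ">"}  # negated comparison for the else branch

def subst(e, env):
    """Rewrite an expression over program variables into one over input symbols."""
    if isinstance(e, tuple):
        return (e[0], subst(e[1], env), subst(e[2], env))
    return env.get(e, e)  # variable -> current symbolic value; constants unchanged

def evaluate(e, inputs):
    """Evaluate a symbolic expression for concrete values of the input symbols."""
    if isinstance(e, tuple):
        return OPS[e[0]](evaluate(e[1], inputs), evaluate(e[2], inputs))
    return inputs.get(e, e)

def paths(block, env, pc):
    """Yield (path condition, final symbolic state) for each path through block."""
    if not block:
        yield pc, env
        return
    stmt, rest = block[0], block[1:]
    if stmt[0] == "assign":
        yield from paths(rest, {**env, stmt[1]: subst(stmt[2], env)}, pc)
    else:  # ("if", cond, then_block, else_block): fork and extend the PC
        op, a, b = subst(stmt[1], env)
        yield from paths(stmt[2] + rest, env, pc + [(op, a, b)])
        yield from paths(stmt[3] + rest, env, pc + [(NEG[op], a, b)])

def solve(pc, symbols, domain=range(-3, 4)):
    """Brute-force stand-in for a constraint solver; None means no input found."""
    for values in product(domain, repeat=len(symbols)):
        inputs = dict(zip(symbols, values))
        if all(evaluate(c, inputs) for c in pc):
            return inputs
    return None

# Constructed sample program: swap x and y when x > y, then re-test the order.
PROGRAM = [("if", (">", "x", "y"),
            [("assign", "x", ("+", "x", "y")),
             ("assign", "y", ("-", "x", "y")),
             ("assign", "x", ("-", "x", "y")),
             ("if", (">", "x", "y"), [("assign", "bad", 1)], [])],
            [])]

def analyse():
    start = {"x": "X", "y": "Y", "bad": 0}  # X and Y are the symbolic inputs
    return [(pc, env, solve(pc, ["X", "Y"])) for pc, env in paths(PROGRAM, start, [])]
```

Of the three paths returned by analyse(), the one that sets bad has no satisfying input (its PC requires both X > Y and Y > X), which is the path-feasibility check listed among the difficulties; the other two each yield one concrete test case.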
-
Partition analysis:
Partition analysis is another technique that makes use of the output from symbolic execution to determine test data. It uses symbolic execution to identify sub-domains of the input data domain
-
Program reduction:
King describes how symbolic execution can be used to achieve program reduction. This is the act of taking a program and producing another program containing fewer statements. The result is a simpler program consistent with the original, but operating over a smaller domain. This is useful when re-using software where only a sub-set of the cases handled are required. A major step forward will have taken place in software engineering when the re-use of software is normal practice. Program reduction is a step towards this goal.