Concolic testing explained

Concolic testing (a portmanteau of concrete and symbolic, also known as dynamic symbolic execution) is a hybrid software verification technique that performs symbolic execution, a classical technique that treats program variables as symbolic variables, along a concrete execution (testing on particular inputs) path. Symbolic execution is used in conjunction with an automated theorem prover or constraint solver based on constraint logic programming to generate new concrete inputs (test cases) with the aim of maximizing code coverage. Its main focus is finding bugs in real-world software, rather than demonstrating program correctness.

A description and discussion of the concept was introduced in "DART: Directed Automated Random Testing" by Patrice Godefroid, Nils Klarlund, and Koushik Sen.[1] The paper "CUTE: A concolic unit testing engine for C",[2] by Koushik Sen, Darko Marinov, and Gul Agha, further extended the idea to data structures, and first coined the term concolic testing. Another tool, called EGT (renamed to EXE and later improved and renamed to KLEE), based on similar ideas was independently developed by Cristian Cadar and Dawson Engler in 2005, and published in 2005 and 2006.[3] PathCrawler[4] [5] first proposed to perform symbolic execution along a concrete execution path, but unlike concolic testing PathCrawler does not simplify complex symbolic constraints using concrete values. These tools (DART and CUTE, EXE) applied concolic testing to unit testing of C programs and concolic testing was originally conceived as a white box improvement upon established random testing methodologies. The technique was later generalized to testing multithreaded Java programs with,[6] and unit testing programs from their executable codes (tool OSMOSE).[7] It was also combined with fuzz testing and extended to detect exploitable security issues in large-scale x86 binaries by Microsoft Research's SAGE.[8] [9]

The concolic approach is also applicable to model checking. In a concolic model checker, the model checker traverses states of the model representing the software being checked, while storing both a concrete state and a symbolic state. The symbolic state is used for checking properties on the software, while the concrete state is used to avoid reaching unreachable state. One such tool is ExpliSAT by Sharon Barner, Cindy Eisner, Ziv Glazberg, Daniel Kroening and Ishai Rabinovitz[10]

Birth of concolic testing

Implementation of traditional symbolic execution based testing requires the implementation of a full-fledged symbolic interpreter for a programming language. Concolic testing implementors noticed that implementation of full-fledged symbolic execution can be avoided if symbolic execution can be piggy-backed with the normal execution of a program through instrumentation. This idea of simplifying implementation of symbolic execution gave birth to concolic testing.

Development of SMT solvers

An important reason for the rise of concolic testing (and more generally, symbolic-execution based analysis of programs) in the decade since it was introduced in 2005 is the dramatic improvement in the efficiency and expressive power of SMT Solvers. The key technical developments that lead to the rapid development of SMT solvers include combination of theories, lazy solving, DPLL(T) and the huge improvements in the speed of SAT solvers. SMT solvers that are particularly tuned for concolic testing include Z3, STP, Z3str2, and Boolector.

Example

Consider the following simple example, written in C:

void f(int x, int y)

Simple random testing, trying random values of x and y, would require an impractically large number of tests to reproduce the failure.

We begin with an arbitrary choice for x and y, for example x = y = 1. In the concrete execution, line 2 sets z to 2, and the test in line 3 fails since 1 ≠ 100000. Concurrently, the symbolic execution follows the same path but treats x and y as symbolic variables. It sets z to the expression 2y and notes that, because the test in line 3 failed, x ≠ 100000. This inequality is called a path condition and must be true for all executions following the same execution path as the current one.

Since we'd like the program to follow a different execution path on the next run, we take the last path condition encountered, x ≠ 100000, and negate it, giving x = 100000. An automated theorem prover is then invoked to find values for the input variables x and y given the complete set of symbolic variable values and path conditions constructed during symbolic execution. In this case, a valid response from the theorem prover might be x = 100000, y = 0.

Running the program on this input allows it to reach the inner branch on line 4, which is not taken since 100000 (x) is not less than 0 (z = 2y). The path conditions are x = 100000 and xz. The latter is negated, giving x < z. The theorem prover then looks for x, y satisfying x = 100000, x < z, and z = 2y; for example, x = 100000, y = 50001. This input reaches the error.

Algorithm

Essentially, a concolic testing algorithm operates as follows:

  1. Classify a particular set of variables as input variables. These variables will be treated as symbolic variables during symbolic execution. All other variables will be treated as concrete values.
  2. Instrument the program so that each operation which may affect a symbolic variable value or a path condition is logged to a trace file, as well as any error that occurs.
  3. Choose an arbitrary input to begin with.
  4. Execute the program.
  5. Symbolically re-execute the program on the trace, generating a set of symbolic constraints (including path conditions).
  6. Negate the last path condition not already negated in order to visit a new execution path. If there is no such path condition, the algorithm terminates.
  7. Invoke an automated satisfiability solver on the new set of path conditions to generate a new input. If there is no input satisfying the constraints, return to step 6 to try the next execution path.
  8. Return to step 4.

There are a few complications to the above procedure:

Commercial success

Symbolic-execution based analysis and testing, in general, has witnessed a significant level of interest from industry . Perhaps the most famous commercial tool that uses dynamic symbolic execution (aka concolic testing) is the SAGE tool from Microsoft. The KLEE and S2E tools (both of which are open-source tools, and use the STP constraint solver) are widely used in many companies including Micro Focus Fortify, NVIDIA, and IBM . Increasingly these technologies are being used by many security companies and hackers alike to find security vulnerabilities.

Limitations

Concolic testing has a number of limitations:

Tools

Many tools, notably DART and SAGE, have not been made available to the public at large. Note however that for instance SAGE is "used daily" for internal security testing at Microsoft.[12]

Notes and References

  1. Patrice Godefroid. Nils Klarlund. Koushik Sen. DART: Directed Automated Random Testing. Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation. 213 - 223. ACM. 2005. New York, NY. 2009-11-09. 0362-1340. https://web.archive.org/web/20080829223442/http://cm.bell-labs.com/who/god/public_psfiles/pldi2005.pdf. 2008-08-29. dead.
  2. Koushik Sen. Darko Marinov. Gul Agha. CUTE: a concolic unit testing engine for C. Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering. 263 - 272. ACM. 2005. New York, NY. 2009-11-09. 1-59593-014-0. https://web.archive.org/web/20100629114645/http://srl.cs.berkeley.edu/~ksen/papers/C159-sen.pdf. 2010-06-29. dead.
  3. Cristian Cadar. Vijay Ganesh. Peter Pawloski. David L. Dill. Dawson Engler. EXE: Automatically Generating Inputs of Death. Proceedings of the 13th International Conference on Computer and Communications Security (CCS 2006). ACM. 2006. Alexandria, VA, USA.
  4. Nicky Williams. Bruno Marre. Patricia Mouy. On-the-Fly Generation of K-Path Tests for C Functions. Proceedings of the 19th IEEE International Conference on Automated Software Engineering (ASE 2004), 20–25 September 2004, Linz, Austria. 290 - 293. IEEE Computer Society. 2004. 0-7695-2131-2.
  5. Nicky Williams. Bruno Marre. Patricia Mouy. Muriel Roger. PathCrawler: Automatic Generation of Path Tests by Combining Static and Dynamic Analysis. Dependable Computing - EDCC-5, 5th European Dependable Computing Conference, Budapest, Hungary, April 20–22, 2005, Proceedings. 281 - 292. Springer. 2005. 3-540-25723-3.
  6. Koushik Sen. Gul Agha. CUTE and jCUTE : Concolic Unit Testing and Explicit Path Model-Checking Tools. Computer Aided Verification: 18th International Conference, CAV 2006, Seattle, WA, USA, August 17–20, 2006, Proceedings. 419 - 423. Springer. August 2006. 2009-11-09. 978-3-540-37406-0. https://web.archive.org/web/20100629124609/http://srl.cs.berkeley.edu/%7Eksen/pubs/paper/cuteTool.ps. 2010-06-29. dead.
  7. Sébastien Bardin. Philippe Herrmann. Structural Testing of Executables. Proceedings of the 1st IEEE International Conference on Software Testing, Verification, and Validation (ICST 2008), Lillehammer, Norway.. 22 - 31. IEEE Computer Society. April 2008. 978-0-7695-3127-4.,
  8. Patrice Godefroid. Michael Y. Levin. David Molnar. Automated Whitebox Fuzz Testing. TR-2007-58. Microsoft Research. 2007.
  9. Patrice Godefroid. Random testing for security: blackbox vs. whitebox fuzzing. Proceedings of the 2nd international workshop on Random testing: co-located with the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2007). 1. ACM. 2007. New York, NY. 2009-11-09. 978-1-59593-881-7.
  10. Sharon Barner, Cindy Eisner, Ziv Glazberg, Daniel Kroening, Ishai Rabinovitz: ExpliSAT: Guiding SAT-Based Software Verification with Explicit States. Haifa Verification Conference 2006: 138-154
  11. Web site: Software.
  12. Web site: Microsoft PowerPoint - SAGE-in-one-slide. SAGE team. 2009. Microsoft Research. 2009-11-10.