
A Survey of Symbolic Execution Techniques (1610.00502v3)

Published 3 Oct 2016 in cs.SE and cs.PL

Abstract: Many security and software testing applications require checking whether certain properties of a program hold for any possible usage scenario. For instance, a tool for identifying software vulnerabilities may need to rule out the existence of any backdoor to bypass a program's authentication. One approach would be to test the program using different, possibly random inputs. As the backdoor may only be hit for very specific program workloads, automated exploration of the space of possible inputs is of the essence. Symbolic execution provides an elegant solution to the problem, by systematically exploring many possible execution paths at the same time without necessarily requiring concrete inputs. Rather than taking on fully specified input values, the technique abstractly represents them as symbols, resorting to constraint solvers to construct actual instances that would cause property violations. Symbolic execution has been incubated in dozens of tools developed over the last four decades, leading to major practical breakthroughs in a number of prominent software reliability applications. The goal of this survey is to provide an overview of the main ideas, challenges, and solutions developed in the area, distilling them for a broad audience. The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc

Citations (612)

Summary

  • The paper demonstrates how symbolic execution systematically explores execution paths to reveal software vulnerabilities.
  • It employs techniques such as state merging, loop summarization, and concolic execution to mitigate state space explosion and constraint solving complexity.
  • The study highlights symbolic execution’s pivotal role in security testing, with practical impacts in Microsoft testing and DARPA challenges.

Overview of Symbolic Execution Techniques

The paper, "A Survey of Symbolic Execution Techniques" by Roberto Baldoni et al., provides a comprehensive examination of symbolic execution, a significant program analysis method in use since the mid-1970s. The technique is instrumental in checking whether certain properties of a program can be violated, such as freedom from division by zero or the impossibility of bypassing an authentication mechanism.

Core Concepts in Symbolic Execution

Symbolic execution systematically analyzes numerous execution paths without requiring concrete input values. It represents inputs as symbols, accumulates the branch conditions taken along each path as a path constraint, and uses constraint solvers to find concrete inputs that reach a path or violate a property. This approach enables a rich exploration of possible execution states and is a core technique in security analysis and software testing. The paper underscores the popularity of symbolic execution in various applications, notably in the DARPA Cyber Grand Challenge and its integration in major systems such as Microsoft's software testing processes.

Challenges and Strategies

The survey identifies several challenges inherent to symbolic execution:

  1. State Space Explosion: The combinatorial explosion of possible execution states, especially due to loops and recursive calls, poses scalability challenges. Innovative techniques like function and loop summarization, state merging, and path selection heuristics are employed to mitigate this issue.
  2. Memory Modeling: Accurately modeling memory, especially with pointers and complex data structures, is essential. Solutions include fully symbolic memory approaches, partial memory modeling, and lazy initialization for object-oriented constructs.
  3. Complexity of Constraint Solving: Constraint solving remains a bottleneck because generated path constraints can be large and complex. Employing efficient solvers, caching solutions, and combining symbolic with concrete execution (concolic execution) help alleviate this bottleneck.
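As an added illustration of the core concepts above (symbols, path constraints, solver-generated inputs) and of the concolic strategy in item 3, the following is a minimal concolic path explorer written for this summary; it is not code from the survey or from any tool it covers. The program is run on a concrete input while every branch predicate is recorded symbolically; negating one recorded predicate and solving yields a new input that drives execution down a different path. The `solve` function is a bounded brute-force search standing in for an SMT solver, and `toy` is a constructed target whose division-by-zero path is reachable only when `a == b`.

```python
import itertools
import operator

class Sym:
    """Symbolic integer expression; ev(env) evaluates it under a concrete assignment."""
    def __init__(self, ev, text):
        self.ev, self.text = ev, text
    def _bin(self, other, op, sign):
        o = other if isinstance(other, Sym) else Sym(lambda env, v=other: v, str(other))
        return Sym(lambda env: op(self.ev(env), o.ev(env)), f"({self.text} {sign} {o.text})")
    def __mul__(self, o): return self._bin(o, operator.mul, "*")
    def __eq__(self, o): return self._bin(o, operator.eq, "==")
    def __gt__(self, o): return self._bin(o, operator.gt, ">")
    def __invert__(self): return Sym(lambda env: not self.ev(env), f"!{self.text}")

def solve(constraints, names, domain):
    """Brute-force stand-in for an SMT solver: first assignment satisfying all constraints."""
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(c.ev(env) for c in constraints):
            return env
    return None                                     # path condition is infeasible

def explore(program, names, domain=range(-4, 5), max_paths=50):
    """Concolic exploration: run concretely, negate one branch predicate, solve, rerun."""
    paths, worklist = [], [[]]                      # worklist: branch prefixes to enforce
    while worklist and len(paths) < max_paths:
        prefix = worklist.pop()
        env = solve([p if t else ~p for p, t in prefix], names, domain)
        if env is None:
            continue                                # no input reaches this prefix: prune
        trace = []                                  # [(predicate, taken?)] for this run
        def branch(cond):                           # records each branch predicate evaluated
            trace.append((cond, bool(cond.ev(env))))
            return trace[-1][1]
        result = program(branch, *[Sym(lambda e, n=n: e[n], n) for n in names])
        pc = " && ".join((p if t else ~p).text for p, t in trace)
        paths.append((result, env, pc))             # one entry per distinct feasible path
        for i in range(len(prefix), len(trace)):    # fork on each newly seen branch
            worklist.append(trace[:i] + [(trace[i][0], not trace[i][1])])
    return paths

def toy(branch, a, b):
    """Constructed target: the division by (a - b) is reachable only when a == b."""
    x = a * 2
    if branch(x > b) and branch(a == b):
        return "div-by-zero"                        # 10 // (a - b) would fault here
    return "ok"
```

Calling `explore(toy, ["a", "b"])` returns three feasible paths, one of which carries the path condition `((a * 2) > b) && (a == b)` together with a concrete input (here `a = 1, b = 1`) that triggers the faulty division, which is exactly the kind of witness a symbolic execution tool reports.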

Numerical Results and Findings

The paper details practical implementations where symbolic execution significantly contributes to identifying software bugs and ensuring security compliance. For instance, Microsoft's usage of symbolic execution in product testing led to discovering a significant proportion of bugs through the process of file fuzzing.

Implications and Future Directions

Symbolic execution has extensively influenced automated testing and verification methodologies. Looking forward, the development of more robust SMT solvers and improved memory abstraction techniques would further enhance its efficacy. Moreover, merging symbolic execution with other techniques like fuzzing, taint analysis, and program synthesis opens promising avenues for future research.

Conclusion

Symbolic execution remains an indispensable tool in rigorous software testing and security verification. While challenges like path explosion and constraint solving complexity persist, ongoing research and advancements offer solutions to expand its applicability and efficiency across diverse computing landscapes. This survey serves as a substantial resource for researchers aiming to explore and contribute to this dynamic field.