KLEE

KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs, OSDI 2008

Question

Consider the following C program:

int main(void)
{
    int x, y;
    make_symbolic(&x, sizeof(x));
    if (x % 2 == 0) {
        y = 42 / x;
    } else if (x <= 10) {
        return 0;
    } else {
        y = x - 1;
    }
    printf("%d\n", y);
    return 0;
}

How many paths will reach the printf line, and what are their path conditions?

Question

List two types of bugs that can be caught by KLEE, as well as two types of bugs that cannot be caught by KLEE.

Question

Why do you think KLEE perform better than a simple enumeration strategy (e.g., checking all 2³² possible values of x in the above program)?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the paper and related topics (e.g., which parts you like and which parts you find confusing).

If you are interested, check the mini checker (the core part consists of ~10 lines of Python code) along with some examples.

demo: mini checker/fuzzer:
- examples: test_me, bad, find-first-bit (ffs) impls, optimized modulo
- bug finding vs verification?
history
- truth table, binary decision tree, binary decision diagram (BDD)
- 1962: DPLL algorithm
- 1971: SAT is NP-complete (The Complexity of Theorem-Proving Procedures, Stephen Cook)
- 1986: BDD (Graph-Based Algorithms for Boolean Function Manipulation, Randal Bryant)
- 2001: zChaff SAT solver
- 200x: SMT (SAT + theories)
building block for modern software
- many products: MS Office (FlashFill), Visual Studio (IntelliTest, StaticDV), …
- many tools: bug finding (e.g., STACK), cryptanalysis, verification (next lecture), OS kernel scalability & commutativity (in two weeks)
how to test systems code
- user/community testing
- standardized tests: SPEC, NIST crypto test vectors
- testsuites by developers
- tool-generated tests
challenges of test generation
- what spec to test against
- coverage
- comprehensible output
- environment modeling
- performance
two examples
- OS kernel: complex input sources & state transitions
- compiler: deep pipeline
- q: use random bytes to test syscalls/gcc?
problem: generate “useful” tests
- blackbox: infinite monkey theorem
- domain knowledge: Csmith, trinity (syscalls), qemu img fuzzer
- whitebox (implementation knowledge): KLEE, SAGE, Catchconv
optimizations
- algorithms & heuristics
- implementation: data structures (immutable/functional - recall RCU), caching, parallel checking, IR choice, symbolic-concrete trade-off, …
optimization: input equivalence
- observation: if two inputs cause a program to go through the same path (i.e., the same jumps), then it’s a waste of time
- use symbolic execution to find distinctive inputs - how?
approach A
- run with symbolic input
- invoke the scheduler at each branch
- scheduler: fork the world & prune infeasible branch
- q: how exactly does the fork-and-prune optimization work?
approach B
- run with concrete input
- track symbolic branch conditions
- choose new input by flipping branch
- start over until no more new input
- q: how exactly does the optimization work?
heuristics
- space is huge & often cannot exhaust
- prioritize important/likely bugs
- domain-specific heuristics
- q: what would you do to test kernels? distributed systems?