Enhancing Dynamic Symbolic Execution by Automatically Learning Search Heuristics

TL;DR

This paper introduces a method to automatically learn effective search heuristics for dynamic symbolic execution, significantly improving code coverage and bug detection over manually designed heuristics.

Contribution

It proposes a parametric search heuristic and an algorithm to automatically find the optimal heuristic for each program, enhancing symbolic execution performance.

Findings

Outperforms existing heuristics in branch coverage

Achieves higher bug detection rates

Effective with industrial-strength tools like KLEE

Abstract

We present a technique to automatically generate search heuristics for dynamic symbolic execution. A key challenge in dynamic symbolic execution is how to effectively explore the program's execution paths to achieve high code coverage in a limited time budget. Dynamic symbolic execution employs a search heuristic to address this challenge, which favors exploring particular types of paths that are most likely to maximize the final coverage. However, manually designing a good search heuristic is nontrivial and typically ends up with suboptimal and unstable outcomes. The goal of this paper is to overcome this shortcoming of dynamic symbolic execution by automatically learning search heuristics. We define a class of search heuristics, namely a parametric search heuristic, and present an algorithm that efficiently finds an optimal heuristic for each subject program. Experimental results with industrial-strength symbolic execution tools (e.g., KLEE) show that our technique can successfully generate search heuristics that significantly outperform existing manually-crafted heuristics in terms of branch coverage and bug-finding.