Input Validation with Symbolic Execution

TL;DR

This paper introduces InVaSion, a system that enhances symbolic execution by using a new input specification language to better handle complex, structured inputs, significantly improving code coverage.

Contribution

The paper presents InVaSion, a novel approach with an expressive input specification language that improves symbolic execution for complex input formats without requiring special theory solvers.

Findings

InVaSion increased branch coverage from 24.97% to 67.84%.

The input specification language can model complex formats like TIFF with about 35 states.

InVaSion works with any forking-based symbolic execution engine.

Abstract

Symbolic execution has always been plagued by the inability to handle programs that require highly structured inputs. Most often, the symbolic execution engine gets overwhelmed by the sheer number of infeasible paths and fails to explore enough feasible paths to gain any respectable coverage. In this paper, we propose a system, InVaSion, that attempts to solve this problem for forking-based symbolic execution engines. We propose an input specification language (ISL) that is based on a finite-state automaton but includes guarded transitions, a set of registers and a set of commands to update the register states. We demonstrate that our language is expressive enough to handle complex input specifications, like the Tiff image format, while not requiring substantial human effort; even the Tiff image specification could be specified in our language with an automaton of about 35 states. InVaSion translates the given program and the input specification into a non-deterministic program and uses symbolic execution to instantiate the non-determinism. This allows our tool to work with any forking-based symbolic execution engine and with no requirement of any special theory solver. Over our set of benchmarks, on an average, InVaSion was able to increase branch coverage from 24.97% to 67.84% over baseline KLEE.