Towards Symbolic Pointers Reasoning in Dynamic Symbolic Execution

TL;DR

This paper enhances dynamic symbolic execution by enabling symbolic reasoning about memory addresses, which improves branch coverage and bug detection in software testing.

Contribution

It introduces symbolic address reasoning in DSE, using new modeling techniques and SMT-based analysis to uncover more program branches.

Findings

Increased program branch coverage through symbolic address reasoning.

Discovery of new symbolic branches not found by previous tools.

Enhanced memory modeling techniques outperform existing methods.

Abstract

Dynamic symbolic execution is a widely used technique for automated software testing, designed for execution paths exploration and program errors detection. A hybrid approach has recently become widespread, when the main goal of symbolic execution is helping fuzzer increase program coverage. The more branches symbolic executor can invert, the more useful it is for fuzzer. A program control flow often depends on memory values, which are obtained by computing address indexes from user input. However, most DSE tools don't support such dependencies, so they miss some desired program branches. We implement symbolic addresses reasoning on memory reads in our dynamic symbolic execution tool Sydr. Possible memory access regions are determined by either analyzing memory address symbolic expressions, or binary searching with SMT-solver. We propose an enhanced linearization technique to model memory accesses. Different memory modeling methods are compared on the set of programs. Our evaluation shows that symbolic addresses handling allows to discover new symbolic branches and increase the program coverage.