Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Visualizing Symbolic Execution
with Bokeh
Asankhaya Sharma
SRC:CLR
Symbolic Execution (SE)
• Analyzing a program to determine what inputs
cause each part of a program to execute
[Wikipedia]...
Path Condition (PC)
int max(int x, int
y, int z){
int m = x;
if(y>m && y>z)
m = y;
else if(z>m)
m = z;
return m;
}
max(1,3...
10 June 2015 PyData Singapore 4
m = x
m = y
y>m && y>z
z > m
m = z
return m
true
m=x
…∧y>m∧y>z …∧¬(y>m∧y>z)
…∧z>m
…∧¬(z>m)...
Path Exploration
PC: m0=x0∧y0>m0∧y0>z0∧m1=y0
PC1: y0>x0∧y0>z0∧3=y0
Negate first constraint
PC2: y0<=x0∧y0>z0∧3=y0
Check sa...
Why is SE useful?
• Automated Fuzzing
• Test Case Generation
• Debugging Error Traces
• Program Analysis
• …
10 June 2015 ...
Bottlenecks
• Path Explosion
– Loops and recursion
– Unbounded number of paths in a program
• Constraint Solving
– int is ...
Exploiting Undefined Behaviors for
Efficient Symbolic Execution [ICSE 14]
10 June 2015 PyData Singapore 8
Demo 1
• Symbolic execution with Pathgrind
– fuzz/fuzz.py
10 June 2015 PyData Singapore 9
Bokeh
• Bo(w)-Ke(ttle)
10 June 2015 PyData Singapore 10
10 June 2015 PyData Singapore 11
Demo 2
• Plotting with Bokeh
– Line Plot
– Scatter Plot
– Bokeh Server
10 June 2015 PyData Singapore 12
Visualizing SE
• Time Taken
– Generate path conditions (path exploration)
– Generate new inputs (by solving constraints)
1...
Demo 3
• Pathgrind + Bokeh = Visualize SE
– fuzz/plotfuzz.py
10 June 2015 PyData Singapore 14
10 June 2015 PyData Singapore 15
All paths are not equal
• Use Levenshtein distance to measure the
similarity between the path conditions when
represented ...
10 June 2015 PyData Singapore 17
Optimization for SE
• Prune paths that are >90% similar
– As measured using Levenshtein edit distance
10 June 2015 PyData ...
10 June 2015 PyData Singapore 19
10 June 2015 PyData Singapore 20
Take Away
• Symbolic Execution
• Using Bokeh to Visualize SE
• Identify Optimizations for SE
• Future
– Statically Samplin...
We are hiring …
Shape the future of software security at
SourceClear. By joining our team, you can help
define the way mod...
Thank You!
• Questions?
• Contact
– Twitter: @asankhaya
• Links
– Source Code:
https://github.com/codelion/pathgrind
– Sli...
Upcoming SlideShare
Loading in …5
×

Visualizing Symbolic Execution with Bokeh

634 views

Published on

Exploring symbolic execution using Bokeh, a Python based framework for data visualization.

Published in: Technology
  • Be the first to comment

Visualizing Symbolic Execution with Bokeh

  1. 1. Visualizing Symbolic Execution with Bokeh Asankhaya Sharma SRC:CLR
  2. 2. Symbolic Execution (SE) • Analyzing a program to determine what inputs cause each part of a program to execute [Wikipedia] • The idea – Execute the program with an input – Build a symbolic formula during execution which captures the path taken by the input through the program 10 June 2015 PyData Singapore 2
  3. 3. Path Condition (PC) int max(int x, int y, int z){ int m = x; if(y>m && y>z) m = y; else if(z>m) m = z; return m; } max(1,3,2) = 3 Inputs: x0,y0,z0 PC: true PC: m0=x0 PC: m0=x0∧y0>m0∧y0>z0 ∧m1=y0 Output: m1 10 June 2015 PyData Singapore 3
  4. 4. 10 June 2015 PyData Singapore 4 m = x m = y y>m && y>z z > m m = z return m true m=x …∧y>m∧y>z …∧¬(y>m∧y>z) …∧z>m …∧¬(z>m) …∧m=z …∧m=y Execution Tree
  5. 5. Path Exploration PC: m0=x0∧y0>m0∧y0>z0∧m1=y0 PC1: y0>x0∧y0>z0∧3=y0 Negate first constraint PC2: y0<=x0∧y0>z0∧3=y0 Check satisfiability using a constraint solver New Inputs: x0=3, y0=3, z0=2 Repeat SE with new inputs 10 June 2015 PyData Singapore 5
  6. 6. Why is SE useful? • Automated Fuzzing • Test Case Generation • Debugging Error Traces • Program Analysis • … 10 June 2015 PyData Singapore 6
  7. 7. Bottlenecks • Path Explosion – Loops and recursion – Unbounded number of paths in a program • Constraint Solving – int is easy but what about other data types floats, strings, bit vectors etc. – Handling data structures with pointers 10 June 2015 PyData Singapore 7
  8. 8. Exploiting Undefined Behaviors for Efficient Symbolic Execution [ICSE 14] 10 June 2015 PyData Singapore 8
  9. 9. Demo 1 • Symbolic execution with Pathgrind – fuzz/fuzz.py 10 June 2015 PyData Singapore 9
  10. 10. Bokeh • Bo(w)-Ke(ttle) 10 June 2015 PyData Singapore 10
  11. 11. 10 June 2015 PyData Singapore 11
  12. 12. Demo 2 • Plotting with Bokeh – Line Plot – Scatter Plot – Bokeh Server 10 June 2015 PyData Singapore 12
  13. 13. Visualizing SE • Time Taken – Generate path conditions (path exploration) – Generate new inputs (by solving constraints) 10 June 2015 PyData Singapore 13
  14. 14. Demo 3 • Pathgrind + Bokeh = Visualize SE – fuzz/plotfuzz.py 10 June 2015 PyData Singapore 14
  15. 15. 10 June 2015 PyData Singapore 15
  16. 16. All paths are not equal • Use Levenshtein distance to measure the similarity between the path conditions when represented as strings • Scatter plot of similarity using Bokeh 10 June 2015 PyData Singapore 16
  17. 17. 10 June 2015 PyData Singapore 17
  18. 18. Optimization for SE • Prune paths that are >90% similar – As measured using Levenshtein edit distance 10 June 2015 PyData Singapore 18
  19. 19. 10 June 2015 PyData Singapore 19
  20. 20. 10 June 2015 PyData Singapore 20
  21. 21. Take Away • Symbolic Execution • Using Bokeh to Visualize SE • Identify Optimizations for SE • Future – Statically Sampling of Paths – Probabilistic Analysis 10 June 2015 PyData Singapore 21
  22. 22. We are hiring … Shape the future of software security at SourceClear. By joining our team, you can help define the way modern developers identify and fix vulnerabilities in their code. Check out https://jobs.lever.co/sourceclear 10 June 2015 PyData Singapore 22
  23. 23. Thank You! • Questions? • Contact – Twitter: @asankhaya • Links – Source Code: https://github.com/codelion/pathgrind – Slides: http://asankhaya.github.io/ppt/PyDataSing.pptx 10 June 2015 PyData Singapore 23

×