University of Minnesota
Program Analysis for Security

Symbolic execution, part 3

Patrice Godefroid, Adam Kiezun, and Michael Y. Levin. “Grammar-based whitebox fuzzing”. In Programming Language Design and Implementation (PLDI), pages 206–215, Tucson, AZ, USA, June 2008.
[ACM]

Kin-Keung Ma, Khoo Yit Phang, Jeffrey S. Foster, and Michael Hicks. “Directed symbolic execution”. In Static Analysis Symposium (SAS), pages 95–111, Venice, Italy, September 2011.
[Springer]

Question: One of the papers referenced in the second of the main readings is a somewhat older one by J. M. Morris on “A general axiom of assignment”. Because of its age, it isn't as easily available online as more recent CS papers tend to be. If you wanted to read this paper, what would you need to do to get a copy? Do a little preliminary research on the web to see what your options would be: they might differ in terms of the cost or the time before you got access. (As of this writing I was able to find “3 and a half” possibilities.)

Optional

Domagoj Babić, Lorenzo Martignoni, Stephen McCamant, and Dawn Song. “Statically-directed dynamic automated test generation”. In International Symposium on Software Testing and Analysis (ISSTA), pages 12–22, Toronto, ON, Canada, July 2011.
[ACM]

This paper describes a technique using symbolic execution to create test cases for warnings found by static analysis of a dynamically disassembled binary representation. It also represents another example (along with the SAS paper in the main readings) of a technique for guiding symbolic execution to a particular program location.

Patrice Godefroid and Daniel Luchaup. “Automatic partial loop summarization in dynamic test generation”. In International Symposium on Software Testing and Analysis (ISSTA), pages 23–33, Toronto, ON, Canada, July 2011.
[ACM]

Another important research question in symbolic execution, exemplified by this paper, is how to deal more efficiently with loops than just unrolling every iteration as a separate branch.

Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. “Unleashing Mayhem on binary code”. In IEEE Symposium on Security and Privacy “Oakland”, pages 380–394, San Francisco, CA, USA, May 2012.
[IEEE Xplore]

In addition to focusing more explicitly on security vulnerabilities, this paper describes some techniques for dealing efficiently with lookup tables.