OptSE: Toward Optimal Symbolic Execution

IF 5.6 1区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

IEEE Transactions on Software Engineering Pub Date : 2025-03-02 DOI:10.1109/TSE.2025.3564666

Shunkai Zhu;Jun Sun;Jingyi Wang;Xingwei Lin;Peng Cheng

{"title":"OptSE: Toward Optimal Symbolic Execution","authors":"Shunkai Zhu;Jun Sun;Jingyi Wang;Xingwei Lin;Peng Cheng","doi":"10.1109/TSE.2025.3564666","DOIUrl":null,"url":null,"abstract":"Symbolic execution is a powerful technique that can accurately synthesize program inputs for program testing. However, the scalability of symbolic execution is often limited by the capability of the constraint solver and time for testing. With limited time budget, it is desirable to optimally select paths for symbolic execution and furthermore variables for symbolization in order to achieve the maximum code coverage. In this work, we make two technical contributions towards solving this problem. First, different from most existing solving strategies based on heuristic path selection, we formally define the ‘optimal’ strategy based on <italic>the reward of executing a given program path considering both possible code coverage and the cost of constraint solving.</i> We further prove that the problem of identifying the optimal strategy for symbolic execution can be reduced to a classic knapsack problem, whose decision problem form is NP-complete. Second, in view of the complexity in identifying the optimal strategy, we design a practical greedy algorithm, named <sc>OptSE</small>, for approximating the optimal strategy. We implemented <sc>OptSE</small> in KLEE and extensively evaluate it on a diverse set of programs. The results show that <sc>OptSE</small> is effective, i.e., achieving 12% more code coverage and detects 17% more security violations than the state-of-the-art symbolic execution tool and outperforming a collection of strategies that only consider either path selection, solving strategies or simply superimpose them.","PeriodicalId":13324,"journal":{"name":"IEEE Transactions on Software Engineering","volume":"51 7","pages":"1934-1949"},"PeriodicalIF":5.6000,"publicationDate":"2025-03-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Software Engineering","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10982522/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Symbolic execution is a powerful technique that can accurately synthesize program inputs for program testing. However, the scalability of symbolic execution is often limited by the capability of the constraint solver and time for testing. With limited time budget, it is desirable to optimally select paths for symbolic execution and furthermore variables for symbolization in order to achieve the maximum code coverage. In this work, we make two technical contributions towards solving this problem. First, different from most existing solving strategies based on heuristic path selection, we formally define the ‘optimal’ strategy based on the reward of executing a given program path considering both possible code coverage and the cost of constraint solving. We further prove that the problem of identifying the optimal strategy for symbolic execution can be reduced to a classic knapsack problem, whose decision problem form is NP-complete. Second, in view of the complexity in identifying the optimal strategy, we design a practical greedy algorithm, named OptSE, for approximating the optimal strategy. We implemented OptSE in KLEE and extensively evaluate it on a diverse set of programs. The results show that OptSE is effective, i.e., achieving 12% more code coverage and detects 17% more security violations than the state-of-the-art symbolic execution tool and outperforming a collection of strategies that only consider either path selection, solving strategies or simply superimpose them.

查看原文本刊更多论文

OPTSE：走向最佳符号执行

符号执行是一种强大的技术，可以准确地合成程序测试的程序输入。然而，符号执行的可伸缩性经常受到约束求解器的能力和测试时间的限制。在有限的时间预算下，为了实现最大的代码覆盖率，最好选择符号化执行路径和符号化变量。在这项工作中，我们为解决这个问题做出了两项技术贡献。首先，与大多数现有的基于启发式路径选择的求解策略不同，我们正式定义了基于执行给定程序路径的奖励的“最优”策略，考虑了可能的代码覆盖率和约束求解的成本。进一步证明了符号执行的最优策略识别问题可以简化为一个经典的背包问题，其决策问题的形式是np完全的。其次，考虑到最优策略识别的复杂性，设计了一种实用的贪心算法OptSE来逼近最优策略。我们在KLEE实施了OptSE，并在一系列不同的项目中对其进行了广泛的评估。结果表明，OptSE是有效的，即比最先进的符号执行工具实现12%的代码覆盖率，检测17%的安全违规，并且优于仅考虑路径选择，解决策略或简单叠加策略的策略集合。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Software Engineering 工程技术-工程：电子与电气

CiteScore

9.70

自引率

10.80%

发文量

724

审稿时长

6 months

期刊介绍： IEEE Transactions on Software Engineering seeks contributions comprising well-defined theoretical results and empirical studies with potential impacts on software construction, analysis, or management. The scope of this Transactions extends from fundamental mechanisms to the development of principles and their application in specific environments. Specific topic areas include: a) Development and maintenance methods and models: Techniques and principles for specifying, designing, and implementing software systems, encompassing notations and process models. b) Assessment methods: Software tests, validation, reliability models, test and diagnosis procedures, software redundancy, design for error control, and measurements and evaluation of process and product aspects. c) Software project management: Productivity factors, cost models, schedule and organizational issues, and standards. d) Tools and environments: Specific tools, integrated tool environments, associated architectures, databases, and parallel and distributed processing issues. e) System issues: Hardware-software trade-offs. f) State-of-the-art surveys: Syntheses and comprehensive reviews of the historical development within specific areas of interest.