-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Concolic execution mode? #381
Comments
I had a look at the paper, thanks! The tool's high-level descriptionIt seems that what the tool is doing is:
This makes sense. Kinda interesting. I haven't worked on the concrete fuzzing part of HEVM, though, so I can't comment. But this would indeed be a valid way to make use of the symbolic execution capabilities of HEVM in the concrete fuzzing case. Essentially, analyzing the current set of explored paths, take the most interesting ones to give to the symbolic framework [1], and checking if it can be mutated into a path/coverage that hasn't been seen before. Here, [1] is:
Which is basically the most obvious thing to do given how AFL works,, but it does indeed make sense. A cool trick (something to think about!)Something that I found interesting in the paper, and may help with symbolic execution is that
This is something worth thinking about -- doing a more "loose" approach, where we don't guarantee completeness but can explore more. It'd be not symbolic/concolic or concrete, but rather a loose-symbolic, but it could be good enough to find counterexamples when things explode. Side-noteI don't quite agree with the authors' view of "compartments":
I understand that it's easy to think of code as if they had some "wide" holes and some "tiny" holes that fuzzers need to pass through, but I think that's quite a simplistic view of executables. It probably helps in some cases, but I am not convinced. Perhaps I'm wrong. |
This is possible today. Currently symbolic execution proceeds as follows:
Given the above framework, one approach to achieve what you want would be to insert a concretization step before simplification, where you would substitute symbolic variables in the summary with concrete values. Simplification should then reduce the term to it's most concrete form, giving less branches and simplier queries. As a side note I would be very happy to discuss integration of hevm's symbolic features into echidna on a call if you're interested. I think there is a lot of potential there, and it's not something that we really have the bandwidth to explore at the EF right now. |
Ended up including concolic execution in echidna in this PR. Had to hack it in, by feeding a custom |
I was wondering if hevm plans to support a symbolic execution mode where concrete inputs can be used to refine or prune the exploration. The typical example is what is explained in the Driller paper:
The text was updated successfully, but these errors were encountered: