0 votes
0 answers
37 views

I am studying the V# Symbolic Execution Engine for .NET (https://github.com/VSharp-team/VSharp). I'm using it to auto-generate unit tests. And it looks like V# does not drill into nested calls made ...
user3346684
1 vote
1 answer
202 views

I am working on a simple symbolic execution problem. The code is as follows // odd_even.c #include <stdio.h> int main(void) { int x; //yes x is uninitialized here, but that won't matter ...
Rinkesh P
  • 722
1 vote
1 answer
152 views

I am trying to solve the CTF example as given at 04_angr_symbolic_stack. As per the instructions, we have to setup the stack before proceeding with symbolic execution. Using binary ninja for ...
Rinkesh P
  • 722
-1 votes
1 answer
38 views

A common issue in symbolic execution is path explosion. Would using pruning and other heuristic strategies lead to decreased coverage and thus affect its effectiveness?
RJ J
  • 25
3 votes
0 answers
137 views

I am trying to obtain code coverage information from KLEE executions. Does KLEE support gcov? I know KLEE provides general coverage information in the istats files, but I want to combine the coverage ...
fabCic
  • 41
0 votes
1 answer
255 views

I have spent two days researching on Formal Methods and formal Verification to be more specific. I also came across Symbolic Execution and I don't know whether this is a formal verification technique? ...
0 votes
2 answers
963 views

In Angr, I have a code like this #include <stdio.h> typedef struct A_struct { int data1; int data2; } A; void bar(A* a){ a->data2 += 1; } void foo(A* a) { a->data1 += ...
damaoooo
0 votes
1 answer
85 views

I am trying to translate Z3::expr into a bit representation of a number in order to find out how many bits 1 the number contains and if the number of bits 1 is even, then I raise the flag. I wrote the ...
Leo Galante
1 vote
1 answer
123 views

For example, KLEE works on LLVM bitcode. Can we build symbolic execution directly on C source code?
RJ J
  • 25
0 votes
1 answer
60 views

I am trying to do "dynamic symbolic execution" with KLEE. How do I create a test case that targets a specified branch? int a = 0; klee_make_symbolic(&a, sizeof(a), "a"); if (a == 0) ...
bam
  • 5
0 votes
1 answer
130 views

I am researching symbolic execution based on the KLEE tool. I am running KLEE via Docker. I create a directory and save a C program file in that directory. But after exiting from KLEE, and again if I ...
Julie
  • 1
1 vote
1 answer
242 views

I'm currently testing out a few approaches on how to test and fuzz a C API. In the process thereof I found KLEE which runs the code symbolically, meaning that it tries to cover all branches that ...
NikLeberg
0 votes
1 answer
201 views

Intro Given a simple function written in C++ as below: int func(int x, int y) { if (x < 3) { y = 4; if (x < 4) { y = y + 2; } else ...
Farzan
  • 934
1 vote
0 answers
516 views

I'm trying to use angr to verify a function's behavior by deriving the correct input for a given result. The function modifies a buffer, in this case it simply copies the input to it, so I set up ...
ragingSloth
  • 1,104
1 vote
1 answer
755 views

I do not understand how symbolic execution is different from Whitebox fuzzing? From what I understand, Whitebox Fuzzers symbolically execute the code with some initial input format. Additionally, it ...
Madhuparna Bhowmik
0 votes
1 answer
606 views

I am trying to generate test cases using a symbolic execution logic based on the SMT Solver Z3. I have the following code. void foo(int a, int b, int c){ int x = 0, y = 0, z = 0; if(a){ ...
0 votes
0 answers
96 views

In which circumstances one cannot use symbolic execution for assertion checking? To illustrate, take the following example: int a = A, b = B, c = C; \\symbolic int x = 0, y = 0, z = 0; if (a){ x = -...
Elahe
  • 1,399
0 votes
0 answers
255 views

I'm adding support for instrumenting invokedynamic in a concolic engine and the way we currently instrument is by using a custom classloader that finds the resource related to that class in the class ...
Ignacio Lebrero
3 votes
0 answers
2k views

I'm new to angr, trying to solve a simple executable, it reads 3 characters and compare to string 'abc'. #include <iostream> using namespace std; int main() { char v[3]; scanf("%3s&...
aj3423
  • 3,171
0 votes
1 answer
662 views

I want to use angr to analyze an IoT firmware file. I have read the documentation of angr; however, I could not find a solution to analyze a firmware file. So how can angr generate a CFG file of firmware? or ...
Ali
  • 13
1 vote
1 answer
56 views

I am looking for a way to turn an SInt16 into an SString. For my use case, it is enough that it does the right thing for concrete values, i.e. I will only be looking at the SString result for concrete ...
Cactus
  • 27.8k
0 votes
1 answer
197 views

Based on this very helpful answer I rewrote my solver-for-a-stateful-program to use the Query monad and an ever-increasing list of SMT variables standing for the inputs. I expected one of two outcomes ...
Cactus
  • 27.8k
2 votes
1 answer
158 views

I have a stateful process that is modelled as an i -> RWS r w s a. I want to feed it an input cmds :: [i]; currently I do that wholesale: let play = runGame theGame . go where ...
Cactus
  • 27.8k
3 votes
1 answer
151 views

I have a static-length list of values ks :: [SInt16] and an index x :: SInt16. I'd like to index into the list using x: (.!) :: (Mergeable a) => [a] -> SInt16 -> a xs .! i = select xs (error &...
Cactus
  • 27.8k
1 vote
2 answers
228 views

I am trying to understand how Symbolic Execution engines work. This paper surveys the techniques using C. They mention about symbolic memory: 3.1 Fully Symbolic Memory At the highest level of ...
Lance Pollard
0 votes
1 answer
225 views

What is the best technique of symbolic execution? Would you please help me to find a pure symbolic execution and pure concolic testing tool (I mean, e.g. it is not including model checking, etc.) with ...
any
  • 365
0 votes
1 answer
454 views

What is the application of symbolic execution? Does symbolic execution only generate path conditions? How can I use symbolic execution to verify a contract?
any
  • 365
2 votes
1 answer
315 views

How can I implement symbolic execution for a particular language without using model checking and a Finite State Machine (FSM), for example not such as Java Path Finder? I need details about it. For ...
any
  • 365
9 votes
2 answers
3k views

What is the difference between symbolic execution and model checking (for example in model transformation)? I don't understand the difference between them. Are they the same?!
any
  • 365
4 votes
2 answers
5k views

What is the difference between implementation of static analysis and symbolic execution?
any
  • 365
1 vote
1 answer
508 views

What kind of errors can static analysis (e.g. a compiler) detect that symbolic execution cannot detect? And what kind of errors can symbolic execution detect that static analysis cannot detect? For ...
any
  • 365
0 votes
1 answer
125 views

I am using Angr, a framework for symbolic execution. It only accepts 'read' function in C for getting input. It solves a program in C and converts its symbolic value to concrete value and I get this ...
Mohammad Reza Dehghani Tafti
0 votes
3 answers
480 views

Are there any tools for symbolic execution on binaries? I mean tools using which we do not need to modify the source code - like klee_make_symbolic - or we can do such changes in IR (LLVM IR etc.). Thanks ...
hilly
  • 57
13 votes
4 answers
3k views

I recently read a paper titled "All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)" by Dr. EJ Schwartz. In the paper, he ...
Hongxu Chen
  • 5,400
10 votes
2 answers
5k views

I came across the terms "concrete & symbolic execution" when I was going through the concept of concolic testing. (The article mentioned there, "CUTE: A concolic unit testing engine for C", uses ...
Suhas Chikkanna
0 votes
1 answer
876 views

Is it possible to run Symbolic execution on Linux Kernel or parts of it? What about Concolic Testing? Thanks!
user3564532
1 vote
0 answers
70 views

Is there any tool for bit vectors (QF_BV logic) which will symbolically execute the operations and return the outputs in terms of symbolic values of the bit vectors so that I can apply my own ...
user3556033
2 votes
1 answer
377 views

I want to do points-to analysis in LLVM IR. I want it to be path sensitive, which means that when I print out the result, I need to append the condition for the "May" Points-to. I plan on using symbolic ...
blankboy2011
5 votes
1 answer
1k views

I'm considering using symbolic execution to test the robustness of programs written in a particular language such as java. I've read some papers introducing the basic concepts of symbolic execution. ...
clasnake
  • 349
3 votes
3 answers
575 views

Now I am confused about symbolic execution (SE) and reachability analysis (RA). As I know, SE uses symbols to execute some code to reach each branch with branch conditions. And RA can be used to find ...
Eve
  • 785