From Tareq.Nazir at aau.at Wed Oct 5 10:26:35 2022
From: Tareq.Nazir at aau.at (Nazir, Tareq Mohammed)
Date: Wed, 5 Oct 2022 09:26:35 +0000
Subject: [klee-dev] Regarding getting variable names from KLEE

Hi,

I would like to know if I can get variable names of the source code in the KLEE engine. I would also like to know if the KLEE engine is storing the variable name information while executing the LLVM bitcode symbolically.

For example: from the C code below, I want to get the buffer variable name. Is it possible or not?

    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        char *buffer = malloc(5);
        buffer[6] = 'a';   /* intended heap overflow: 5-byte allocation, write at index 6 */
        return 0;
    }

Thanks and Regards,
Tareq Mohammed Nazir

From f.busse at imperial.ac.uk Wed Oct 5 12:05:43 2022
From: f.busse at imperial.ac.uk (Frank Busse)
Date: Wed, 5 Oct 2022 12:05:43 +0100
Subject: [klee-dev] Regarding getting variable names from KLEE
Message-ID: <20221005120543.509b6da2@gyali>

Hi,

On Wed, 5 Oct 2022 09:26:35 +0000
"Nazir, Tareq Mohammed" wrote:

> I would like to know if I can get variable names of the source code
> in KLEE engine. Would also like to know if KLEE engine is storing the
> variable name information while executing the llvm bitcode
> symbolically.
>
> For example : From the below C code I want to get the buffer variable
> name is it possible or not.
>
> int main(int argc, char *argv[])
> {
>     char *buffer = malloc(5);
>     buffer[6] = 'a';
>     return 0;
> }

There are at least two options:

1) you compile your code with debug information (-g) and recover the
   information from there (LLVM API):

   !15 = !DILocalVariable(name: "buffer", scope: !10, file: !1, line: 4, type: !16)

2) or you tell clang to keep variable names (-fno-discard-value-names)
   and it will generate bitcode like:

   %buffer = alloca i8*, align 8
   store i8* %call, i8** %buffer, align 8
   %0 = load i8*, i8** %buffer, align 8

   instead of:

   %2 = alloca i8*, align 8
   store i8* %3, i8** %2, align 8
   %4 = load i8*, i8** %2, align 8

Kind regards,

Frank

From jryans at gmail.com Wed Oct 5 13:59:43 2022
From: jryans at gmail.com (J. Ryan Stinnett)
Date: Wed, 5 Oct 2022 13:59:43 +0100
Subject: [klee-dev] Regarding getting variable names from KLEE

On Wed, 5 Oct 2022 at 10:28, Nazir, Tareq Mohammed wrote:
> I would like to know if I can get variable names of the source code in KLEE engine. Would also like to know if KLEE engine is storing the variable name information while executing the llvm bitcode symbolically.

KLEE currently thinks in terms of names at the LLVM IR level only, so this means it does not know about source-level local variables such as `buffer` in your example. When you compile with debug info enabled (e.g. the `-g` option with Clang), the IR does include additional DWARF-like metadata that maps back to source-level concepts.

My current research involves using KLEE to test this debug info, and as part of that work, I've been enhancing KLEE so that it can think in terms of source-level info using this metadata. I hope to eventually add this enhancement to upstream KLEE, but it may be a few months before I can do so.

It sounds like this enhancement would be useful to you as well. Do you need only the source-level variable names, or other source-level info as well?
- Ryan

From Tareq.Nazir at aau.at Wed Oct 5 14:10:02 2022
From: Tareq.Nazir at aau.at (Nazir, Tareq Mohammed)
Date: Wed, 5 Oct 2022 13:10:02 +0000
Subject: [klee-dev] Regarding getting variable names from KLEE

Hi Ryan,

Thanks for the reply.

Yes, I would need the source-level variable names and source-level info. We are currently trying to understand the vulnerabilities, such as heap overflow, that can be present in the source code. We are able to understand how the KLEE engine is able to detect a vulnerability, but we need a map between the information available to us from the memory space of KLEE and the source code. It would be really helpful if I could get this map between the KLEE memory space and the source code.

Thanks and Best Regards,
Tareq Mohammed Nazir

From jryans at gmail.com Wed Oct 5 18:24:57 2022
From: jryans at gmail.com (J. Ryan Stinnett)
Date: Wed, 5 Oct 2022 18:24:57 +0100
Subject: [klee-dev] Regarding getting variable names from KLEE

On Wed, 5 Oct 2022 at 14:10, Nazir, Tareq Mohammed wrote:
> Yes I would be needing the source-level variable names and source-level info. We are currently trying to understand the vulnerabilities such as heap overflow that can be present in the source code. We are able to understand the how KLEE engine is able to detect a vulnerability. But we need a map between the information available to us from Memory space of KLEE to the source code. It would be really helpful if I can get this map between the KLEE memory space and source code.

Makes sense, thanks for the additional detail. This sounds like my in-progress enhancement should indeed help you follow source-level state.

As Frank mentioned elsewhere in the thread, you may be able to use `-fno-discard-value-names` as a workaround for the moment, but that doesn't encode any of the source-level semantics that e.g. a debugger would follow; for proper source-level info, KLEE needs to make use of the debug info when present in the IR.

I did not see any existing issues about this in the KLEE repo, so I have filed one just now (https://github.com/klee/klee/issues/1552). We can use that issue to gauge interest in this enhancement and discuss any finer details as needed.

Thanks,
Ryan

From Tareq.Nazir at aau.at Wed Oct 5 20:58:47 2022
From: Tareq.Nazir at aau.at (Nazir, Tareq Mohammed)
Date: Wed, 5 Oct 2022 19:58:47 +0000
Subject: [klee-dev] Regarding getting variable names from KLEE
In-Reply-To: <20221005120543.509b6da2@gyali>
References: <20221005120543.509b6da2@gyali>

Hi Frank,

Thanks for the reply.

Yes, I have used the second option (-fno-discard-value-names) and I am able to see the variable name in the LLVM bitcode .ll file. But what I need is access to these variables in the KLEE engine. Also, I am trying to use DILocalVariable. I would like to know if it is possible to share an example where DILocalVariable is used to extract the variable name. This would be really helpful.

Thanks and Best Regards,
Tareq Mohammed Nazir

_______________________________________________
klee-dev mailing list
klee-dev at imperial.ac.uk
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev

From davidblubaugh2000 at yahoo.com Wed Oct 5 22:49:24 2022
From: davidblubaugh2000 at yahoo.com (David Blubaugh)
Date: Wed, 5 Oct 2022 21:49:24 +0000 (UTC)
Subject: [klee-dev] Video games and embedded systems???
References: <641253981.2896764.1665006564326.ref@mail.yahoo.com>
Message-ID: <641253981.2896764.1665006564326@mail.yahoo.com>

KLEE dev question. I was wondering if the KLEE environment has ever been used for a large application like a modern video game, or for development or testing of an embedded system such as a microcontroller or FPGA? Is this feasible?

Thanks

David

From m.nowack at imperial.ac.uk Thu Oct 6 11:42:38 2022
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Thu, 6 Oct 2022 10:42:38 +0000
Subject: [klee-dev] Video games and embedded systems???
In-Reply-To: <641253981.2896764.1665006564326@mail.yahoo.com>
References: <641253981.2896764.1665006564326.ref@mail.yahoo.com> <641253981.2896764.1665006564326@mail.yahoo.com>
Message-ID: <2F56FCA1-4F83-49D5-8227-1DF52FBB10DC@imperial.ac.uk>

Hi David,

Have a look at https://klee.github.io/publications for a multitude of use cases in which KLEE has been used successfully.

That said, the larger your application is, the more challenging it becomes to test it with any method. In those cases it becomes useful to test parts of the application independently instead of focusing on the full application at once.

Best,
Martin

From m.nowack at imperial.ac.uk Thu Oct 6 12:08:02 2022
From: m.nowack at imperial.ac.uk (Nowack, Martin)
Date: Thu, 6 Oct 2022 11:08:02 +0000
Subject: [klee-dev] Regarding getting variable names from KLEE
References: <20221005120543.509b6da2@gyali>
Message-ID: <43133B80-4EB9-4956-B667-BE7E53339CFC@imperial.ac.uk>

Hi Tareq,

I can highly recommend the following documents to get an understanding of the internal details of debug information and LLVM that KLEE uses in the first place:

* https://llvm.org/docs/SourceLevelDebugging.html
* https://llvm.org/docs/HowToUpdateDebugInfo.html

For the examples that you asked for, a good starting point for me is often the transformation passes of LLVM (llvm-project/llvm/lib/Transforms/), to get an idea of how different concepts are implemented and might work.
(Just one example: https://github.com/llvm/llvm-project/blob/53dc0f107877acad44824b1426986c7f88f4bc50/llvm/lib/Transforms/IPO/MergeFunctions.cpp#L566)

Good IDE support makes a huge difference in working through the source code and makes it slightly less painful.

Best,
Martin

From davidblubaugh2000 at yahoo.com Thu Oct 6 15:36:52 2022
From: davidblubaugh2000 at yahoo.com (David Blubaugh)
Date: Thu, 6 Oct 2022 14:36:52 +0000 (UTC)
Subject: [klee-dev] Video games and embedded systems???
In-Reply-To: <2F56FCA1-4F83-49D5-8227-1DF52FBB10DC@imperial.ac.uk>
References: <641253981.2896764.1665006564326.ref@mail.yahoo.com> <641253981.2896764.1665006564326@mail.yahoo.com> <2F56FCA1-4F83-49D5-8227-1DF52FBB10DC@imperial.ac.uk>
Message-ID: <764854200.3054056.1665067012194@mail.yahoo.com>

Martin,

Ok, thank you very much for your response. I greatly appreciate it.

I was wondering, is there any verified and validated methodology to divide a large application such as a modern video game into more testable subsystems, and then, once you combine those separately tested components back together, to ensure that there are no errors in the interface or interaction of those separately tested subprograms?

Thanks

David Blubaugh

From fighter9010 at gmail.com Sun Oct 23 06:44:43 2022
From: fighter9010 at gmail.com (hb wang)
Date: Sun, 23 Oct 2022 13:44:43 +0800
Subject: [klee-dev] Is it possible to implement compositional symbolic execution in KLEE

Hi,

I'm currently planning to verify an idea about compositional symbolic execution (CSE). But CSE is not officially supported by KLEE now, as far as I know. So I am eager to know whether it is possible to implement CSE in KLEE. If so, please give some suggestions about how to implement that.
Thank you very much~

From Tareq.Nazir at aau.at Sun Oct 23 13:44:02 2022
From: Tareq.Nazir at aau.at (Nazir, Tareq Mohammed)
Date: Sun, 23 Oct 2022 12:44:02 +0000
Subject: [klee-dev] Is it possible to implement compositional symbolic execution in KLEE
Message-ID: <0642a42a5e924a0a914023bd55fd1d8b@aau.at>

Hi,

Please find the paper below; is this related to the topic?

https://dl.acm.org/doi/abs/10.1145/2970276.2970281
MACKE: compositional analysis of low-level vulnerabilities with symbolic execution | Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering

Thanks and Best Regards,
Tareq Mohammed Nazir

From fighter9010 at gmail.com Mon Oct 24 02:50:40 2022
From: fighter9010 at gmail.com (hb wang)
Date: Mon, 24 Oct 2022 09:50:40 +0800
Subject: [klee-dev] Is it possible to implement compositional symbolic execution in KLEE
In-Reply-To: <0642a42a5e924a0a914023bd55fd1d8b@aau.at>
References: <0642a42a5e924a0a914023bd55fd1d8b@aau.at>

Thank you. I have read the paper you recommended. I know now that compositional analysis can be achieved in KLEE, but the details are not discussed in that paper. Is there any open source code for this?

From Tareq.Nazir at aau.at Mon Oct 24 08:17:44 2022
From: Tareq.Nazir at aau.at (Nazir, Tareq Mohammed)
Date: Mon, 24 Oct 2022 07:17:44 +0000
Subject: [klee-dev] Is it possible to implement compositional symbolic execution in KLEE
References: <0642a42a5e924a0a914023bd55fd1d8b@aau.at>

Hi,

Found the link below:

https://github.com/tum-i4/macke
GitHub - tum-i4/macke: Modular And Compositional analysis with KLEE Engine

Thanks and Best Regards,
Tareq Mohammed Nazir

From fighter9010 at gmail.com Mon Oct 24 10:46:47 2022
From: fighter9010 at gmail.com (hb wang)
Date: Mon, 24 Oct 2022 17:46:47 +0800
Subject: [klee-dev] Is it possible to implement compositional symbolic execution in KLEE
References: <0642a42a5e924a0a914023bd55fd1d8b@aau.at>

Great! I will look into the code. Thanks very much for the help.
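Added worked example for the first thread in this archive (not code from KLEE, LLVM or any of the posters): Frank Busse's option 1 keeps the source name in a `!DILocalVariable` node that `llvm.dbg.declare` attaches to the alloca, and Tareq asked how to extract it. The script below does that on the textual `.ll` form of a constructed `clang -O0 -g` module for the thread's `main`, and also resolves an instruction's `!dbg` attachment to a source line and column, which is the link between a KLEE memory-error report on an IR instruction and the source statement. The IR text, metadata ids and column numbers are constructed for this example, not taken from a real compile.

```python
"""Resolve LLVM IR values to source-level names through -g debug metadata.

Added example (not code from KLEE, LLVM or anyone in the thread).  It works
on the textual .ll form, so no LLVM installation is required.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed fragment in the shape of `clang -O0 -g -S -emit-llvm` output for
# the thread's main(), with value names discarded (%2 rather than %buffer).
# Assumed source numbering: line 4 is `char *buffer = malloc(5);`, line 5 is
# `buffer[6] = 'a';`, line 6 is `return 0;`.  The buffer node is the one from
# Frank's reply; scope/file/type nodes (!1, !10, !16) are referenced only.
SAMPLE_IR = r"""
define i32 @main(i32 %0, i8** %1) #0 !dbg !10 {
  %2 = alloca i8*, align 8
  call void @llvm.dbg.declare(metadata i8** %2, metadata !15, metadata !DIExpression()), !dbg !17
  %3 = call noalias i8* @malloc(i64 5), !dbg !18
  store i8* %3, i8** %2, align 8, !dbg !17
  %4 = load i8*, i8** %2, align 8, !dbg !19
  %5 = getelementptr inbounds i8, i8* %4, i64 6, !dbg !19
  store i8 97, i8* %5, align 1, !dbg !20
  ret i32 0, !dbg !21
}

!15 = !DILocalVariable(name: "buffer", scope: !10, file: !1, line: 4, type: !16)
!17 = !DILocation(line: 4, column: 11, scope: !10)
!18 = !DILocation(line: 4, column: 20, scope: !10)
!19 = !DILocation(line: 5, column: 5, scope: !10)
!20 = !DILocation(line: 5, column: 15, scope: !10)
!21 = !DILocation(line: 6, column: 5, scope: !10)
"""

# dbg.declare(<type> <alloca>, <DILocalVariable ref>, ...) and top-level !N = !DIxxx(...) nodes.
DBG_DECLARE = re.compile(r"@llvm\.dbg\.declare\(metadata [^,]+? (%[\w.]+), metadata (![0-9]+)")
METADATA_NODE = re.compile(r"^(![0-9]+) = !(DI\w+)\((.*)\)\s*$", re.MULTILINE)
FIELD = re.compile(r'(\w+): (?:"([^"]*)"|([^,)]+))')


def parse_metadata(ir: str) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Index every metadata node as id -> (kind, {field: value})."""
    nodes = {}
    for node_id, kind, body in METADATA_NODE.findall(ir):
        nodes[node_id] = (kind, {k: q or v.strip() for k, q, v in FIELD.findall(body)})
    return nodes


def local_variables(ir: str) -> Dict[str, Tuple[str, int]]:
    """Map each alloca announced by llvm.dbg.declare to (source name, declaration line).
    Frank's option 1: the IR value may be %2, but its DILocalVariable still says "buffer"."""
    nodes = parse_metadata(ir)
    out = {}
    for ssa_name, var_id in DBG_DECLARE.findall(ir):
        kind, fields = nodes.get(var_id, ("", {}))
        if kind == "DILocalVariable":
            out[ssa_name] = (fields["name"], int(fields["line"]))
    return out


def source_location(ir: str, instruction: str) -> Optional[Tuple[int, int]]:
    """Resolve an instruction's !dbg attachment to (line, column), or None when absent.
    KLEE reports memory errors against IR instructions; the DILocation ties that to source."""
    m = re.search(r"!dbg (![0-9]+)", instruction)
    if not m:
        return None
    kind, fields = parse_metadata(ir).get(m.group(1), ("", {}))
    return (int(fields["line"]), int(fields["column"])) if kind == "DILocation" else None


if __name__ == "__main__":
    print(local_variables(SAMPLE_IR))  # {'%2': ('buffer', 4)}
    print(source_location(SAMPLE_IR, "store i8 97, i8* %5, align 1, !dbg !20"))  # (5, 15)
```

On real output, feed the file produced by `clang -O0 -g -S -emit-llvm` to both functions; with `-fno-discard-value-names` added, the keys of `local_variables` become `%buffer`-style names, but the DILocalVariable mapping is what survives when names are discarded.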