From burhan_250 at live.de Fri Apr 25 16:46:51 2025
From: burhan_250 at live.de (Burhan Akin Y)
Date: Fri, 25 Apr 2025 15:46:51 +0000
Subject: [klee-dev] Is running KLEE on arbitrary programs safe?
Message-ID:

Dear KLEE Community,

I am using KLEE to generate test cases for arbitrary programs on GitHub. This includes generating test cases for potentially malware-infected/related repositories.

From my understanding of the original paper, KLEE does static code analysis and uses a theorem prover in the backend. Does KLEE do anything else beyond making variables symbolic, exploring paths and solving constraints?

From my understanding, the only potential danger in generating test cases is when encountering compiler bombs or any other resource-intensive programs, which can be limited by ulimit.

Once the test cases are generated, I would like to get coverage metrics using klee-stats and gcov. klee-stats is a Python script which only reads stats from the files produced during symbolic execution. There is no security risk involved here either.

But to use gcov we explicitly have to execute the program using klee-replay or by setting the KTEST_FILE variable and running the program. Only at this point should one use a virtual environment to take into account that any malware will be executed.

I would like to have some confirmation of my security concerns when using KLEE. I am not interested in repositories which explicitly target exploits in KLEE and make even test generation a dangerous operation.

Best regards
Akin Y.

From f.busse17 at imperial.ac.uk Fri Apr 25 17:27:33 2025
From: f.busse17 at imperial.ac.uk (Frank Busse)
Date: Fri, 25 Apr 2025 18:27:33 +0200
Subject: [klee-dev] Is running KLEE on arbitrary programs safe?
In-Reply-To:
References:
Message-ID: <20250425182733.6789c755@lemmy>

Hi,

On Fri, 25 Apr 2025 15:46:51 +0000 Burhan Akin Y wrote:

> From my understanding of the original paper, KLEE does static code
> analysis and uses a theorem prover in the backend. Does KLEE do
> anything else beyond making variables symbolic, exploring paths and
> solving constraints?

KLEE does dynamic analysis and works roughly like an interpreter for LLVM bitcode. That means, when your program under test does funny things, KLEE will do funny things.

Kind regards,
Frank
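An added example, not part of the thread, of what Frank's point means in practice: compiled to bitcode (`clang -emit-llvm -c -g -O0 -DUSE_KLEE side_effect.c`) and run with `klee --libc=uclibc --posix-runtime side_effect.bc`, the symbolic `cmd` steers exploration into the branch that calls `fopen`, and the write lands on the host file system, because KLEE carries out the program's real side effects rather than just reasoning about them. The `USE_KLEE` macro and the marker path are assumptions of this example; built natively without the macro, the same program runs one concrete path.

```c
/* Added example (not the klee-dev thread's code): a program whose
 * interesting path performs a native side effect. Under KLEE the
 * symbolic input reaches that path during test generation, and the
 * file write really happens on the host. */
#include <stdio.h>
#include <string.h>

#ifdef USE_KLEE
#include "klee/klee.h"   /* assumed: KLEE's public header, present in a KLEE build */
#endif

/* Pure decision logic: returns 1 on the path that leads to the native call. */
int reaches_native_call(const char *cmd)
{
    return strncmp(cmd, "go", 2) == 0;
}

/* The side effect KLEE will carry out once a path reaches it: a host
 * file write. Returns 0 on success, -1 if the file cannot be opened. */
int do_side_effect(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("written by the program under test\n", f);
    fclose(f);
    return 0;
}

int main(void)
{
    char cmd[8];
#ifdef USE_KLEE
    klee_make_symbolic(cmd, sizeof cmd, "cmd");  /* KLEE explores both branches */
    cmd[sizeof cmd - 1] = '\0';
#else
    strcpy(cmd, "go");                           /* concrete run takes the side-effect path */
#endif
    if (reaches_native_call(cmd))
        return do_side_effect("/tmp/klee_side_effect_marker"); /* assumed marker path */
    return 0;
}
```

The marker file appearing while `klee` (not `klee-replay`) runs is the observable proof that the sandboxing discussed in the thread has to cover the test-generation step too, not only replay.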