PhD Defense: Framework Synthesis for Symbolic Execution of Event-Driven Frameworks

Symbolic execution is a powerful program analysis technique, but it is very challenging to apply to programs built using event-driven frameworks, such as Android. The main reason is that the framework code itself is too complex to symbolically execute. The standard solution is to manually create a framework model that is simpler and more amenable to symbolic execution. However, developing and maintaining such a model by hand is difficult and error-prone.
We claim that we can leverage program synthesis to introduce a high-degree of automation to the process of framework modeling. To support this thesis, we present three pieces of work. First, we introduce SymDroid, a symbolic executor for Android. While Android apps are written in Java, they are compiled to Dalvik bytecode format. Instead of analyzing an app's Java source, which may not be available, or decompiling from Dalvik back to Java, which requires significant engineering efforts and introduces yet another source of potential bugs in an analysis, SymDroid works directly on Dalvik bytecode.
Second, to scale program synthesis up to framework models, we devise adaptive concretization, a novel program synthesis algorithm that combines the best of the two major synthesis strategies: symbolic search, i.e., using SAT or SMT solvers, and explicit search, e.g., stochastic enumeration of possible solutions. Adaptive concretization parallelizes multiple sub-synthesis problems by partially concretizing highly influential unknowns in the original synthesis problem.
Lastly, we introduce Pasket, a new system that takes a first step forward automatically generating Java framework models to support symbolic execution. Pasket takes as input the framework API, together with tutorial programs that exercise the framework. From these artifacts and Pasket's internal knowledge of design patterns, Pasket synthesizes an executable framework model by instantiating design patterns, such that the behavior of a synthesized model on the tutorial programs matches that of the original framework. Thanks to adaptive concretization, Pasket can generate a large-scale model, e.g., thousands lines of code. In addition, we have used an Android model synthesized by Pasket and found that the model is sufficient to make SymDroid execute a range of apps.
Examining Committee:
Committee Chair: - Dr. Jeffrey S. Foster
Dean's Representative: - Dr. Donald Yeung
Committee Member(s) - Dr. Michael W. Hicks
- Dr. Hal Daume' III
- Dr. Armando Solar-Lezama