Path-Exploration Lifting: Hi-Fi Tests for Lo-Fi Emulators

摘要

Processor emulators arc widely used to provide isolation and insi.ru-menlation of binary software. However they have proved dilfieult to implement correctly: processor specilicalions have many coiner cases that are not exercised by common workloads. It is untenable to base other system security properties on the correctness of emulators that have received only ad-hoc testing. To obtain emulators that are worthy of the required trust, we propose a technique to explore a high-fidelity emulator with symbolic execution, and then lift those test eases to test a lower-fidelity emulator. The high fidelity emulator serves as a proxy for the hardware specification, but we can also further validate by running the tests on real hardware. We implement our approach and apply it to generate about 610.000 test cases; for about 95% of the instructions we achieve complete path coverage. The tests reveal thousands of individual differences: we analyze those differences to shed light on a number of root causes, such as atomicity violations and missing security features.