Soteria: Efficient Symbolic Execution as a Functional Library
Sacha-Élie Ayoun, Opale Sjöstedt, Azalea Raad
TL;DR
Soteria tackles the trade-offs of IL-based symbolic execution by arguing for language-specific SE engines built directly over source semantics. The paper introduces Soteria, an OCaml library with a monadic SE interface that enables constructing engines like Soteriarust for Rust (including Tree Borrows) and Soteriac for C (WPST and bi-abduction) while maintaining soundness proofs and practical performance. Through formalisation, it shows that symbolic interpreters built on Soteria can achieve competitive or superior results to state-of-the-art IL-based tools, with demonstrations across real benchmarks and real-world code. The results suggest that direct-language SE, coupled with modular solvers and reusable data structures, can yield scalable, accurate, and configurable analyses with robust logging and verification guarantees, advancing the practicality of symbolic testing for systems languages. The work lays a foundation for broader language coverage (e.g., Python, concurrency) and solver automation, highlighting the potential of monadic, compositional SE frameworks over traditional IL approaches.
Abstract
Symbolic execution (SE) tools often rely on intermediate languages (ILs) to support multiple programming languages, promising reusability and efficiency. In practice, this approach introduces trade-offs between performance, accuracy, and language feature support. We argue that building SE engines \emph{directly} for each source language is both simpler and more effective. We present Soteria, a lightweight OCaml library for writing SE engines in a functional style, without compromising on performance, accuracy or feature support. Soteria enables developers to construct SE engines that operate directly over source-language semantics, offering \emph{configurability}, compositional reasoning, and ease of implementation. Using Soteria, we develop Soteria$^{\text{Rust}}$, the \emph{first} Rust SE engine supporting Tree Borrows (the intricate aliasing model of Rust), and Soteria$^{\text{C}}$, a compositional SE engine for C. Both tools are competitive with or outperform state-of-the-art tools such as Kani, Pulse, CBMC and Gillian-C in performance and the number of bugs detected. We formalise the theoretical foundations of Soteria and prove its soundness, demonstrating that sound, efficient, accurate, and expressive SE can be achieved without the compromises of ILs.