Presentation is loading. Please wait.

Presentation is loading. Please wait.

Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

Published byBeatrice Janice Wilkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University"— Presentation transcript:

1 Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University
Woodpecker: Verifying Systems Rules Using Rule-Directed Symbolic Execution Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

2 Systems Programs Must Obey Rules
E.g., assert(x); p = malloc(len);  free(p); fp = fopen(f);  fclose(fp); Atomic file update fp = fopen(/etc/passwd’); fwrite(fp, …); fsync(fp); // must do fsync() before rename() // can not unlink(/etc/passwd) Rename(/etc/passwd’, /etc/passwd);

3 Verifying Rules: Static Analysis
strcmp(s,“-”)!=0 High coverage Do not miss bugs Too many false positives Much labor to inspect T F fp=fopen(s,“r”); fp=stdin; s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

4 Verifying Rules: Symbolic Execution
strcmp(s,“-”)!=0 Pros No false positives Bounded verification Detect serious bugs E.g., [KLEE OSDI ‘08] [S2E ASPLOS ‘11] [DyTa ICSE ‘11] T F fp=fopen(s,“r”); fp=stdin; s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

5 Symbolic Execution (cont.)
strcmp(s,“-”)!=0 Problem: path explosion Hard to explore all Heuristics: miss bugs T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); BOMB! !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

6 Our Key Insight strcmp(s,“-”)!=0 Although the number of program paths is enormous, only a small portion of the paths are relevant to a checked rule T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

7 Our Key Insight strcmp(s,“-”)!=0 Although the number of program paths is enormous, only a small portion of the paths are relevant to a checked rule Challenge: how to soundly prune paths? T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

8 Rule-Directed Symbolic Execution
Soundly prune redundant paths w.r.t. rules Explore one path, and statically peek into the off-the-path branches Woodpecker Leverage a path slicing algo [PEREGRINE SOSP ‘11] Integrated with [KLEE OSDI ‘08] Can leverage powerful techniques in KLEE Builtin + user-written checkers

9 Sneak Preview of Results
136 popular systems programs, 545K LOC coreutils, shadow, cvs, git, … Five rule checkers Assert, MemLeak, OpenClose, File, DataLoss Verified 3.4x more programs and 4.6x more paths than KLEE, for quick 1H runs. 17x more paths for 4H Detected 113 bugs, including 10 serious data loss errors git: 7 (same pattern) confirmed (corrupting source repositories) useradd: 1 fix (missing /etc/default/useradd file)

10 Outline Example Evaluation Conclusion

11 Example T F F T F T T F strcmp(s,“-”)!=0 fp=fopen(s,“r”); fp=stdin;
(c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

12 Recording an Execution Trace
symbolic name and data strcmp(s,“-”)!=0 $ cat foo.txt T F Execution Trace fp=fopen(s,“r”); fp=stdin; Branch Statements executed True strcmp(s, “-”) fp = fopen(s); True (c = fgetc(fp)) != EOF False c < 32 && c != ‘\n’ putchar(c); False (c = fgetc(fp)) != EOF True s[0] != ‘-’ || ![1] fclose(fp); (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] Do all these branches relevant??? T F fclose(fp); exit(0);

13 Challenges in Pruning Branches Soundly
Control dependency Data dependency Events dependency fp=fopen(); fp=fopen(); fp=fopen(); ... s[0]!=‘-’ s[0]!=‘-’ p[0]=‘-’; ... fclose(fp); exit(0); s[0]!=‘-’ T F fclose(fp); fclose(fp); exit(0); fclose(fp);

14 Pruning Irrelevant Paths Soundly
strcmp(s,“-”)!=0 T F Execution Trace fp=fopen(s,“r”); fp=stdin; Branch Statements executed True strcmp(s, “-”) fp = fopen(s); True (c = fgetc(fp)) != EOF False c < 32 && c != ‘\n’ putchar(c); False (c = fgetc(fp)) != EOF True s[0] != ‘-’ || ![1] fclose(fp); (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] Sound and exponential reduction. T F fclose(fp); exit(0);

15 Evaluation Setup Program: 136 widely used systems utilities
coreutils, shadow, cvs, git, tar, sed. Parameters (same as [KLEE OSDI ‘08] when possible) Input bound: three 2-bytes symbolic arguments for coreutils and shadow, four 8-bytes symbolic arguments for others. Time bound: 1 hour for each coreutils and shadow, 12 hours for others. Evaluation question: Verification: how effective is rule-directed symbolic execution? Bug detection: can Woodpecker find serious rule violations?

16 1-hour Verification Results
Checkers # Programs # Programs Verified % Paths Relevant Woodpecker KLEE Assert 57 13 3 56.8 16.2 MemoryLeak 103 32 7 61.3 12.7 OpenClose 72 19 4 59.2 15.3 FileAccess 120 40 12 65.4 20.9 DataLoss 35 89.4 71.1 Total 387 111 33 62.9 16.7 4-hour Verification Results Verified 17x more paths

17 # of Rule Violations Discovered
Detected 113 rule violations, including 10 data loss errors git: 7 (same pattern) confirmed (corrupting source repo) useradd: 1 fix (missing /etc/default/useradd file)

18 Conclusion Insight on verifying systems rules: only a small portion of paths are relevant to a checked rule. Woodpecker: rule-directed symbolic execution. Results Verified more programs and paths. Detected serious bugs.

19 Q & A

Download ppt "Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University"

Similar presentations

PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.

PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
KLEE: Effective Testing of Systems Programs

KLEE: Effective Testing of Systems Programs
A Survey of Approaches for Automated Unit Testing

A Survey of Approaches for Automated Unit Testing
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Parrot: A Practical Runtime for Deterministic, Stable, and Reliable Threads Heming Cui, Jiri Simsa, Yi-Hong Lin, Hao Li, Ben Blum, Xinan Xu, Junfeng Yang,

Parrot: A Practical Runtime for Deterministic, Stable, and Reliable Threads Heming Cui, Jiri Simsa, Yi-Hong Lin, Hao Li, Ben Blum, Xinan Xu, Junfeng Yang,
Effectively Model Checking Real-World Distributed Systems Junfeng Yang Joint work with Huayang Guo, Ming Wu, Lidong Zhou, Gang Hu, Lintao Zhang, Heming.

Effectively Model Checking Real-World Distributed Systems Junfeng Yang Joint work with Huayang Guo, Ming Wu, Lidong Zhou, Gang Hu, Lintao Zhang, Heming.
Static Technique. Static Technique - Review  A way of testing software work products  Program code, requirement spec., design spec.  Test plan, test.

Static Technique. Static Technique - Review  A way of testing software work products  Program code, requirement spec., design spec.  Test plan, test.
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.

Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Program Analysis Using Randomization Sumit Gulwani, George Necula (U.C. Berkeley)

Program Analysis Using Randomization Sumit Gulwani, George Necula (U.C. Berkeley)
1 Advanced Material The following slides contain advanced material and are optional.

1 Advanced Material The following slides contain advanced material and are optional.
Applying Dynamic Analysis to Test Corner Cases First Penka Vassileva Markova Madanlal Musuvathi.

Applying Dynamic Analysis to Test Corner Cases First Penka Vassileva Markova Madanlal Musuvathi.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Formal verification Marco A. Peña Universitat Politècnica de Catalunya.

Similar presentations

Ads by Google