Automated Concolic Testing of Smartphone Apps Saswat Anand Stanford Univ. Mayur Naik Georgia Tech. Hongseok Yang Univ. of Oxford Mary Jean Harrold Georgia.

Slides:

Advertisements

Similar presentations

Chapter 18 Building the user interface. This chapter discusses n Javas graphical user interface. n Swing: an enhancement of a library called the Abstract.

Advertisements

Android Application Development Tutorial. Topics Lecture 6 Overview Programming Tutorial 3: Sending/Receiving SMS Messages.

The Derivative in Graphing and Application

View-Based Application Development Lecture 1 1. Flows of Lecture 1 Before Lab Introduction to the Game to be developed in this workshop Comparison between.

Higher Order Universal One-Way Hash Functions Deukjo Hong Graduate School of Information Security, Center for Information Security Technologies, Korea.

Services. Application component No user interface Two main uses Performing background processing Supporting remote method execution.

A Survey of Approaches for Automated Unit Testing

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Symbolic Execution with Mixed Concrete-Symbolic Solving

Mantis: Automatic Performance Prediction for Smartphone Applications Byung-Gon Chun Microsoft Yongin Kwon, Sangmin Lee, Hayoon Yi, Donghyun Kwon, Seungjun.

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

Dynodroid: Dynamic Analysis of Smartphone Apps

Application Fundamentals Android Development. Announcements Posting in D2L Tutorials.

Symbolic execution © Marcelo d’Amorim 2010.

Symbolically Executing Mobile Apps: The Good, the Bad, and the Ugly Mayur Naik Georgia Tech Joint work with Saswat Anand and Hongseok Yang.

Chapter 6 Jam! Implementing Audio in Android Apps.

Chapter 6: Jam! Implementing Audio in Android Apps.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION TESTING II Autumn 2011.

Android 101 Application Fundamentals January 29, 2010.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ClickToPhone. ClickToPhone User Levels Beginner (answering and calling only) Intermediate (+ texting) Advanced (+ music, gallery, clock) Expert (+ 3 rd.

Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.

Chien-Chung Shen Manifest and Activity Chien-Chung Shen

1 Skip Cave Chief Scientist, Intervoice Inc. Multimodal Framework Proposal.

CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.

CS5103 Software Engineering Lecture 08 Android Development II.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Getting to Know TiVo: The Home Media Engine (HME SDK) Eric M. Upchurch CS 525 Spring 2008.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

Mobile Application Development using Android Lecture 2.

16 Services and Broadcast Receivers CSNB544 Mobile Application Development Thanks to Utexas Austin.

Automated GUI testing How to test an interactive application automatically?

© Materna GmbH 2014www.materna.de1 Materna JMEDS Explorer for Android.

TXT29-1-1® Copyright Intrado Inc – All rights reserved.

Testing Testing Techniques to Design Tests. Testing:Example Problem: Find a mode and its frequency given an ordered list (array) of with one or more integer.

Automated GUI testing How to test an interactive application automatically?

Introduction for Families. Seesaw gives your child a place to document their learning, be creative and learn how to use technology. Seesaw is a new way.

ANDROID L. Grewe Components  Java Standard Development Kit (JDK) (download) (latest version)  AndroidStudio.

Georgia Institute of Technology More on Creating Classes part 2 Barb Ericson Georgia Institute of Technology Oct 2005.

1 x 2 Game 1: One Player Game If you select a number sentence, give the answer. If you select an answer give the number sentence that has that answer.

Andy Xie [s ].  Still in development  Need testing platform  Inspect the working of the planner  Simulate Environment Changes  Simulate Moving.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

See it. Click it. Get it. INTERACTIVE VIDEO “Where Psychology Meets Technology” THE FUTURE IS NOW.

Automated Network Repair with Meta Provenance

PROGRAMMING TESTING B MODULE 2: SOFTWARE SYSTEMS 22 NOVEMBER 2013.

Improving Structural Testing of Object-Oriented Programs via Integrating Evolutionary Testing and Symbolic Execution Kobi Inkumsah Tao Xie Dept. of Computer.

Services Background operating component without a visual interface Running in the background indefinitely Differently from Activity, Service in Android.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

MUSIC GENRE JUKEBOX. CLIENT SPECIFICATIONS Audio Player Create, delete, and modify play lists Play, pause, stop, skip, fast forward, and rewind Send Streaming.

Lecture 2: Android Concepts

Events. Slide 2©SoftMoore Consulting Events Events are generated when a user interacts with the view objects of an application. Examples –button clicked–

Week 6 MondayTuesdayWednesdayThursdayFriday Testing III Reading due Group meetings Testing IVSection ZFR due ZFR demos Progress report due Readings out.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Speech Service & client(Activity) 오지영.

A Beautiful gift for every Muslim Android & IOS application.

Paul Ammann & Jeff Offutt

Android Mobile Application Development

Automated Pattern Based Mobile Testing

Android Application Development android.cs.uchicago.edu

2018 CONFERECE WEB APP

CS5103 Software Engineering

Android Topics UI Thread and Limited processing resources

Elided to examples only

IV. Convolutional Codes

Reactive Android Development

CUTE: A Concolic Unit Testing Engine for C

CSE 1020:Software Development

Gesto: Mapping UI Events to Gestures and Voice Commands

Presentation transcript:

Automated Concolic Testing of Smartphone Apps Saswat Anand Stanford Univ. Mayur Naik Georgia Tech. Hongseok Yang Univ. of Oxford Mary Jean Harrold Georgia Tech.

Motivation

Problems with Smartphone Apps

Automatically generate test inputs for bounded exhaustive testing of smartphone apps Problem

Test Inputs for Apps Whole-program testing Test input is a sequence of events e 1, e 2 …, e n Types of events: a tap on the screen, change in geo-location, arrival of a SMS message, etc.

Bounded Exhaustive Testing of Apps S, the set of all event sequences* s.t. each sequence takes a unique path *of bounded-length Set of covered branches Goal: cover these

1.Generate individual events 2.Generate sequences of events Two subproblems

Generating Individual Events An event is associated with data o X & Y coordinates of a tap event o geo-location of a change-in-geo-location event o content of an incoming SMS event o etc. Data determine which program path is taken Challenge: Generate the “right” data for events

Example: Music Player App Play Pause Stop Eject Rewind Skip

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(136, 351)

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(248, 351)

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(360, 351)

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(24, 351)

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(136, 493)

Example: Music Player App public void onClick(View target) { if (target == play) startService(new Intent(ACTION_PLAY)); else if (target == pause) startService(new Intent(ACTION_PAUSE)); else if (target == skip) startService(new Intent(ACTION_SKIP)); else if (target == rewind) startService(new Intent(ACTION_REWIND)); else if (target == stop) startService(new Intent(ACTION_STOP)); else if (target == eject) showUrlDialog(); } tap(305, 544)

Existing alternatives Random Testing o Cannot perform systematic/exhaustive testing Platform-specific tools (e.g., hierarchy viewer in Android) o Limited to GUI Events o Cannot handle third-party GUI widgets Generating Individual Events

Our solution Use concolic execution to generate data associated with events

F T F T tap(int x, int y){ 1 if (x>2 && x 1 && y<3) 3 W1_clicked(); 4 else 5 W2_clicked(); 6 }else 7 W3_clicked(); } Generating Individual Tap Events x>2 && x<4 y>1 && y<3

Generating Individual Tap Events tap(1, 5) F T F T x>2 && x<4 y>1 && y<3

Generating Individual Tap Events tap(1, 5) F1 !(x>2 && x<4) W3_clicked() F T F T x>2 && x<4 y>1 && y<3 (x>2 && x<4) tap(3, 5)

(x>2 && x<4) Generating Individual Tap Events tap(1, 5) T1 (x>2 && x 1 && y<3) W2_clicked() tap(3, 5) F T F T x>2 && x<4 y>1 && y<3 (x>2 && x 1 && y<3) tap(3, 2)

Generating Individual Tap Events tap(1, 5) (x>2 && x 1 && y<3) tap(3, 5)tap(3, 2) T1 (x>2 && x 1 && y<3) W1_clicked() F T F T x>2 && x<4 y>1 && y<3

Example: Music Player App ❖ ❖ ❖ ❖❖ ❖ ❖❖ ❖ ❖ ❖

1.Generate individual events 2.Generate sequences of events Two subproblems

Generating Sequences of Events Concatenate individual events generated by concolic execution.

Baseline Algorithm Set of covered branches S, Set of all event sequences s.t. each sequence takes a unique path Baseline algorithm Goal: cover these

Number of sequences generated for Music Player app by baseline algorithm Baseline Algorithm Suffers from Path Explosion

ACTEve Algorithm ACTEve: Automated Concolic Testing of Event-driven programs

ACTEve Algorithm Set of covered branches R s.t. R ⊆ S S, Set of all event sequences s.t. each sequence takes a unique path Baseline algorithm ACTEve algorithm Goal: cover these ACTEve is relatively sound

Path Subsumption Maps memory location to values (symbolic or concrete) Path constraint Program state in concolic execution

Program entry Path Subsumption

Program entry Path Subsumption

Checking path subsumption is very expensive in general o Constraint implication check o Matching memory map But, path subsumption can be checked cheaply in special cases o Read-only events o Events whose mutual ordering does not matter o etc. Path Subsumption

Read-only Events Program Entry

❖ ❖ ❖ ❖❖❖ ❖ ❖ ❖❖ ❖ Read-only Events Read-only events are represented as ❖

ACTEve System Architecture

Empirical Study Apply ACTEve and baseline algorithms o event sequences of length up to 4 o 16 concurrently running emulators o time budget of 12 hours Measured three metrics o running time o number of feasible paths o number of satisfiability checks

Empirical Results

Future Work Widget Explosion

1.Concolic execution to generate individual events 2.ACTEve: an efficient algorithm for bounded exhaustive testing of event- driven programs o Requires only a small fraction (5-36%) of time compared to baseline algorithm 3.Implementation for Android Main Contributions

Backup slides

Read-only Events Program Entry

Output of Android’s “Hierarchy Viewer” tool A Solution: Use Platform-specific Knowlege

void onTouchEvent(MotionEvent e) { int rawX = (int) e.getX(); int rawY = (int) e.getY(); int x = (rawX – MARGIN) / SIZE; int y = (rawY – MARGIN) / SIZE; if (x >= 0 && x = 0 & y < 3) { int cell = x + 3 * y; … } Output of Android’s “Hierarchy Viewer” tool

Program Entry Covered branches same program location Path Subsumption

Program Entry Covered branches same program location Path Subsumption

Path constraint when PAUSE button is tapped on Example: Music Player App