EXecution generated Executions: Automatically generating inputs of death. Cristian Cadar, Vijay Ganesh, Peter M.Pawlowski, Dawson R Engler, David.Dill.

Slides:



Advertisements
Similar presentations
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Advertisements

1 Symbolic Execution Kevin Wallace, CSE
A Survey of Approaches for Automated Unit Testing
Delta Debugging and Model Checkers for fault localization
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving
Satisfiability Modulo Theories (An introduction)
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Model Counting >= Symbolic Execution Willem Visser Stellenbosch University Joint work with Matt Dwyer (UNL, USA) Jaco Geldenhuys (SU, RSA) Corina Pasareanu.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Panel on Decision Procedures Panel on Decision Procedures Randal E. Bryant Lintao Zhang Nils Klarlund Harald Ruess Sergey Berezin Rajeev Joshi.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
PROOF TRANSLATION AND SMT LIB CERTIFICATION Yeting Ge Clark Barrett SMT 2008 July 7 Princeton.
1 Predicate Abstraction of ANSI-C Programs using SAT Edmund Clarke Daniel Kroening Natalia Sharygina Karen Yorav (modified by Zaher Andraus for presentation.
DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
Validating High-Level Synthesis Sudipta Kundu, Sorin Lerner, Rajesh Gupta Department of Computer Science and Engineering, University of California, San.
EXecution generated Executions: Automatically generating inputs of death. Dawson Engler Cristian Cadar, Junfeng Yang, Can Sar, Paul Twohey Stanford University.
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.
Describing Syntax and Semantics
Looper: Lightweight Detection of Infinite Loops at Runtime Presenter: M. Amin Alipour Software Design Laboratory
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
1.3 Executing Programs. How is Computer Code Transformed into an Executable? Interpreters Compilers Hybrid systems.
S.P.L.O.T. - Software Product Lines Online Tools ( Marcilio Mendonca, Moises Branco, Donald Cowan, University of Waterloo, Canada.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.
Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Fundamentals of Algorithms MCS - 2 Lecture # 1
Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley
Elements of Computing Systems, Nisan & Schocken, MIT Press, 2005, Chapter 11: Compiler II: Code Generation slide 1www.idc.ac.il/tecs.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
Hai Wan School of Software Sun Yat-sen University KRW-2012 June 17, 2012 Boolean Program Repair Reverse Conversion Tool via SMT.
CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.
1 Test Selection for Result Inspection via Mining Predicate Rules Wujie Zheng
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,
Dynamic Symbolic Execution (aka, directed automated random testing, aka concolic execution) Slides by Koushik Sen.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
Computer Systems Laboratory Stanford University Clark W. Barrett David L. Dill Aaron Stump A Framework for Cooperating Decision Procedures.
Speaker: Nansen Huang VLSI Design and Test Seminar (ELEC ) March 9, 2016 Simulation-Based Equivalence Checking.
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Types for Programs and Proofs
CISC 7120X Programming Languages and Compilers
High Coverage Detection of Input-Related Security Faults
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Automatic Test Generation SymCrete
CSC-682 Advanced Computer Security
CISC 7120X Programming Languages and Compilers
CUTE: A Concolic Unit Testing Engine for C
IntScope: Automatically Detecting Integer overflow vulnerability in X86 Binary Using Symbolic Execution Tielei Wang, TaoWei, ZhingiangLin, weiZou Purdue.
Rich Model Toolkit – An Infrastructure for Reliable Computer Systems
Presentation transcript:

EXecution generated Executions: Automatically generating inputs of death. Cristian Cadar, Vijay Ganesh, Peter M.Pawlowski, Dawson R Engler, David.Dill Computer Systems Laboratory Stanford University Presented by Avinash Reddy Yeddula

Outline Introduction EXE STP EXE Optimizations Related work References

Goal is to find as many bugs as possible in the code Common Techniques: 1.Code review 2.Manual testing 3.Random testing 4.Dynamic tools 5.Static analysis While all the above methods are helpful, they have significant weaknesses. Introduction

Weaknesses: When the code is complex and huge, manual inspection is more challenging than usual. Manual testing is not feasible when the number of cases are very large. In the case of Random testing, blind generation makes hard to hit errors for narrow input range and also hard to hit errors that require structure. Static analysis inspects rather than executes the code. The disadvantage of dynamic analysis is the problem of determining whether the input you used and the executions you observed are generalizable to all possible inputs and executions. Introduction

The main insight behind EXE is that code can automatically generate its own test cases. Instead of running the code on manually or randomly constructed input, EXE runs it on symbolic input that is initially allowed to be anything. When code conditionally checks a symbolic expression EXE forks execution, constraining the expression to be true on the true branch and false on the other. EXE automatically generates a test case when a path terminates or hits a bug. EXE (Execution Generated Executions)

EXE uses a co-designed constraint solver called STP. Careful design of EXE and STP has resulted in a system with several novel features like 1.STP primitives let EXE build constraints for all c expressions with perfect accuracy. 2. Handles pointers and all kinds of bit operations

– Initial state: x unconstrained – Code will return 3 times. – Solve constraints at each return = 3 test cases. example int bad_abs(int x) { if(x < 0) return –x; if(x == ) return –x; return x; } int bad_abs_exe(int x) { if(fork() == child) constrain(x < 0); return -x; else constrain(x >= 0); if(fork() == child) constrain(x == ); return -x; else constrain(x != ); return x; }

EXE (Execution Generated Executions) int main(void){ Int i,t,a[4]={1,3,5,2}; Make_symbolic(&i); If(i>=4) exit(0); Char *p = (char *)a + i*4; *p=*p-1; t=a[*p]; // EXE catches potential overflow i=2 t=t/a[i]; // EXE catches div by 0 when i =0; Printf(“done”); } 3 main jobs exe compiler does

EXE (Execution Generated Executions) i>=4 a[*p] a[i]=0 Test1.out Test3.out Test2.out Add(i>=4) Add(i<4) Inbound a[*p] Outbound a[*p] A[i]==0A[i]!=0 Program ends 3 types of files. Real time examples

EXE (Execution Generated Executions) EXE executes each feasible path tracking all constraints. When a program path terminates its takes the help of STP. A path terminates when 1.Calls exit() 2.It crashes 3. assertion fails 4. EXE detects an error

STP Key Feature STP Primitives Mapping C code to STP constraints The key to speed: fast array constraints Measured performance

STP STP Primitives STP views memory as untyped bytes Provides 3 data types Boolean, bitvectors and array of bit vectors. STP has 2 expression types 1.Terms -- x + y -- returns values, x and y are 32 bitvector values 2.Formula – x + y <z -- returns Boolean

STP Mapping C code to STP constraints EXE uses STP to solve constraints on input as follows. First it tracks what memory locations has symbolic values Second, It translates expressions to bitvector based constraints

STP Mapping C code to STP constraints - Add symbolic variables -As the program executes, the table mapping concrete bytes to STP bitvectors grows in exactly 2 cases: 1.v=e; EXE builds the symbolic expression e sym and records that &v maps to e sym. 2. b[e], b sym, concrete values. Removes the mapping only when array is De- allocation.

STP Limitations of STP -Doesn’t support pointers directly. -Doesn’t support double pointers. Fast Array Constraints Measured performance STP and CVCL, STP is nearly 20 times faster than CVCL

EXE Optimizations Constraint Caching Constraint Independence optimization eg: (a = x+ y) && (x>z) && (p =q) Experiments Search Heuristics

EXE Optimization Test cases None Caching Independence All STP cost BPFEXPATPCRETCPDUMPUDHCPD

STP Search Heuristics

Using EXE to find Bugs Packet Filters UDHCPD Generating Disks of Death

Related Work DART, which is also similar to EXE CUTE, an Extension of DART

References [1] SMTLIB competition. August [2] T. Ball. A theory of predicate-complete test coverage and generation. In Proceedings of the Third International Symposium on Formal Methods for Components and Objects, Nov [3] T. Ball and R. B. Jones, editors. Computer Aided Verication, 18th International Conference, CAV 2006, Seattle, WA, USA, August 17-20, 2006, Proceedings, volume 4144 of Lecture Notes in Computer Science. Springer, [4] T. Ball, R. Majumdar, T. Millstein, and S. K. Rajamani. Automatic predicate abstraction of C programs. In PLDI '01: Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, pages 203{213. ACM Press, [5] T. Ball and S. Rajamani. Automatically validating temporal safety properties of interfaces. In SPIN 2001 Workshop on Model Checking of Software, May [6] C. Barrett and S. Berezin. CVC Lite: A new implementation of the cooperating validity checker. In R. Alur and D. A. Peled, editors, CAV, Lecture Notes in Computer Science. Springer, [7] C. Barrett, S. Berezin, I. Shikanian, M. Chechik, A. Gurnkel, and D. L. Dill. A practical approach to partial functions in CVC Lite. In PDPAR'04 Workshop, Cork, Ireland, July [8] R. S. Boyer, B. Elspas, and K. N. Levitt. Select { a formal system for testing and debugging programs by symbolic execution. ACM SIGPLAN Notices, 10(6):234{45, June [9] G. Brat, K. Havelund, S. Park, and W. Visser. Model checking programs. In IEEE International Conference on Automated Software Engineering (ASE), [10] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, [11] R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In E. Brinksma and K. G. Larsen, editors, Proc. Computer-Aided Verication (CAV), pages 78{92. Springer-Verlaag, July [12] W. Bush, J. Pincus, and D. Siela. A static analyzer for nding dynamic programming errors. Software: Practice and Experience, 30(7):775{802, [13] C. Cadar and D. Engler. Execution generated test cases: How to make systems code crash itself. In Proceedings of the 12th International SPIN Workshop on Model Checking of Software, August A longer version of this paper appeared as Technical Report CSTR , Computer Systems Laboratory, Stanford University. [14] E. Clarke and D. Kroening. Hardware verication using ANSI-C programs as a reference. In Proceedings of ASP-DAC 2003, pages 308{311. IEEE Computer Society Press, January [15] B. Cook, D. Kroening, and N. Sharygina. Cogent: Accurate theorem proving for program verication. In K. Etessami and S. K. Rajamani, editors, Proceedings of CAV 2005, volume 3576 of Lecture Notes in Computer Science, pages 296{300. Springer Verlag, [16] J. Corbett, M. Dwyer, J. Hatcli, S. Laubach, C. Pasareanu, Robby, and H. Zheng. Bandera: Extracting nite-state models from Java source code. In ICSE 2000, [17] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. The MIT Electrical Engineering and Computer Science Series. MIT Press/McGraw Hill, [18] SWAT: the Coverity software analysis toolset. [19] M. Das, S. Lerner, and M. Seigle. Path-sensitive program verication in polynomial time. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, Berlin, Germany, June [20] R. DeLine and M. Fahndrich. Enforcing high-level protocols in low-level software. In Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, June [21] N. Een and N. Sorensson. An extensible SAT-solver. In Proc. of the Sixth International Conference on Theory and Applications of Satisability Testing, pages 78{92, May [22] R. Ferguson and B. Korel. The chaining approach for software test data generation. ACM Trans. Softw. Eng. Methodol., 5(1):63{86, [23] C. Flanagan and S. N. Freund. Type-based race detection for Java. In SIGPLAN Conference on Programming Language Design and Implementation, pages 219{232, [24] C. Flanagan, K. Leino, M. Lillibridge, G. Nelson, J. Saxe, and R. Stata. Extended static checking for Java. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation. ACM Press, [25] J. Foster, T. Terauchi, and A. Aiken. Flow-sensitive type qualiers. In Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation, June [26] P. Godefroid. Model Checking for Programming Languages using VeriSoft. In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, [27] P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In Proceedings of the Conference on Programming Language Design and Implementation (PLDI), Chicago, IL USA, June ACM Press. [28] A. Gotlieb, B. Botella, and M. Rueher. Automatic test data generation using constraint solving techniques. In ISSTA '98: Proceedings of the 1998 ACM SIGSOFT international symposium on Software testing and analysis, pages 53{62. ACM Press, [29] N. Gupta, A. P. Mathur, and M. L. Soa. Automated test data generation using an iterative relaxation method. In SIGSOFT '98/FSE-6: Proceedings of the 6th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 231{244. ACM Press, [30] R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, Dec [31] G. J. Holzmann. The model checker SPIN. Software Engineering, 23(5):279{295, [32] G. J. Holzmann. From code to models. In Proc. 2nd Int. Conf. on Applications of Concurrency to System Design, pages 3{10, Newcastle upon Tyne, U.K., [33] S. Khurshid, C. S. Pasareanu, and W. Visser. Generalized symbolic execution for model checking and testing. In Proceedings of the Ninth International Conference on Tools and Algorithms for the Construction and Analysis of Systems, [34] E. Larson and T. Austin. High coverage detection of input-related security faults. In Proceedings of the 12th USENIX Security Symposium, August [35] B. P. Miller, L. Fredriksen, and B. So. An empirical study of the reliability of UNIX utilities. Communications of the Association for Computing Machinery, 33(12):32{44, [36] G. C. Necula, S. McPeak, S. Rahul, and W. Weimer. CIL: Intermediate language and tools for analysis and transformation of C programs. In International Conference on Compiler Construction, March [37] G. Nelson and D. Oppen. Simplication by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245{57, [38] N. Nethercote and J. Seward. Valgrind: A program supervision framework. Electronic Notes in Theoretical Computer Science, 89(2), [39] PCRE - Perl Compatible Regular Expressions. [40] PCRE Regular Expression Heap Overow. US-CERT Cyber Security Bulletin SB [41] O. Ruwase and M. S. Lam. A practical dynamic buer overow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, pages 159{169, [42] K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In In 5th joint meeting of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'05), Sept [43] D. Wagner, J. Foster, E. Brewer, and A. Aiken. A rst step towards automated detection of buer overrun vulnerabilities. In The 2000 Network and Distributed Systems Security Conference. San Diego, CA, Feb [44] Y. Xie and A. Aiken. Scalable error detection using boolean satisability. In Proceedings of the 32nd Annual Symposium on Principles of Programming Languages (POPL 2005), January [45] Y. Xie and A. Aiken. Saturn: A SAT-based tool for bug detection. In K. Etessami and S. K. Rajamani, editors, CAV, volume 3576 of Lecture Notes in Computer Science, pages 139{143. Springer, [46] J. Yang, C. Sar, P. Twohey, C. Cadar, and D. Engler. Automatically generating malicious disks using symbolic execution. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, May [47] J. Yang, P. Twohey, D. Engler, and M. Musuvathi. Using model checking to nd serious le system errors. In Symposium on Operating Systems Design and Implementation, December 2004.

References Few Contents of my slides have been copied from the slides available at Google for understanding various terms used in the paper.

Thank you Question ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.