Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Slides:

Advertisements

Similar presentations

Basics of Recursion Programming with Recursion

Advertisements

Deep packet inspection – an algorithmic view Cristian Estan (U of Wisconsin-Madison) at IEEE CCW 2008.

1 Automating the Generation of Mutation Tests Mike Papadakis and Nicos Malevris Department of Informatics Athens University of Economics and Business.

Statically Validating Must Summaries for Incremental Compositional Dynamic Test Generation Patrice Godefroid Shuvendu K. Lahiri Cindy Rubio-González International.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

KLEE: Effective Testing of Systems Programs

Symbolic Analysis. Symbolic analysis tracks the values of variables in programs symbolically as expressions of input variables and other variables, which.

1 Symbolic Execution Kevin Wallace, CSE

Amal Khalil & Juergen Dingel

A Survey of Approaches for Automated Unit Testing

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Symbolic Execution with Mixed Concrete-Symbolic Solving

MATH 224 – Discrete Mathematics

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

Problem Solving by Searching Copyright, 1996 © Dale Carnegie & Associates, Inc. Chapter 3 Spring 2007.

Methods of Proof Chapter 7, second half.. Proof methods Proof methods divide into (roughly) two kinds: Application of inference rules: Legitimate (sound)

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.

Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)

Automatic Generation of Inputs of Death and High-Coverage Tests Presented by Yoni Leibowitz EXE & KLEE.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.

DART Directed Automated Random Testing Patrice Godefroid, Nils Klarlund, and Koushik Sen Syed Nabeel.

Evaluation of DART DART: Directed Automated Random Testing Godefroid, Klarlund, Sen.

EXecution generated Executions: Automatically generating inputs of death. Dawson Engler Cristian Cadar, Junfeng Yang, Can Sar, Paul Twohey Stanford University.

1 Today More on random testing + symbolic constraint solving (“concolic” testing) Using summaries to explore fewer paths (SMART) While preserving level.

1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.

Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)

AUTOMATIC CONCOLIC TEST GENERATION WITH VIRTUAL PROTOTYPES FOR POST-SILICON VALIDATION Reviewer: Shin-Yann Ho Instructor: Jie-Hong Jiang.

DART: Directed Automated Random Testing Koushik Sen University of Illinois Urbana-Champaign Joint work with Patrice Godefroid and Nils Klarlund.

Tao Xie (North Carolina State University) Nikolai Tillmann, Jonathan de Halleux, Wolfram Schulte (Microsoft Research, Redmond WA, USA)

Symbolic Execution with Mixed Concrete-Symbolic Solving (SymCrete Execution) Jonathan Manos.

CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Automatic Generation of Inputs of Death and High-Coverage Tests Presented by Yoni Leibowitz EXE & KLEE.

Presented by: Tom Staley. Introduction Rising security concerns in the smartphone app community Use of private data: Passwords Financial records GPS locations.

CSC 322 Operating Systems Concepts Lecture - 25: by Ahmed Mumtaz Mustehsan Special Thanks To: Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley

Automated Whitebox Fuzz Testing Network and Distributed System Security (NDSS) 2008 by Patrice Godefroid, ‏Michael Y. Levin, and ‏David Molnar Present.

jFuzz – Java based Whitebox Fuzzing

EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.

Finding Errors in.NET with Feedback-Directed Random Testing Carlos Pacheco (MIT) Shuvendu Lahiri (Microsoft) Thomas Ball (Microsoft) July 22, 2008.

Precomputation- based Prefetching By James Schatz and Bashar Gharaibeh.

Directed Random Testing Evaluation. FDRT evaluation: high-level – Evaluate coverage and error-detection ability large, real, and stable libraries tot.

CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261.

The Yogi Project Software property checking via static analysis and testing Aditya V. Nori, Sriram K. Rajamani, Sai Deep Tetali, Aditya V. Thakur Microsoft.

Optimization Problems

CS265: Dynamic Partial Order Reduction Koushik Sen UC Berkeley.

Convicting Exploitable Software Vulnerabilities: An Efficient Input Provenance Based Approach Zhiqiang Lin Xiangyu Zhang, Dongyan Xu Purdue University.

CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.

Lazy Annotation for Program Testing and Verification (Supplementary Materials) Speaker: Chen-Hsuan Adonis Lin Advisor: Jie-Hong Roland Jiang December 3,

MINIX Presented by: Clinton Morse, Joseph Paetz, Theresa Sullivan, and Angela Volk.

Random Test Generation of Unit Tests: Randoop Experience

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION SYMBOLIC TESTING Autumn 2011.

Shadow Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina PalikarevaTomasz KuchtaCristian Cadar ICSE’16, 20 th May 2016 This.

Effective Data-Race Detection for the Kernel

RDE: Replay DEbugging for Diagnosing Production Site Failures

Presented by Mahadevan Vasudevan + Microsoft , *UC-Berkeley

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.

Automatic Test Generation SymCrete

CUTE: A Concolic Unit Testing Engine for C

Presentation transcript:

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS 2008

Goal: generate inputs that explore (ideally) all paths of a program Run program on symbolic input, whose initial value is anything At conditionals that use symbolic inputs, fork execution and follow both paths: On true branch, add constraint that condition is true On false, that it is not When a path terminates, generate a test case by solving the constraints on that path Constraint-Based Test Generation

EGT / EXE / KLEE DART [Godefroid/Klarlund/Sen] CUTE [Sen et al.] SAGE, Pex [Godefroid et al.] Vigilante [Castro et al ] BitScope [Song et al.] RWset applicable to any of these Constraint-Based Test Generation

Effective bug-finding tool File system code ext2, ext3, JFS Networking applications bpf, udhcpd Library code PCRE, Pintos Device drivers Minix EXE Results

Scalability challenge Exponential space! –Relatively small number of interesting paths: e.g., those that achieve maximum branch coverage Mixed symbolic/concrete execution (EXE/DART) Search heuristics –Best First Search (EXE) –Generational Search (SAGE) Symbolic execution + random testing (Hybrid CUTE) Caching function summaries (SMART) Demand-Driven Compositional Symbolic Execution (Pex)

RWset (read-write set) analysis Determine whether continuing to execute the current program path will explore new states Only a value observed by the program can determine the execution of new program states

{data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag);

flag = 0 {data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag);

arg1 > 100 flag = 0 {data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag); true: arg1 > 100 false: arg

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 false: arg2 100 {data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag); true: arg1 > 100 false: arg1 100

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg2 100 process(data, 1) {data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag); true: arg1 > 100 false: arg1 100

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg2 100 process(data, 1) {data, arg1, arg2} = unconstrained flag = 0; if (arg1 > 100) flag = 1; if (arg2 > 100) flag = 1; process(data, flag); true: arg1 > 100 false: arg1 100

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg2 100 process(data, 1) If arg1, arg2 not read true: arg1 > 100 false: arg1 100

Write-set analysis Look at values written in the past State abstraction in model checking Memory state = write set up to current progr. pt. –Concrete writes: concr loc = concr val –Symbolic writes: constraint(sym loc) Program point P, two paths w/ same write-set –prune the second one

Write-sets Precision: reason at the byte-level Minimize write-set size 1. Overwrites 2. Dead locations 3. Alpha renaming Complicated in the symbolic domain a[i] = 17; a[j] = 20; Cannot discard all constraints on dead locations

Read-set analysis Key idea: can ignore from write-set writes to locations that are never read again –Definition of read driven by goal to achieve high branch coverage –Location read if can hit a new branch by changing its value

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) RWset arg1 = True-True path arg2 = data =

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 = True-True path arg2 = flag = 0 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 > 100 True-True path arg2 = flag = 0 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 > 100 True-True path arg2 = flag = 1 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 > 100 True-True path arg2 > 100 flag = 1 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 > 100 True-True path arg2 > 100 flag = 1 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) arg1 > 100 True-True path arg2 > 100 flag = 1 data = RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) True-True path flag = 1 data = arg1, arg2 not read arg1 > 100 arg2 > 100 RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) True-False path arg1 > 100 True-True path arg2 > 100 flag = 1 data = arg1 > 100 arg2 100 flag = 1 data = arg1, arg2 not read RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) True-False path arg1 > 100 True-True path arg2 > 100 flag = 1 data = arg1 > 100 arg2 100 flag = 1 data = arg1, arg2 not read RWset

arg1 > arg2 > 100 flag = 1 flag = 0 true: arg2 > 100 flag = 1 false: arg1 100 process(data, 1) true: arg1 > 100 false: arg1 100 process(data, 1) True-False path arg1 > 100 True-True path arg2 > 100 flag = 1 data = arg1 > 100 arg2 100 flag = 1 data = arg1, arg2 not read RWset

Implementation Execution path Global cache P W1W1 W2W2 WpWp (W 1, R 1 ) (W 2, R 2 ) … (W n, R n ) RW-Set(P) WPWP

Implementation P W1W1 W2W2 WpWp (W 1, R 1 ) (W 2, R 2 ) … (W n, R n ) Write-set Hit! Emit test case i.(W P = W i ) RW-Set(P) WPWP Execution path Global cache

Implementation P W1W1 W2W2 WpWp WPWP Read-set Hit! i.(W P R i = W i R i ) Add (W P,R i ) to RW-Set(P) (W 1, R 1 ) (W 2, R 2 ) … (W n, R n ) (W P, R i ) Emit test case RW-Set(P) Execution path Global cache

Implementation P W1W1 W2W2 WpWp (W 1, R 1 ) (W 2, R 2 ) … (W n, R n ) (W P, _) Miss! Add (W P,_) to RW-Set(P)... RW-Set(P) WPWP Execution path Global cache

Evaluation Medium-sized open source benchmarks –bpf, udhcpd, expat, tcpdump, pcre Minix 3 device drivers –lance, pci, sb16

Medium-sized apps bpf: Berkeley Packet Filter expat: XML parsing library pcre: Perl compatible reg exp library tcpdump: tool for printing packet headers udhcpd: a DHCPD server

Medium-sized apps Ran base EXE on each app for 30 minutes –Except 30,000 test cases for PCRE Recorded number of branches hit Reran in RWset mode until we reached the same branch coverage

Medium-sized apps

Non-redundant states pcre tcpdump expat udhcpd bpf Test cases Non-redundant states Test cases Non-redundant states

Performance Dry run for the medium-sized apps: compute write-sets and read-sets but do no pruning

Device drivers Hard to check w/o the physical device or outside of the kernel Focused on three MINIX 3 drivers: –lance: AMD lance ethernet card driver –pci: PCI bus driver –sb16: Sound Blaster 16 driver

Minix 3 device drivers Structured around a main dispatch loop while (1) { /* receive message from other processes, the kernel, or the hardware */ message = read_message(); process(message); }

Minix 3 device drivers Structured around a main dispatch loop while (1) { /* receive message from other processes, the kernel, or the hardware */ message = read_symbolic_data(); process(message); }

Minix 3 device drivers Structured around a main dispatch loop for (k=0; k < n; k++) { /* receive message from other processes, the kernel, or the hardware */ message = read_symbolic_data(); process(message); }

Minix drivers - evaluation Three versions of EXE: –Base –Write-set –RWset Fixed the # of iterations in each version –mainly to have the base version terminate Ran each version for an hour –recorded branch coverage + non-redundant states

Branch coverage (pci) RWset Write-set Base

Branch coverage (lance) RWset Write-set Base

RWset Write-set Base Branch coverage (sb16)

Non-redundant states RWset DFS RWset DFS RWset DFS RWset Base RWset Base RWset Base

Bugs in device drivers

Summary RWset analysis –efficient way to prune large numbers of redundant paths –only values observed by the program trigger the execution of new paths Evaluated on Minix drivers and medium size applications –big reduction in the number of paths explored

Questions?