Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

Slides:



Advertisements
Similar presentations
PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.
Advertisements

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
KLEE: Effective Testing of Systems Programs
A Survey of Approaches for Automated Unit Testing
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Parrot: A Practical Runtime for Deterministic, Stable, and Reliable Threads Heming Cui, Jiri Simsa, Yi-Hong Lin, Hao Li, Ben Blum, Xinan Xu, Junfeng Yang,
Effectively Model Checking Real-World Distributed Systems Junfeng Yang Joint work with Huayang Guo, Ming Wu, Lidong Zhou, Gang Hu, Lintao Zhang, Heming.
Static Technique. Static Technique - Review  A way of testing software work products  Program code, requirement spec., design spec.  Test plan, test.
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Software Testing and Quality Assurance
Synergy: A New Algorithm for Property Checking
Program Analysis Using Randomization Sumit Gulwani, George Necula (U.C. Berkeley)
1 Advanced Material The following slides contain advanced material and are optional.
Applying Dynamic Analysis to Test Corner Cases First Penka Vassileva Markova Madanlal Musuvathi.
Formal verification Marco A. Peña Universitat Politècnica de Catalunya.
Chapter 1: Introduction To Computer | SCP1103 Programming Technique C | Jumail, FSKSM, UTM, 2005 | Last Updated: July 2005 Slide 1 Introduction To Computers.
AUTOMATIC CONCOLIC TEST GENERATION WITH VIRTUAL PROTOTYPES FOR POST-SILICON VALIDATION Reviewer: Shin-Yann Ho Instructor: Jie-Hong Jiang.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Mining Windows Kernel API Rules Jinlin Yang 09/28/2005CS696.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Parallelizing Security Checks on Commodity Hardware E.B. Nightingale, D. Peek, P.M. Chen and J. Flinn U Michigan.
Verifying Atomicity via Data Independence Ohad Shacham Yahoo Labs, Israel Eran Yahav Technion, Israel Guy Gueta Yahoo Labs, Israel Alex Aiken Stanford.
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.
Huayang Guo 1,2, Ming Wu 1, Lidong Zhou 1, Gang Hu 1,2, Junfeng Yang 2, Lintao Zhang 1 1 Microsoft Research Asia 2 Columbia University Practical Software.
Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley
Test Suite Reduction for Regression Testing of Simple Interactions between Two Software Modules Dmitry Kichigin.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Pallavi Joshi* Mayur Naik † Koushik Sen* David Gay ‡ *UC Berkeley † Intel Labs Berkeley ‡ Google Inc.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
1 Test Selection for Result Inspection via Mining Predicate Rules Wujie Zheng
1 Phase Implementation. Janice Regan, Overview of Implementation phase Create Class Skeletons Define Implementation Plan (+ determine subphases)
Page 1 5/2/2007  Kestrel Technology LLC A Tutorial on Abstract Interpretation as the Theoretical Foundation of CodeHawk  Arnaud Venet Kestrel Technology.
University of Maryland Mining Source Code Change History for Program Understanding Chadd Williams.
Xusheng Xiao North Carolina State University CSC 720 Project Presentation 1.
Model Checking Grid Policies JeeHyun Hwang, Mine Altunay, Tao Xie, Vincent Hu Presenter: tanya levshina International Symposium on Grid Computing (ISGC.
Finding Errors in.NET with Feedback-Directed Random Testing Carlos Pacheco (MIT) Shuvendu Lahiri (Microsoft) Thomas Ball (Microsoft) July 22, 2008.
CSV 889: Concurrent Software Verification Subodh Sharma Indian Institute of Technology Delhi Scalable Symbolic Execution: KLEE.
E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University.
Sound and Precise Analysis of Parallel Programs through Schedule Specialization Jingyue Wu, Yang Tang, Gang Hu, Heming Cui, Junfeng Yang Columbia University.
Random Interpretation Sumit Gulwani UC-Berkeley. 1 Program Analysis Applications in all aspects of software development, e.g. Program correctness Compiler.
Software Quality Assurance and Testing Fazal Rehman Shamil.
Performance Problems You Can Fix: A Dynamic Analysis of Memoization Opportunities Luca Della Toffola – ETH Zurich Michael Pradel – TU Darmstadt Thomas.
Automating Configuration Troubleshooting with Dynamic Information Flow Analysis Mona Attariyan Jason Flinn University of Michigan.
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
Random Test Generation of Unit Tests: Randoop Experience
Testing Overview Software Reliability Techniques Testing Concepts CEN 4010 Class 24 – 11/17.
Verification vs. Validation Verification: "Are we building the product right?" The software should conform to its specification.The software should conform.
CS 5150 Software Engineering Lecture 21 Reliability 2.
Shadow Shadow of a Doubt: Testing for Divergences Between Software Versions Hristina PalikarevaTomasz KuchtaCristian Cadar ICSE’16, 20 th May 2016 This.
Tanakorn Leesatapornwongsa, Jeffrey F. Lukman, Shan Lu, Haryadi S. Gunawi.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Improving the quality of PLC programs
Lazy Preemption to Enable Path-Based Analysis of Interrupt-Driven Code
Chapter 8 – Software Testing
Lazy Diagnosis of In-Production Concurrency Bugs
Yongle Zhang, Serguei Makarov, Xiang Ren, David Lion, Ding Yuan
CBCD: Cloned Buggy Code Detector
Symbolic Execution Tools for Software Testing
RDE: Replay DEbugging for Diagnosing Production Site Failures
Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang
Testing, conclusion Based on material by Michael Ernst, University of Washington.
When I want to execute the subroutine I just give the command Write()
The Zoo of Software Security Techniques
SOFTWARE ENGINEERING INSTITUTE
Presentation transcript:

Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University Woodpecker: Verifying Systems Rules Using Rule-Directed Symbolic Execution Heming Cui, Gang Hu, Jingyue Wu, Junfeng Yang Columbia University

Systems Programs Must Obey Rules E.g., assert(x); p = malloc(len);  free(p); fp = fopen(f);  fclose(fp); Atomic file update fp = fopen(/etc/passwd’); fwrite(fp, …); fsync(fp); // must do fsync() before rename() // can not unlink(/etc/passwd) Rename(/etc/passwd’, /etc/passwd);

Verifying Rules: Static Analysis strcmp(s,“-”)!=0 High coverage Do not miss bugs Too many false positives Much labor to inspect T F fp=fopen(s,“r”); fp=stdin; s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Verifying Rules: Symbolic Execution strcmp(s,“-”)!=0 Pros No false positives Bounded verification Detect serious bugs E.g., [KLEE OSDI ‘08] [S2E ASPLOS ‘11] [DyTa ICSE ‘11] … T F fp=fopen(s,“r”); fp=stdin; s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Symbolic Execution (cont.) strcmp(s,“-”)!=0 Problem: path explosion Hard to explore all Heuristics: miss bugs T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); BOMB! !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Our Key Insight strcmp(s,“-”)!=0 Although the number of program paths is enormous, only a small portion of the paths are relevant to a checked rule T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Our Key Insight strcmp(s,“-”)!=0 Although the number of program paths is enormous, only a small portion of the paths are relevant to a checked rule Challenge: how to soundly prune paths? T F fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Rule-Directed Symbolic Execution Soundly prune redundant paths w.r.t. rules Explore one path, and statically peek into the off-the-path branches Woodpecker Leverage a path slicing algo [PEREGRINE SOSP ‘11] Integrated with [KLEE OSDI ‘08] Can leverage powerful techniques in KLEE Builtin + user-written checkers

Sneak Preview of Results 136 popular systems programs, 545K LOC coreutils, shadow, cvs, git, … Five rule checkers Assert, MemLeak, OpenClose, File, DataLoss Verified 3.4x more programs and 4.6x more paths than KLEE, for quick 1H runs. 17x more paths for 4H Detected 113 bugs, including 10 serious data loss errors git: 7 (same pattern) confirmed (corrupting source repositories) useradd: 1 fix (missing /etc/default/useradd file)

Outline Example Evaluation Conclusion

Example T F F T F T T F strcmp(s,“-”)!=0 fp=fopen(s,“r”); fp=stdin; (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] T F fclose(fp); exit(0);

Recording an Execution Trace symbolic name and data strcmp(s,“-”)!=0 $ cat foo.txt T F Execution Trace fp=fopen(s,“r”); fp=stdin; Branch Statements executed True strcmp(s, “-”) fp = fopen(s); True (c = fgetc(fp)) != EOF False c < 32 && c != ‘\n’ putchar(c); False (c = fgetc(fp)) != EOF True s[0] != ‘-’ || ![1] fclose(fp); (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] Do all these branches relevant??? T F fclose(fp); exit(0);

Challenges in Pruning Branches Soundly Control dependency Data dependency Events dependency fp=fopen(); fp=fopen(); fp=fopen(); ... s[0]!=‘-’ s[0]!=‘-’ p[0]=‘-’; ... fclose(fp); exit(0); s[0]!=‘-’ T F fclose(fp); fclose(fp); exit(0); fclose(fp);

Pruning Irrelevant Paths Soundly strcmp(s,“-”)!=0 T F Execution Trace fp=fopen(s,“r”); fp=stdin; Branch Statements executed True strcmp(s, “-”) fp = fopen(s); True (c = fgetc(fp)) != EOF False c < 32 && c != ‘\n’ putchar(c); False (c = fgetc(fp)) != EOF True s[0] != ‘-’ || ![1] fclose(fp); (c=fgetc(fp))!=EOF F T putchar(c); !isprint(c) F c+=64; T s[0]!=‘-’ || s[1] Sound and exponential reduction. T F fclose(fp); exit(0);

Evaluation Setup Program: 136 widely used systems utilities coreutils, shadow, cvs, git, tar, sed. Parameters (same as [KLEE OSDI ‘08] when possible) Input bound: three 2-bytes symbolic arguments for coreutils and shadow, four 8-bytes symbolic arguments for others. Time bound: 1 hour for each coreutils and shadow, 12 hours for others. Evaluation question: Verification: how effective is rule-directed symbolic execution? Bug detection: can Woodpecker find serious rule violations?

1-hour Verification Results Checkers # Programs # Programs Verified % Paths Relevant Woodpecker KLEE Assert 57 13 3 56.8 16.2 MemoryLeak 103 32 7 61.3 12.7 OpenClose 72 19 4 59.2 15.3 FileAccess 120 40 12 65.4 20.9 DataLoss 35 89.4 71.1 Total 387 111 33 62.9 16.7 4-hour Verification Results Verified 17x more paths

# of Rule Violations Discovered Detected 113 rule violations, including 10 data loss errors git: 7 (same pattern) confirmed (corrupting source repo) useradd: 1 fix (missing /etc/default/useradd file)

Conclusion Insight on verifying systems rules: only a small portion of paths are relevant to a checked rule. Woodpecker: rule-directed symbolic execution. Results Verified more programs and paths. Detected serious bugs.

Q & A