RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

Slides:

Advertisements

Similar presentations

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Advertisements

Compiler Optimized Dynamic Taint Analysis James Kasten Alex Crowell.

White Box and Black Box Testing Tor Stålhane. What is White Box testing White box testing is testing where we use the info available from the code of.

8. Code Generation. Generate executable code for a target machine that is a faithful representation of the semantics of the source code Depends not only.

CSI 3120, Implementing subprograms, page 1 Implementing subprograms The environment in block-structured languages The structure of the activation stack.

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

A Comparison of Online and Dynamic Impact Analysis Algorithms Ben Breech Mike Tegtmeyer Lori Pollock University of Delaware.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.

The Memory Behavior of Data Structures Kartik K. Agaram, Stephen W. Keckler, Calvin Lin, Kathryn McKinley Department of Computer Sciences The University.

CS 104 Introduction to Computer Science and Graphics Problems Software and Programming Language (2) Programming Languages 09/26/2008 Yang Song (Prepared.

09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay.

State coverage: an empirical analysis based on a user study Dries Vanoverberghe, Emma Eyckmans, and Frank Piessens.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

P51UST: Unix and Software Tools Unix and Software Tools (P51UST) Compilers, Interpreters and Debuggers Ruibin Bai (Room AB326) Division of Computer Science.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

By Renan Campos.  When to overload new/delete and why  Requirements of the implementing “new”  Implementing “array new”  Implementing the “delete”

Chapter 7: Runtime Environment –Run time memory organization. We need to use memory to store: –code –static data (global variables) –dynamic data objects.

U NIVERSITY OF D ELAWARE C OMPUTER & I NFORMATION S CIENCES D EPARTMENT Optimizing Compilers CISC 673 Spring 2011 Course Overview John Cavazos University.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

1 JavaScript. 2 What’s wrong with JavaScript? A very powerful language, yet –Often hated –Browser inconsistencies –Misunderstood –Developers find it painful.

Learning, Monitoring, and Repair in Application Communities Martin Rinard Computer Science and Artificial Intelligence Laboratory Massachusetts Institute.

Support for Debugging Automatically Parallelized Programs Robert Hood Gabriele Jost CSC/MRJ Technology Solutions NASA.

FIG: A Prototype Tool for On-Line Verification of Recovery Mechanisms Naveen Sastry, Pete Broadwell, Jonathan Traupman, David Patterson University of California,

FIG: Fault Injection in glibc Pete Broadwell, Naveen Sastry Jonathan Traupman.

CS533 Concepts of Operating Systems Jonathan Walpole.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

1 C - Memory Simple Types Arrays Pointers Pointer to Pointer Multi-dimensional Arrays Dynamic Memory Allocation.

Colorama: Architectural Support for Data-Centric Synchronization Luis Ceze, Pablo Montesinos, Christoph von Praun, and Josep Torrellas, HPCA 2007 Shimin.

U NIVERSITY OF D ELAWARE C OMPUTER & I NFORMATION S CIENCES D EPARTMENT Optimizing Compilers CISC 673 Spring 2009 Overview of Compilers and JikesRVM John.

Operating Systems Lecture 14 Segments Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software Engineering.

CSCI Rational Purify 1 Rational Purify Overview Michel Izygon - Jim Helm.

Limits of Instruction-Level Parallelism Presentation by: Robert Duckles CSE 520 Paper being presented: Limits of Instruction-Level Parallelism David W.

Exceptional Control Flow Topics Exceptions except1.ppt CS 105 “Tour of the Black Holes of Computing”

Efficient Software-based Fault Isolation Robert Wahbe, Steven Lucco, Thomas E. Anderson & Susan L. Graham Presented By Tony Bock.

Using Dynamic Compilers for Software Testing Ben Breech Lori Pollock John Cavazos.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.

PLC '06 Experience in Testing Compiler Optimizers Using Comparison Checking Masataka Sassa and Daijiro Sudo Dept. of Mathematical and Computing Sciences.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.

VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Interrupts and Exception Handling. Execution We are quite aware of the Fetch, Execute process of the control unit of the CPU –Fetch and instruction as.

Protecting C and C++ programs from current and future code injection attacks Yves Younan, Wouter Joosen and Frank Piessens DistriNet Department of Computer.

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

Embedded Real-Time Systems

How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009.

Optimistic Hybrid Analysis

Eighth Lecture Exception Handling in Java

Exceptional Control Flow

Mechanism: Address Translation

Exceptional Control Flow

Ke Bai and Aviral Shrivastava Presented by Bryce Holton

Optimizing Malloc and Free

Hwisoo So. , Moslem Didehban#, Yohan Ko

Detecting Targeted Attacks Using Shadow Honeypots

CSE 303 Concepts and Tools for Software Development

CSC-682 Advanced Computer Security

Mechanism: Address Translation

Optimizing Compilers CISC 673 Spring 2009 Course Overview

Dynamic Binary Translators and Instrumenters

Return-to-libc Attacks

Presentation transcript:

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware

Motivating Example if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); if ((sptr = malloc (size + 1)) == NULL) xlfail (“insufficient string space”); } How do I test this callsite?  Make the machine run out of memory?  Flip the conditional, recompile, flip back?  Pretend it doesn’t exist during testing?

Generalizing the Problem  Code to handle uncommon situations Difficult to test Difficult to test May need external environment event to trigger May need external environment event to trigger  Examples: Error handling code Error handling code Testing program security mechanisms Testing program security mechanisms

Observation  Hard to reach code executes when program thinks something uncommon has occurred if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); xlfail (“insufficient string space”); } if ((sptr = malloc (size + 1)) == NULL)  Could test findmem() by simulating error e.g., could add instructions to program so program believes malloc failed e.g., could add instructions to program so program believes malloc failed

RUGRAT Approach Use Dynamic Compilers to generate test cases for hard to reach code. Automatically add instructions to program during execution to simulate uncommon situation.

Dynamic Compilers  Dynamic compilers perform compilation tasks during program execution code Analysis transformation optimization Create basic block translate Basic block Mod. Basic block Execute on CPU Dynamic Compiler

RUGRAT Architecture code Analysis transformation optimization Create basic block translate Basic block Mod. Basic block Execute on CPU Dynamic Compiler Create basic block Dynatest Generator Test spec Test Oracle Test Report

Test Spec  Details where/how for inserting tests  Current prototype limited (environment vars). Can express: Function locations Function locations “test all calls to function x”“test all calls to function x” “test only second call to x in function y”“test only second call to x in function y” Failure value (e.g., 0, -1, etc) Failure value (e.g., 0, -1, etc) Some side effects Some side effects

Dynatest Generator  Scans instructions for location to insert test (e.g., call to function X)  Allows function X to execute  Adds instructions to simulate error Instructions added after function X Instructions added after function X Program thinks error happened, reacts Program thinks error happened, reacts

Example if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); xlfail (“insufficient string space”); if ((sptr = malloc (size + 1)) == NULL) call malloc (code for malloc) movl sptr cmpl sptr, 0 jnz L1 call findmem …. L1: … Dynatest Generator call malloc (code for malloc) movl 0, movl ENOMEM, errno movl sptr cmpl sptr, 0 jnz L1 call findmem …. L1: … }L1:

The Good, the Bad and the Ugly The Bad:  Not a perfect simulation The Good:  Adequate simulation  Can target system or appl calls  Saves quite a lot of tester effort The Ugly:  Still a prototype

Security Mechanism Testing: Encrypting Function Pointers  Protects progs against func pointer attacks  Difficult to test (need vulnerable program and attack)  RUGRAT can simulate attack by adding instructions Very different from error handling code case Very different from error handling code case RUGRAT can be used for variety of testing tasks.

Current Implementation Notes  Used DynamoRIO 1 dynamic compiler Some limitations (but new version is available) Some limitations (but new version is available)  Test spec from env. vars  Nothing fancy for oracle 1 Bruening, et al., CGO 2003

Experiments  Ran variety of programs with RUGRAT space, SPEC, MiBENCH space, SPEC, MiBENCH  Tested handling of errors in malloc / fopen / write malloc / fopen / write Application calls Application calls

Experiments Summary Can RUGRAT generate tests to cover error handling code? YES! RUGRAT tested error handling code at 120+ callsites (missed one because DynamoRIO incurred a segfault)

Experiments Summary Can RUGRAT increase statement coverage for error handling code? YES! RUGRAT increased code coverage ~ 50% (on average) of error handling code Not all statements executed b/c of different optionsNot all statements executed b/c of different options RUGRAT detected cases of omission errorsRUGRAT detected cases of omission errors

Fault Detection  Could RUGRAT help detect failures in error handling code?  Grad students seeded faults into error handling code for space program Changed assignments, loops, conditionals,etc Changed assignments, loops, conditionals,etc Seeded total of 34 faults Seeded total of 34 faults

Fault Detection Summary  RUGRAT detected 15 / 34 faults  Of 19 undetected faults: 6 changed return values, but callers only checked certain vals (e.g., if (func () != 0)) 6 changed return values, but callers only checked certain vals (e.g., if (func () != 0)) 2 allocated too little memory (malloc may allocate more memory than requested anyway) 2 allocated too little memory (malloc may allocate more memory than requested anyway) 2 unknown 2 unknown 1 caused space to quit 1 caused space to quit 8 instances were caller performed same code as callee (e.g., any fault in callee was undid by caller) 8 instances were caller performed same code as callee (e.g., any fault in callee was undid by caller)

Some related work  Holodeck 1, FIG 2 Require tester provide alternative “stub” functions to do testing Require tester provide alternative “stub” functions to do testing Miss application calls Miss application calls  Dynamic branch switching 3 Not originally intended for testing error code Not originally intended for testing error code Need to know which branch to change Need to know which branch to change Far less accurate simulation Far less accurate simulation 1 Thompson et al., SAC Broadwell et al., SHAMAN Zhang et al., ICSE 2006

Conclusions and Summary  Presented RUGRAT architecture Can test hard to reach (and seldom tested) code by using dynamic compilers Can test hard to reach (and seldom tested) code by using dynamic compilers Saves tester effort Saves tester effort  RUGRAT is a general tool

RUGRAT Architecture code Basic block Mod. Basic block Execute on CPU Dynamic Compiler Create basic block Dynatest Generator Test spec Test Oracle Test Report

Experiments Summary  Tested variety programs with RUGRAT  120+ error code handling callsites covered Both application and system calls Both application and system calls  Increased error code coverage ~ 50% over regular test cases Not all error code statements could be covered Not all error code statements could be covered Different options, etcDifferent options, etc  Reasonable time overhead