Evaluation of DART
DART: Directed Automated Random Testing (Godefroid, Klarlund, Sen)

Experimental Goals
- Efficiency of DART
  - directed search approach vs purely random search
  - AC-controller program
  - Needham-Schroeder Protocol
- Effectiveness with a large program
  - Open-source oSIP library, 30K LOC of C code

Efficiency Experiment
- AC-Controller Program:
  - DART:
    - Explores all exec paths up to depth=1 in 6 iterations and less than 1 second
    - Depth=2, finds assertion violation, 7 iterations, <1 sec
  - Random:
    - Does not find assertion violation after hours
    - Probability to find inputs leading to assertion = 2**64
    - Gets stuck in input-filtering code
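The contrast on this slide, as an added example that is not from the slides or the DART authors: a directed search that records the branch predicates of each concrete run, negates one, and solves for new inputs, next to a purely random baseline. Assumptions: `ac_controller` is a constructed stand-in for the AC-controller program (the slides do not show its source), branches are limited to `message == constant`, a few-line solver stands in for a real constraint solver, and a worklist replaces DART's exact search order, so iteration counts will not match the slide.

```python
import random

def ac_controller(msgs, eq):
    # Constructed stand-in for the AC-controller; eq(i, c) instruments `msgs[i] == c`.
    hot = closed = ac = False
    for i in range(len(msgs)):
        if eq(i, 0): hot = True
        if eq(i, 1): hot = False
        if eq(i, 2): closed = ac = False
        if eq(i, 3): closed, ac = True, ac or hot
        if hot and closed and not ac: return True   # assertion violated
    return False

def run(prog, inputs):
    # Concrete run that also records the path constraint as (index, const, taken).
    trace = []
    def eq(i, c):
        trace.append((i, c, inputs[i] == c))
        return inputs[i] == c
    return trace, prog(inputs, eq)

def solve(path, inputs):
    # Solver for conjunctions of x_i == c / x_i != c; None when unsatisfiable.
    new = list(inputs)
    for i in range(len(new)):
        eqs = {c for j, c, t in path if j == i and t}
        nes = {c for j, c, t in path if j == i and not t}
        if len(eqs) > 1 or eqs & nes: return None
        if eqs or new[i] in nes:
            new[i] = min(eqs) if eqs else max(nes) + 1
    return new

def directed_search(prog, depth, rng=random):
    work, seen, runs = [[rng.getrandbits(32) for _ in range(depth)]], set(), 0
    while work:
        inputs, runs = work.pop(), runs + 1
        trace, violated = run(prog, inputs)
        if violated: return inputs, runs
        seen.update(tuple(trace[:k + 1]) for k in range(len(trace)))
        for k, (i, c, taken) in enumerate(trace):
            flipped = tuple(trace[:k]) + ((i, c, not taken),)  # negate one branch
            new = None if flipped in seen else solve(flipped, inputs)
            seen.add(flipped)
            if new is not None: work.append(new)
    return None, runs

def random_search(prog, depth, rng=random, tries=20000):
    return any(run(prog, [rng.getrandbits(32) for _ in range(depth)])[1]
               for _ in range(tries))
```

`directed_search(ac_controller, 2)` returns the violating message sequence and the number of runs it took; `random_search` draws fresh 32-bit messages each time and never gets past the equality filters.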

Another Efficiency Point
- Needham-Schroeder security protocol program
  - 406 lines of C code
- DART: Took < 26 minutes on 2GHz machine to detect middle man attack
- VeriSoft (model checker): Hours to detect

Effectiveness with Large App
- oSIP (open-source): 30K LOC, 600 externally visible functions
- DART:
  - Found a way to crash 65% of oSIP functions within 1000 attempts of each function
  - Most were dereferencing a null pointer sent as an argument to a function

Putting this work into Context
- Colby, Godefroid, Jagadeesan 1998: automatically make program self-executable and systematically explore all behaviors
  - Closed program is a simplified version
- Considerable work on test-vector generation with symbolic exec
  - Imprecise static analysis
- Dynamic test generation
  - Only generate for specific paths
  - Do not deal with function calls or library funcs