EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.

Presentation transcript:

EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on Computer and communications security (CCS), 2006 Presented By: Clayton Andrews

Outline
EXE
Motivation
Real bugs
How to use
Example
STP
Optimization
Experiments
Search heuristics
Conclusion
Contributions

EXE
EXecution generated Executions
An effective bug-finding tool
Not manual or randomly constructed input
Runs on symbolic input
  Input is allowed to be "anything"

EXE
Code can generate its own test cases
Runs the code on all inputs at once
Follows all paths

Motivation
Possible paths of code execution can be large
  Manual testing is far from exhaustive
  Difficult for developers to reason about all paths
Random testing is not sufficient
  Suppose a bug exists for 1 input out of 100 trillion
Dynamic tools require initial test cases
  Presents the same problem as manual testing

Real Bugs
Berkeley Packet Filter
  Evil packet filters exploit buffer overruns
udhcpd DHCP server
  Generates packets that cause invalid reads/writes
pcre library
  Bad regular expressions that compromise the library

How to Use
Simply call make_symbolic() on any input that is unconstrained
Compile using the EXE compiler, exe-cc
Then compile using a standard compiler
  E.g. gcc

Example

STP
EXE's constraint solver
  More precisely, a decision procedure
Decision procedures
  Determine satisfiability of logic formulas
  Express constraints to satisfy an expression

STP
Co-designed for EXE
Faster than CVCL, a similar system
  550x faster

Optimizations
Caching
  EXE caches results of satisfiability queries
Constraint independence
  Breaks apart constraints into subsets that share no variables
  (A[1] = A[2] + A[3]) ∧ (A[2] > A[4]) ∧ (A[7] = A[8])
  splits into (A[1] = A[2] + A[3]) ∧ (A[2] > A[4]) and A[7] = A[8]
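As an added illustration (not code from the paper or from EXE/STP themselves), the following Python toy splits a path constraint into independent subsets by shared variables, then memoises satisfiability per subset so a later path that differs in only one conjunct does not re-query the solver for the unchanged subsets; the constraints and the brute-force stand-in for STP are constructed here.

```python
from collections import defaultdict
from itertools import product

# Constraint = (text, variables it reads, predicate over a concrete assignment).
# Variables are array indices into the symbolic input A; all constructed here.
def C(text, vars_, pred):
    return (text, frozenset(vars_), pred)

def independent_subsets(constraints):
    """Union-find over variables: constraints sharing a variable land together."""
    parent = {}
    def find(x):
        while parent.setdefault(x, x) != x:
            x = parent[x]
        return x
    for _, vs, _ in constraints:
        vs = sorted(vs)
        for v in vs[1:]:
            parent[find(v)] = find(vs[0])
    groups = defaultdict(list)
    for i, c in enumerate(constraints):
        key = find(min(c[1])) if c[1] else ("const", i)  # variable-free: own group
        groups[key].append(c)
    return [tuple(g) for g in groups.values()]

def brute_force_sat(subset, domain=range(4)):
    """Stand-in for STP: enumerate every assignment over a tiny domain."""
    vs = sorted(set().union(*(c[1] for c in subset)))
    return any(all(pred(dict(zip(vs, vals))) for _, _, pred in subset)
               for vals in product(domain, repeat=len(vs)))

class CachingSolver:
    """Memoises satisfiability per independent subset, keyed on constraint text."""
    def __init__(self, solve=brute_force_sat):
        self.solve, self.cache, self.solver_calls = solve, {}, 0

    def sat(self, subset):
        key = frozenset(text for text, _, _ in subset)
        if key not in self.cache:           # only unseen subsets reach the solver
            self.solver_calls += 1
            self.cache[key] = self.solve(subset)
        return self.cache[key]

    def path_feasible(self, constraints):
        return all(self.sat(s) for s in independent_subsets(constraints))

# The slide's path constraint: (A[1]=A[2]+A[3]) ∧ (A[2]>A[4]) ∧ (A[7]=A[8])
SLIDE_PATH = [
    C("A[1]=A[2]+A[3]", {1, 2, 3}, lambda e: e[1] == e[2] + e[3]),
    C("A[2]>A[4]", {2, 4}, lambda e: e[2] > e[4]),
    C("A[7]=A[8]", {7, 8}, lambda e: e[7] == e[8]),
]
```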

Experiments
bpf, pcre, udhcpd, expat and tcpdump

Search Heuristics
Every time EXE forks it must choose a path
By default, EXE uses depth-first search
Use heuristics to choose "interesting" paths

Search Heuristics
Their BFS uses a mixture of best-first and depth-first search
New heuristics are easy to plug in

Conclusion
EXE uses symbolic execution to find bugs
STP was co-designed to be fast
EXE was powerful enough to uncover bugs in real programs

Contributions
The decision procedure STP was created
Code can be tested through all paths at once
Does not rely on manual input or "luck"

Reference "EXE: automatically generating inputs of death", Cadar, Cristian and Ganesh, Vijay and Pawlowski, Peter M. and Dill, David L. and Engler, Dawson R., 13th ACM conference on Computer and communications security (CCS), 2006.

Questions?