Using Dynamic Compilers for Software Testing Ben Breech Lori Pollock John Cavazos.

Slides:

Advertisements

Similar presentations

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.

Advertisements

GCSE Computing Lesson 5.

CS 11 C track: lecture 7 Last week: structs, typedef, linked lists This week: hash tables more on the C preprocessor extern const.

Chapter 15 Debugging. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Debugging with High Level Languages.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Overcoming an UNTRUSTED COMPUTING BASE: Detecting and Removing Malicious Hardware Automatically Matthew Hicks Murph Finnicum Samuel T. King University.

Anshul Kumar, CSE IITD CSL718 : VLIW - Software Driven ILP Hardware Support for Exposing ILP at Compile Time 3rd Apr, 2006.

Autonomic Systems Justin Moles, Winter 2006 Enabling autonomic behavior in systems software with hot swapping Paper by: J. Appavoo, et al. Presentation.

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

Countering Trusting Trust with Diverse Double-Compiling (by David A Wheeler) Dan Frohlich.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Testing Without Executing the Code Pavlina Koleva Junior QA Engineer WinCore Telerik QA Academy Telerik QA Academy.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

A Comparison of Online and Dynamic Impact Analysis Algorithms Ben Breech Mike Tegtmeyer Lori Pollock University of Delaware.

RUGRAT: Runtime Test Case Generation using Dynamic Compilers Ben Breech NASA Goddard Space Flight Center Lori Pollock John Cavazos University of Delaware.

Design of a Framework for Testing Security Mechanisms for Program-Based Attacks Ben “Security” Breech and Lori Pollock University of Delaware.

OS Spring’03 Introduction Operating Systems Spring 2003.

PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection S. Lu, P. Zhou, W. Liu, Y. Zhou, J. Torrellas University.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

CS 104 Introduction to Computer Science and Graphics Problems Software and Programming Language (2) Programming Languages 09/26/2008 Yang Song (Prepared.

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

1 Chapter-01 Introduction to Computers and C++ Programming.

P51UST: Unix and Software Tools Unix and Software Tools (P51UST) Compilers, Interpreters and Debuggers Ruibin Bai (Room AB326) Division of Computer Science.

A Portable Virtual Machine for Program Debugging and Directing Camil Demetrescu University of Rome “La Sapienza” Irene Finocchi University of Rome “Tor.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Chapter 1: A First Program Using C#. Programming Computer program – A set of instructions that tells a computer what to do – Also called software Software.

Chapter 10: Compilers and Language Translation Invitation to Computer Science, Java Version, Third Edition.

Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:

© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Memory: Relocation.

CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

Chapter 1 Introduction. Chapter 1 - Introduction 2 The Goal of Chapter 1 Introduce different forms of language translators Give a high level overview.

Introduction to Compilers. Related Area Programming languages Machine architecture Language theory Algorithms Data structures Operating systems Software.

U NIVERSITY OF D ELAWARE C OMPUTER & I NFORMATION S CIENCES D EPARTMENT Optimizing Compilers CISC 673 Spring 2009 Overview of Compilers and JikesRVM John.

1 Compiler Design (40-414)  Main Text Book: Compilers: Principles, Techniques & Tools, 2 nd ed., Aho, Lam, Sethi, and Ullman, 2007  Evaluation:  Midterm.

Compilers: Overview/1 1 Compiler Structures Objective – –what are the main features (structures) in a compiler? , Semester 1,

CSCI1600: Embedded and Real Time Software Lecture 33: Worst Case Execution Time Steven Reiss, Fall 2015.

University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD.

Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.

Exploiting Instruction Streams To Prevent Intrusion Milena Milenkovic.

A Binary Agent Technology for COTS Software Integrity Anant Agarwal Richard Schooler InCert Software.

Whole Test Suite Generation. Abstract Not all bugs lead to program crashes, and not always is there a formal specification to check the correctness of.

VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.

Java Programming Fifth Edition Chapter 1 Creating Your First Java Classes.

A Framework For Trusted Instruction Execution Via Basic Block Signature Verification Milena Milenković, Aleksandar Milenković, and Emil Jovanov Electrical.

Memory Protection through Dynamic Access Control Kun Zhang, Tao Zhang and Santosh Pande College of Computing Georgia Institute of Technology.

Embedded Real-Time Systems

How to Detect Self-Modifying Code During Instruction-Set Simulation Pardo AMAS-BT 2009.

Lecture 3 Translation.

Buffer Overflow Defenses

CSCE 548 Secure Software Development Risk-Based Security Testing

Protecting Memory What is there to protect in memory?

14 Compilers, Interpreters and Debuggers

Protecting Memory What is there to protect in memory?

Introduction to programming

Language Translation Compilation vs. interpretation.

CS1101X Programming Methodology

APEx: Automated Inference of Error Specifications for C APIs

CSCI1600: Embedded and Real Time Software

Hwisoo So. , Moslem Didehban#, Yohan Ko

CSC-682 Advanced Computer Security

Chapter 15 Debugging.

Compiler Structures 1. Overview Objective

CSCI1600: Embedded and Real Time Software

Dynamic Binary Translators and Instrumenters

Chapter 15 Debugging.

Presentation transcript:

Using Dynamic Compilers for Software Testing Ben Breech Lori Pollock John Cavazos

Background: Static Compilers source code Lexical, syntactic, Semantic analysis Inter. Rep. (basic blocks) Static Analysis Optimization Code generation Executable Code Static Compiler

Background: Software Testing  Assesses quality of software Correctness, performance, security Correctness, performance, security  Most testing performed by executing code Executable Code Test Input Execute Program Results Expected Results Check Results (oracle)

Motivating Example if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); if ((sptr = malloc (size + 1)) == NULL) xlfail (“insufficient string space”); } How do I test this callsite?  Make the machine run out of memory?  Flip the conditional, recompile, flip back?  Pretend it doesn’t exist during testing?

Generalizing the Problem  Code to handle uncommon situations Difficult to test Difficult to test May need external environment event to trigger May need external environment event to trigger  Examples: Error handling code Error handling code Testing program security mechanisms Testing program security mechanisms

Observation  Hard to reach code executes when program thinks something uncommon has occurred if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); xlfail (“insufficient string space”); } if ((sptr = malloc (size + 1)) == NULL)  Could test findmem() by simulating error E.g., could add instructions to program so program believes malloc failed E.g., could add instructions to program so program believes malloc failed

RUGRAT Approach Use Dynamic Compilers to generate test cases for hard to reach code. Automatically add instructions to program during execution to simulate uncommon situation.

Dynamic Compilers  Dynamic compilers perform compilation tasks during program execution code Analysis & optimization Create basic block translate Basic block Mod. Basic block Execute on CPU Dynamic Compiler

RUGRAT Architecture code Analysis & optimization Create basic block translate Basic block Mod. Basic block Execute on CPU Dynamic Compiler Create basic block Dynatest Generator Test spec Test Oracle Test Report

Dynatest Generator  Decides when/where/how to add test Decision based on test specification Decision based on test specification  Test spec examples “test all mallocs in program” “test all mallocs in program” “test 2nd malloc call in function foo” “test 2nd malloc call in function foo”

Example if ((sptr = malloc (size + 1)) == NULL) { findmem (); findmem (); xlfail (“insufficient string space”); } if ((sptr = malloc (size + 1)) == NULL) call malloc (code for malloc) movl sptr cmpl sptr, 0 jnz L1 call findmem …. L1: … Dynatest Generator call malloc (code for malloc) movl 0, movl ENOMEM, errno movl sptr cmpl sptr, 0 jnz L1 call findmem …. L1: …

Good Times, Bad Times The Bad:  Not a perfect simulation The Good:  Adequate simulation  Can target system or appl calls  Saves quite a lot of tester effort

Security Mechanism Testing: Encrypting Function Pointers  Protects progs against func pointer attacks  Difficult to test (need vulnerable program and attack)  RUGRAT can simulate attack by adding instructions Very different from error handling code case Very different from error handling code case RUGRAT can be used for variety of testing tasks.

Experiments Summary  Tested variety programs with RUGRAT  120+ error code handling callsites covered Both application and system calls Both application and system calls  Increased error code coverage ~ 50% over regular test cases Not all error code statements could be covered Not all error code statements could be covered Different options, etcDifferent options, etc  Reasonable time overhead

Some related work  Holodeck [1], FIG [2] Require tester provide alternative “stub” functions to do testing Require tester provide alternative “stub” functions to do testing Miss application calls Miss application calls  Dynamic branch switching [3] Not originally intended for testing error code Not originally intended for testing error code Need to know which branch to change Need to know which branch to change Far less accurate simulation Far less accurate simulation [1] Thompson et al., SAC 2002 [2] Broadwell et al., SHAMAN 2002 [3] Zhang et al., ICSE 2006

Conclusions and Summary  Presented RUGRAT architecture Can test hard to reach (and seldom tested) code by using dynamic compilers Can test hard to reach (and seldom tested) code by using dynamic compilers Saves tester effort Saves tester effort  RUGRAT is a general tool

RUGRAT Architecture code Basic block Mod. Basic block Execute on CPU Dynamic Compiler Create basic block Dynatest Generator Test spec Test Oracle Test Report