Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evaluation of DART DART: Directed Automated Random Testing Godefroid, Klarlund, Sen.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Evaluation of DART DART: Directed Automated Random Testing Godefroid, Klarlund, Sen."— Presentation transcript:

1 Evaluation of DART DART: Directed Automated Random Testing Godefroid, Klarlund, Sen

2 Experimental Goals  Efficiency of DART directed search approach vs purely random search directed search approach vs purely random search AC-controller program AC-controller program Needham-Schroeder Protocol Needham-Schroeder Protocol  Effectiveness with a large program Open-source oSIP library, 30K LOC of C code Open-source oSIP library, 30K LOC of C code

3 Efficiency Experiment  AC-Controller Program: DART: DART: Explores all exec paths uptoExplores all exec paths upto depth=1 in 6 iterations and less than 1 seconddepth=1 in 6 iterations and less than 1 second Depth=2, find assertaion violation, 7 iterations, <1 secDepth=2, find assertaion violation, 7 iterations, <1 sec Random: Random: Does not find assertion violation after hoursDoes not find assertion violation after hours Probability to find inputs leading assertion = 2**64Probability to find inputs leading assertion = 2**64 Gets stuck in input-filtering codeGets stuck in input-filtering code

4 Another Efficiency Point  Needham-Schroeder security protocol program 406 lines of C code 406 lines of C code  DART: Took < 26 minutes on 2GHz machine to detect middle man attack  VeriSoft (model checker): Hours to detect

5 Effectiveness with Large App  oSIP (open-source) 30K LOC, 600 externally visible functions  DART: Found a way to crach 65% of oSIP functions within 1000 attempts of each function Found a way to crach 65% of oSIP functions within 1000 attempts of each function Most were deferencing a null pointer sent as an argument to a function Most were deferencing a null pointer sent as an argument to a function

6 Putting this work into Context  Colby, Godefroid, Jagadeesan 1998: automatically make program self-executable and systematically explore all behaviors Close program is simplified version Close program is simplified version  Considerable work on test-vector generation with symbolic exec Imprecise static analysis Imprecise static analysis  Dynamic Test generation only generate for specific paths only generate for specific paths Do not deal with function calls or library funcs Do not deal with function calls or library funcs

Download ppt "Evaluation of DART DART: Directed Automated Random Testing Godefroid, Klarlund, Sen."

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.

Leonardo de Moura Microsoft Research. Z3 is a new solver developed at Microsoft Research. Development/Research driven by internal customers. Free for.
Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008

Masahiro Fujita Yoshihisa Kojima University of Tokyo May 2, 2008
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Fuzzing and Patch Analysis: SAGEly Advice. Introduction.

Fuzzing and Patch Analysis: SAGEly Advice. Introduction.
Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.

Parallel Symbolic Execution for Structural Test Generation Matt Staats Corina Pasareanu ISSTA 2010.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.

Dynamic Symbolic Execution CS 8803 FPL Oct 31, 2012 (Slides adapted from Koushik Sen) 1.
Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.

Testing and Analysis of Device Drivers Supervisor: Abhik Roychoudhury Author: Pham Van Thuan 1.
A Comparison of Online and Dynamic Impact Analysis Algorithms Ben Breech Mike Tegtmeyer Lori Pollock University of Delaware.

A Comparison of Online and Dynamic Impact Analysis Algorithms Ben Breech Mike Tegtmeyer Lori Pollock University of Delaware.
CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.

CSE503: SOFTWARE ENGINEERING SYMBOLIC TESTING, AUTOMATED TEST GENERATION … AND MORE! David Notkin Spring 2011.
1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.

1 HOIST: A System for Automatically Deriving Static Analyzers for Embedded Systems John Regehr Alastair Reid School of Computing, University of Utah.
Pexxxx White Box Test Generation for

Pexxxx White Box Test Generation for
Problem Spaces & Search CSE 473. © Daniel S. Weld 2 473 Topics Agents & Environments Problem Spaces Search & Constraint Satisfaction Knowledge Repr’n.

Problem Spaces & Search CSE 473. © Daniel S. Weld Topics Agents & Environments Problem Spaces Search & Constraint Satisfaction Knowledge Repr’n.
PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.

PLDI’2005Page 1June 2005 DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC.
Concurrent, Distributed Systems Stock ExchangesTelecoms Commuter Rail.

Concurrent, Distributed Systems Stock ExchangesTelecoms Commuter Rail.

Similar presentations

Ads by Google