Presentation is loading. Please wait.

Presentation is loading. Please wait.

EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.

Published byDale Doyle Modified over 9 years ago

Similar presentations

Presentation on theme: "EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on."— Presentation transcript:

1 EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on Computer and communications security (CCS), 2006 Presented By: Clayton Andrews

2 Outline EXE Motivation Real bugs How to use Example STP Optimization Experiments Search Heuristics Conclusion Contributions

3 EXE EXecution generated Executions An effective-bug finding tool Not manual or randomly constructed input Runs on symbolic input  allowed to be “anything”

4 EXE Code can generate its own test cases Runs the code on all inputs at once Follows all paths

5 Motivation Possible paths of code execution can be large  Manual testing far from exhaustive  Difficult for developers to reason all paths Random testing not sufficient  Suppose bug exists for 1 input of 100 trillion Dynamic tools require initial test cases  Presents same problem as manual test

6 Real Bugs Berkeley Packet Filter  Evil packet filters exploit buffer overruns udhcpd DHCP server  Generates packets that invalid reads/writes pcre library  Bad regular expressions that compromise

7 How to Use Simply call the method make_symbolic() on any input that is unconstrained Compiled using the EXE compiler, exe-cc Then compiled using a standard compiler  E.g. gcc

8 Example

9 STP EXE's constraint solver  More precisely a decision procedure Decision procedures  Determine satisfiability of logic formulas  Express constraints to satisfy an expression

10 STP Co-designed for EXE Faster than CVCL, a similar system  550x faster

11 Optimizations Caching  EXE caches results of satisfiability queries Constraint independence  Breaks apart constraints into subsets  (A[1]= A[2]+ A[3]) ∧ (A[2] >A[4]) ∧ (A[7]= A[8]) (A[1]= A[2]+ A[3]) ∧ (A[2] >A[4]) A[7]= A[8]

12 Experiments Bpf, pcre, udhcpd, expant and tcpdump

13 Search Heuristics Every time EXE forks it must choose a path By default, EXE uses depth-first search Use heuristics to choose “interesting” paths

14 Search Heuristics Their BFS uses a mixture of best-first and depth-first search New heuristics are easy to plugin

15 Conclusion EXE uses symbolic execution to find bugs STP was co-designed to be fast EXE was powerful enough to uncover bugs in real programs

16 Contributions The decision procedure STP was created Code can be tested through all paths at once Does not rely on manual input or “luck”

17 Reference "EXE: automatically generating inputs of death", Cadar, Cristian and Ganesh, Vijay and Pawlowski, Peter M. and Dill, David L. and Engler, Dawson R., 13th ACM conference on Computer and communications security (CCS), 2006.

18 Questions?

Download ppt "EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on."

Similar presentations

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,

All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, ThanassisAvgerinos,
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
KLEE: Effective Testing of Systems Programs

KLEE: Effective Testing of Systems Programs
1 Symbolic Execution Kevin Wallace, CSE504 2010-04-28.

1 Symbolic Execution Kevin Wallace, CSE
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Delta Debugging and Model Checkers for fault localization

Delta Debugging and Model Checkers for fault localization
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Fuzzing and Patch Analysis: SAGEly Advice. Introduction.

Fuzzing and Patch Analysis: SAGEly Advice. Introduction.
Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)

Control Flow Analysis (Chapter 7) Mooly Sagiv (with Contributions by Hanne Riis Nielson)
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.

Bouncer securing software by blocking bad input Miguel Castro Manuel Costa, Lidong Zhou, Lintao Zhang, and Marcus Peinado Microsoft Research.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.

1 Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation David Brumley, Juan.
Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.

Fast Paths in Concurrent Programs Wen Xu, Princeton University Sanjeev Kumar, Intel Labs. Kai Li, Princeton University.
Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)

Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)
ATOM: A System for Building Customized Program Analysis Tools.

ATOM: A System for Building Customized Program Analysis Tools.

Similar presentations

Ads by Google