Outline: 1 Background, 2 Symbolic Execution, 3 Whitebox Fuzzing, 4 Summary
CS 6V81-05: System Security and Malicious Code Analysis
Symbolic Execution and Whitebox Fuzzing
Zhiqiang Lin
Department of Computer Science, University of Texas at Dallas
April 9th

Background: software security bugs can be very expensive
1 Cost of each Microsoft Security Bulletin: $Millions
2 Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions
3 Many security exploits are initiated via files or packets. Ex: MS Windows includes parsers for hundreds of file formats
4 A 0-day vulnerability means money/weapon
Security testing: hunting for million-dollar bugs
Hunting for Security Bugs
Black hat:
1 Code inspection (of binaries)
2 Blackbox fuzz testing

Blackbox fuzz testing
1 A form of blackbox random testing [Miller+90]
2 Randomly fuzz (= modify) a well-formed input
3 Grammar-based fuzzing: rules that encode well-formedness + heuristics about how to fuzz (e.g., using probabilistic weights)
Black-box fuzzing has been heavily used in security testing. Simple yet effective: many bugs have been found this way.

Introducing blackbox fuzzing
Examples: Peach, Protos, Spike, Autodafe, etc.
Why so many blackbox fuzzers? Because anyone can write (a simple) one in a weekend! Conceptually simple, yet effective.
Sophistication is in the add-ons:
- Test harnesses (e.g., for packet fuzzing)
- Grammars (for specific input formats)
No principled test generation:
- No attempt to cover each state/rule in the grammar
- When probabilities are used, no global optimization (simply random walks)

Idea: mix fuzz testing with dynamic test generation
1 Symbolic execution
2 Collect constraints on inputs
3 Negate those, solve with a constraint solver, generate new inputs
4 Do systematic dynamic test generation (= DART)
= DART meets Fuzz
Foundation: DART (Directed Automated Random Testing)
Key extensions ( ), implemented in SAGE [NDSS 08]
What is symbolic execution
Symbolic execution and program testing, King [Comm. ACM 1976], cited by 960.
- Analysis of programs with unspecified inputs
- Execute a program on symbolic inputs
- Symbolic states represent sets of concrete states
- Insight: code can generate its own test cases

A Complete Code Example/Demo with BitBlaze

```c
#include <stdio.h>

FILE *fp;

int main()
{
    char buffer[10];
    char a, b;
    scanf("%s", buffer);
    fp = fopen("/boot/input", "r");
    fscanf(fp, "%c%c", &a, &b);
    fclose(fp);
    if (a == 'x')
    {
        printf("WE ARE IN X\n");
        if (b == 'y')
            printf("WE ARE IN Y\n");
    }
    return 0;
}
```

Assembly (partially transcribed objdump listing; some addresses and opcode bytes are missing):

```
f4 <main>:
80481f4:  55                  push   %ebp
80481f5:  89 e5               mov    %esp,%ebp
80481f7:  83 ec 38            sub    $0x38,%esp
80481fa:  83 e4 f0            and    $0xfffffff0,%esp
       :  8d 45 e7            lea    -0x19(%ebp),%eax
       :                      mov    %eax,0x8(%esp)
      a:  c f9 5f 0a          movl   $0x80a5ff9,0x4(%esp)
       :
       :  a c 08              mov    0x80c5018,%eax
       :                      mov    %eax,(%esp)
      a:  e8 71 0c            call   8048ed0 <fscanf>
      f:  a c 08              mov    0x80c5018,%eax
       :                      mov    %eax,(%esp)
       :  e8 64 0d            call   8048fd0 <_IO_fclose>
      c:  80 7d e7 78         cmpb   $0x78,-0x19(%ebp)
       :  75 1e               jne    <main+0x9c>
       :  c fe 5f 0a 08       movl   $0x80a5ffe,(%esp)
       :  e8 02 0b            call   8048d80 <_IO_printf>
      e:  80 7d e6 79         cmpb   $0x79,-0x1a(%ebp)
       :  75 0c               jne    <main+0x9c>
       :  c b 60 0a 08        movl   $0x80a600b,(%esp)
      b:  e8 f0 0a            call   8048d80 <_IO_printf>
       :  b                   mov    $0x0,%eax
       :  c9                  leave
       :  c3                  ret
```

SAT Problem
Goal: the system needs to automatically generate the input for /boot/input with the content below (the two compared bytes are `cmpb $0x78` for 'x' and `cmpb $0x79` for 'y' in the listing).
/boot/input: xy000

SAT
In computer science, satisfiability (often written in all capitals or abbreviated SAT) is the problem of determining if the variables of a given Boolean formula can be assigned in such a way as to make the formula evaluate to TRUE. In complexity theory, the satisfiability problem (SAT) is a decision problem whose instance is a Boolean expression written using only AND, OR, NOT, variables, and parentheses. The question is: given the expression, is there some assignment of TRUE and FALSE values to the variables that will make the entire expression true?
Background: foundations and tools for symbolic execution

Decision Problem
Definition: in computability theory and computational complexity theory, a decision problem is a question in some formal system with a yes-or-no answer, depending on the values of some input parameters.

Basic Concepts
Literal: a literal p is a variable x or its negation ¬x.
Clause: a clause C is a disjunction of literals: x1 ∨ x2 ∨ x3
CNF: a CNF is a conjunction of clauses: (x2 ∨ x41 ∨ x15) ∧ (x6 ∨ x2) ∧ (x31 ∨ x41 ∨ x6 ∨ x156) (negation marks on individual literals are not shown)

SAT Problem
The SAT problem is:
1 Find a Boolean assignment
2 such that each clause has a true literal
SAT is an NP-complete problem; it was the first problem shown to be NP-complete (1971).

Yices Example/Demo

```c
#include <stdio.h>
#include "yices_c.h"

int main() {
    yices_context ctx = yices_mk_context();
    yices_type ty = yices_mk_type(ctx, "int");
    yices_var_decl xdecl = yices_mk_var_decl(ctx, "x", ty);
    yices_var_decl ydecl = yices_mk_var_decl(ctx, "y", ty);
    yices_expr x = yices_mk_var_from_decl(ctx, xdecl);
    yices_expr y = yices_mk_var_from_decl(ctx, ydecl);
    yices_expr n1 = yices_mk_num(ctx, 2);
    yices_expr n2 = yices_mk_num(ctx, 1);
    yices_expr args[2];
    args[0] = x; args[1] = n1;
    yices_expr e1 = yices_mk_sum(ctx, args, 2);   // x + 2
    args[0] = y; args[1] = n2;
    yices_expr e2 = yices_mk_sub(ctx, args, 2);   // y - 1
    yices_expr c1 = yices_mk_le(ctx, e1, e2);     // x + 2 <= y - 1
    yices_assert(ctx, c1);
    switch (yices_check(ctx)) {
    case l_true: {
        printf("satisfiable\n");
        yices_model m = yices_get_model(ctx);     // ask for a witness
        yices_display_model(m);
        break;
    }
    case l_false:
        printf("unsatisfiable\n");
        break;
    default:                                      // l_undef: solver gave up
        printf("unknown\n");
        break;
    }
    yices_del_context(ctx);
    return 0;
}
```

The same problem in Yices input syntax:

```
(define x::int)
(define y::int)
(assert (<= (+ x 2) (- y 1)))
(check)
```

Result: satisfiable, (= x -3) (= y 0)
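The SAT definitions above (literal, clause, CNF, "each clause has a true literal") are small enough to implement directly. The following DPLL solver is an added example, not the lecture's code and not Yices or STP; the names parse_cnf, simplify, dpll and is_model are made up here, and the CNF instance is constructed in the slide's shape with a few literals negated, since the slide shows none.

```python
# Minimal DPLL SAT solver for CNF formulas in the slide's literal/clause/CNF
# notation. Added example: not the lecture's code and not Yices or STP.
# parse_cnf, simplify, dpll and is_model are names made up for this example.


def parse_cnf(text):
    """Parse "(x2 | ~x41 | x15) & (~x6 | x2)" into a list of clauses.

    A literal is a variable name, optionally prefixed with '~' for negation;
    each clause becomes a frozenset of (variable, polarity) pairs, where
    polarity True is the positive literal and False the negated one.
    """
    clauses = []
    for part in text.split('&'):
        part = part.strip().strip('()')
        clause = frozenset((lit.strip().lstrip('~'), not lit.strip().startswith('~'))
                           for lit in part.split('|'))
        clauses.append(clause)
    return clauses


def simplify(clauses, var, value):
    """Apply the assignment var := value.

    Clauses containing the now-true literal are satisfied and dropped; the
    now-false literal is removed from the remaining clauses. Returns None when
    a clause becomes empty, i.e. the assignment is in conflict.
    """
    out = []
    for clause in clauses:
        if (var, value) in clause:
            continue
        rest = frozenset(lit for lit in clause if lit[0] != var)
        if not rest:
            return None
        out.append(rest)
    return out


def dpll(clauses, model=None):
    """Return a satisfying assignment {var: bool}, or None if UNSAT.

    Unit propagation to a fixpoint first, then branch on one variable of the
    first remaining clause. Variables absent from the model are don't-cares.
    """
    model = dict(model or {})
    while True:                                   # unit propagation
        unit = next((c for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        (var, value), = unit
        model[var] = value
        clauses = simplify(clauses, var, value)
        if clauses is None:
            return None
    if not clauses:                               # every clause satisfied
        return model
    var = min(v for v, _ in clauses[0])           # deterministic branching choice
    for value in (True, False):
        reduced = simplify(clauses, var, value)
        if reduced is None:
            continue
        result = dpll(reduced, {**model, var: value})
        if result is not None:
            return result
    return None


def is_model(clauses, model):
    """Check the slide's criterion: every clause has at least one true literal."""
    return all(any(model.get(v, False) == pol for v, pol in c) for c in clauses)


# Constructed instance in the slide's shape, with some literals negated.
SLIDE_CNF = "(x2 | ~x41 | x15) & (~x6 | x2) & (x31 | x41 | x6 | ~x156)"

if __name__ == "__main__":
    print(dpll(parse_cnf(SLIDE_CNF)))
    print(dpll(parse_cnf("(a | b) & (~a | b) & (a | ~b) & (~a | ~b)")))  # None
```

The returned model only assigns the variables that were needed to satisfy every clause, which is what a solver's witness looks like in practice; is_model re-checks it against the original clauses, the same check a symbolic execution engine should do on a solver's answer before trusting it as a new test input.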
STP Example

```
x0 : BITVECTOR(8);
x1 : BITVECTOR(8);
x2 : BITVECTOR(8);
x3 : BITVECTOR(8);
QUERY(NOT(NOT((~((IF (((x3@(x2@(x1@x0))) = 0hex64616221)) THEN (0b1) ELSE (0b0) ENDIF)) = 0b1))));
```

Result: Invalid. ASSERT( x3 = 0hex64 ); ASSERT( x0 = 0hex21 ); ASSERT( x2 = 0hex61 ); ASSERT( x1 = 0hex62 );
(The 32-bit constant in the query is read back from this counterexample: x3@x2@x1@x0 = 0hex64616221. "Invalid" means the queried formula is not valid, and the ASSERT lines are the assignment that falsifies it, i.e. the input that takes the branch.)

Path constraint for

```c
char x, y;
if (x * y == 16)
```

```
x : BITVECTOR(8);
y : BITVECTOR(8);
QUERY(NOT(BVMULT(8, x, y) = 0hex10));
```

Results: Invalid. ASSERT( y = 0hex05 ); ASSERT( x = 0hexD0 );
(0xD0 * 0x05 = 0x410, which is 0x10 modulo 256: BVMULT(8, ...) multiplies with 8-bit wraparound. Note that the C expression promotes both chars to int before multiplying, so 0xD0 * 0x05 compares against 16 as 1040, or as -240 for signed char; the 8-bit model only matches the C code if the product is truncated back to a char. A path constraint narrower than the program's real arithmetic can yield inputs that do not actually take the path, which is one reason to re-run every solver-generated input concretely.)

Mostly used SMT Solvers
Z3: a high-performance theorem prover being developed at Microsoft Research. Z3 supports linear real and integer arithmetic, fixed-size bit-vectors, extensional arrays, uninterpreted functions, and quantifiers.
Yices: an efficient SMT solver that decides the satisfiability of arbitrary formulas containing uninterpreted function symbols with equality, linear real and integer arithmetic, scalar types, recursive datatypes, tuples, records, extensional arrays, fixed-size bit-vectors, quantifiers, and lambda expressions.
MiniSmt: a simple SMT solver for non-linear arithmetic based on MiniSat and Yices.
CVC3: an automatic theorem prover for Satisfiability Modulo Theories (SMT) problems. It can be used to prove the validity (or, dually, the satisfiability) of first-order formulas in a large number of built-in logical theories and their combination.
Mostly used SMT Solvers (continued)
STP: a constraint solver (also referred to as a decision procedure or automated prover) aimed at solving constraints generated by program analysis tools, theorem provers, automated bug finders, biology, cryptography, intelligent fuzzers and model checkers. STP has been used in many research projects at Stanford, Berkeley, MIT, CMU and other universities.

Symbolic execution: background
- For each path, build a path condition: the condition on the inputs for the execution to follow that path.
- Check path condition satisfiability (a SAT problem); explore only feasible paths.
- When the execution path diverges, fork, adding constraints on the symbolic values.
- When we terminate (or crash), use a constraint solver to generate a concrete input.
Symbolic state:
- symbolic values/expressions for variables
- path condition
- program counter

Symbolic execution: example (slides courtesy of Gabriel Campana, "Fuzzgrind: an automatic fuzzing tool")
input = "\x06\x00\x00\x00\x0f\x00\x00\x00"
Fuzzing
Basic idea: search for software implementation errors by injecting invalid data.
Test generation: random mutation; model-based.
How it works: make fuzzing completely automatic. Give it a target program and an input; new inputs are generated automatically; wait for crashes.

Tools for fuzzing
Open source: Sulley, SPIKE, Peach
Academia: [NDSS 2008], IntScope [NDSS 2009], SmartFuzz [USENIX Security 2009], BuzzFuzz [ICSE 2009], Checksum-aware Fuzz [Oakland 2010]

Whitebox fuzzing
Insight: use algebraic expressions to represent the variable values throughout the execution of the program.
Basic idea:
1 Symbolically execute the target program on a given input
2 Analyze the execution path and extract the path conditions that depend on the input
3 Negate each path condition
4 Solve the constraints and generate new test inputs
This algorithm is repeated until all execution paths are (ideally) covered.
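The four-step loop just described (and the "negate those, solve, generate new inputs" idea from the DART slide earlier) fits in a few dozen lines once the program under test is instrumented. The following is an added example, not the lecture's code and not DART, SAGE or Fuzzgrind: Tracer, target, solve and concolic are names made up here, the program under test is modelled on the slide-3 example (a == 'x', then b == 'y') with one 8-bit multiplication check in the style of the STP slide, and a backtracking search over 8-bit bytes stands in for an SMT solver such as STP or Yices. The byte indices handed to each branch play the role of the taint information a real engine would track.

```python
# Toy concolic (DART-style) test generator: run the program on a concrete
# input, record the path condition, negate one branch at a time, solve for a
# new input, repeat. Added example: not the lecture's code and not DART, SAGE
# or Fuzzgrind. Tracer, target, solve and concolic are names made up here; a
# small backtracking search over 8-bit bytes stands in for an SMT solver.


class Tracer:
    """Runs the target on a concrete input and records the path condition.

    Every branch is stored as (predicate, byte_indices, outcome): predicate is
    a function of the whole input buffer, byte_indices names the input bytes it
    depends on (the taint information a real engine would track), and outcome
    is the direction the concrete execution actually took.
    """

    def __init__(self, concrete_input):
        self.input = list(concrete_input)
        self.path = []

    def branch(self, predicate, byte_indices):
        taken = bool(predicate(self.input))
        self.path.append((predicate, tuple(byte_indices), taken))
        return taken


def target(t):
    """Program under test, modelled on the slide-3 example (a == 'x', then
    b == 'y') plus one 8-bit multiplication check like the STP slide."""
    if t.branch(lambda inp: inp[0] == ord('x'), [0]):
        if t.branch(lambda inp: inp[1] == ord('y'), [1]):
            # truncate to 8 bits explicitly, exactly like BVMULT(8, ...)
            if t.branch(lambda inp: (inp[1] * inp[2]) & 0xFF == 0x10, [1, 2]):
                return "bug"
            return "in y"
        return "in x"
    return "nothing"


def solve(constraints, length):
    """Find an input satisfying every (predicate, byte_indices, wanted) triple.

    Backtracks over the involved bytes in index order and checks a constraint
    as soon as all of its bytes are assigned (forward checking), so a pinned
    byte prunes the search immediately. Returns a list of ints, or None when
    the path condition is infeasible.
    """
    assignment = [0] * length
    involved = sorted({i for _, idxs, _ in constraints for i in idxs})

    def consistent(assigned):
        return all(bool(pred(assignment)) == wanted
                   for pred, idxs, wanted in constraints
                   if all(i in assigned for i in idxs))

    def search(pos, assigned):
        if pos == len(involved):
            return True
        i = involved[pos]
        now = assigned | {i}
        for value in range(256):
            assignment[i] = value
            if consistent(now) and search(pos + 1, now):
                return True
        assignment[i] = 0
        return False

    return list(assignment) if search(0, frozenset()) else None


def concolic(seed, length, max_runs=50):
    """DART loop. Returns the (input, result) pairs in discovery order."""
    worklist, seen, results = [list(seed)], set(), []
    while worklist and len(results) < max_runs:
        inp = worklist.pop(0)
        if tuple(inp) in seen:
            continue
        seen.add(tuple(inp))
        tracer = Tracer(inp)
        results.append((inp, target(tracer)))
        # one candidate per branch on this path: keep the prefix, flip the branch
        for k, (pred, idxs, taken) in enumerate(tracer.path):
            new = solve(tracer.path[:k] + [(pred, idxs, not taken)], length)
            if new is not None:
                worklist.append(new)
    return results


if __name__ == "__main__":
    for inp, result in concolic([0, 0, 0], 3):
        print(bytes(inp), result)
```

Starting from an all-zero seed, the loop reaches the "nothing", "in x", "in y" and "bug" outcomes in four runs, each new input produced by flipping exactly one recorded branch. The infeasible case matters as much as the feasible ones: asking for a == 'x', b == 'y' and a * b == 0x10 (mod 256) at once has no solution, and solve reports None rather than inventing an input, which is what keeps the loop from chasing paths the program cannot take.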
A Complete Code Example with Fuzzgrind

```c
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

#define ERROR(x) do { perror(x); exit(-1); } while (0)

/* The compared constant was lost in the transcription; this value is read
   back from the solver's counterexample below (x3 = 0x64, x2 = 0x61,
   x1 = 0x62, x0 = 0x21, little-endian). */
#define MAGIC 0x64616221

int main(int argc, char *argv[]) {
    char buffer[5] = { 0 };
    int fd;
    if (argc != 2) {
        printf("usage: %s <file>\n", argv[0]);
        exit(-1);
    }
    if ((fd = open(argv[1], O_RDONLY)) == -1) {
        ERROR("open");
    }
    if (read(fd, buffer, 4) != 4) {
        ERROR("read");
    }
    if (*(int *)buffer == MAGIC) {
        printf("ok, vulnerability\n");
    }
    return 0;
}
```

Path Constraint

```
x0 : BITVECTOR(8);
x1 : BITVECTOR(8);
x2 : BITVECTOR(8);
x3 : BITVECTOR(8);
QUERY(NOT(NOT((~((IF (((x3@(x2@(x1@x0))) = 0hex64616221)) THEN (0b1) ELSE (0b0) ENDIF)) = 0b1))));
```

Results: Invalid. ASSERT( x3 = 0hex64 ); ASSERT( x0 = 0hex21 ); ASSERT( x2 = 0hex61 ); ASSERT( x1 = 0hex62 );

Internals of Fuzzgrind
1 Dynamic Binary Instrumentation: at run time, disassemble instructions and capture their semantics and constraints
2 Data Flow (Taint) Capturing and Analysis: associate each constraint with the input bytes it depends on
3 Constraint Solving: query and solve the constraints to generate a new input
4 System events, control-flow handler (optional): run the program with the new state

Summary
Advantages
1 Symbolic execution is promising in vulnerability discovery
2 It can drive the program to run a desired path
Research Problems
1 Symbolic execution cannot handle complicated constraints
2 It doesn't provide clues on how to fuzz and get the vulnerability
3 Vulnerable code identification is still needed
References
- James C. King, Symbolic execution and program testing, Communications of the ACM, volume 19, number 7, 1976.
- DART: Directed Automated Random Testing, PLDI 2005.
- Patrice Godefroid, Michael Y. Levin, David Molnar, Automated Whitebox Fuzz Testing, NDSS 2008.
- Grammar-Based, PLDI
More information8.1 Polynomial-Time Reductions
8.1 Polynomial-Time Reductions Classify Problems According to Computational Requirements Q. Which problems will we be able to solve in practice? A working definition. Those with polynomial-time algorithms.
More informationEfficient Circuit to CNF Conversion
Efficient Circuit to CNF Conversion Panagiotis Manolios and Daron Vroon College of Computing, Georgia Institute of Technology, Atlanta, GA, 30332, USA http://www.cc.gatech.edu/home/{manolios,vroon} Abstract.
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationCONSTRAINT SOLVING. Lecture at NYU Poly
CONSTRAINT SOLVING Lecture at NYU Poly WHO AM I John Villamil Senior Research Scientist at Accuvant Previously at Matasano Started at Mandiant jvillamil@accuvant.com @day6reak ONCE UPON A TIME I asked
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More information238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018
238P: Operating Systems Lecture 7: Basic Architecture of a Program Anton Burtsev January, 2018 What is a program? What parts do we need to run code? Parts needed to run a program Code itself By convention
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationGNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK
1 GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK Tool architecture User view Source gnatprove Verdict 2 Tool architecture More detailed view... Source Encoding CVC4 gnat2why gnatwhy3
More informationWhy files? 1. Storing a large amount of data 2. Long-term data retention 3. Access to the various processes in parallel
1 File System Why files? 1. Storing a large amount of data 2. Long-term data retention 3. Access to the various processes in parallel 2 Basic Terms File Structures Field basic unit of data. Contains single
More informationCSCI-243 Exam 2 Review February 22, 2015 Presented by the RIT Computer Science Community
CSCI-43 Exam Review February, 01 Presented by the RIT Computer Science Community http://csc.cs.rit.edu C Preprocessor 1. Consider the following program: 1 # include 3 # ifdef WINDOWS 4 # include
More informationFinal Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:
Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering Final Exam Name: This exam is open book and notes. Read the questions carefully and focus your answers on what has been
More informationOpenSMT2: An SMT Solver for Multi-Core and Cloud Computing
OpenSMT2: An SMT Solver for Multi-Core and Cloud Computing Antti E. J. Hyvärinen, Matteo Marescotti, Leonardo Alt, and Natasha Sharygina Faculty of Informatics, University of Lugano Via Giuseppe Buffi
More informationMixed Integer Linear Programming
Mixed Integer Linear Programming Part I Prof. Davide M. Raimondo A linear program.. A linear program.. A linear program.. Does not take into account possible fixed costs related to the acquisition of new
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationPredicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning
Fakultät für Informatik Technische Universität München 26th USENIX Security Symposium Predicting the Resilience of Obfuscated Code Against Symbolic Execution Attacks via Machine Learning Sebastian Banescu
More informationSmall Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis
Small Formulas for Large Programs: On-line Constraint Simplification In Scalable Static Analysis Isil Dillig, Thomas Dillig, Alex Aiken Stanford University Scalability and Formula Size Many program analysis
More informationTIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley
TIE: Principled Reverse Engineering of Types in Binary Programs! JongHyup Lee, Thanassis Avgerinos, and David Brumley Reverse engineering on binary programs! 1.Code structure 2.Data abstractions TIE 2
More information