DART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley
|
|
- Kristopher Allen
- 5 years ago
- Views:
Transcription
1 DAR: Directed Automated Random esting CUE: Concolic Unit esting Engine Slide Source: Koushik Sen from Berkeley
2 Verification and esting We would like to prove programs correct
3 Verification and esting We would like to prove programs correct World prefers to test and validate
4 Verification and esting We would like to prove programs correct World prefers to test and validate Evidence: 50%-80% software development cost goes into testing only Why?
5 Verification and esting We would like to prove programs correct World prefers to test and validate Evidence: 50%-80% software development cost goes into testing only Why? One Reason: esting can expose Unforeseen Behaviors
6 Goals of esting Generate test inputs Execute program on generated test inputs Catch assertion violations Problem: how to ensure that all reachable ments are executed Solution: Explore all feasible execution paths
7 of Programs All Possible Paths Binary tree Non- Conditional Statements Conditional Statements Computation tree Internal node conditional ment execution Edge execution of a sequence of nonconditional ments Each path in the tree represents an equivalence class of inputs
8 Concolic esting Combine random testing (concrete execution) and symbolic testing (symbolic execution) Concrete + Symbolic = Concolic
9 Running Example int double (int v) { return 2*v; void testme (int x, int y) { z = double (y); if (z == x) { if (x > y+10) { ERROR;
10 Running Example int double (int v) { return 2*v; void testme (int x, int y) { N 2*y == x Y z = double (y); if (z == x) { N x > y+10 Y if (x > y+10) { ERROR; ERROR
11 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); x = 22, y = 7 x = x 0, y = y 0 if (z == x) { if (x > y+10) { ERROR;
12 Concolic esting Approach int double (int v) { return 2*v; void testme (int x, int y) { concrete Concrete symbolic Symbolic path condition z = double (y); if (z == x) { if (x > y+10) { x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0 ERROR;
13 Concolic esting Approach int double (int v) { return 2*v; void testme (int x, int y) { z = double (y); concrete Concrete symbolic Symbolic path condition if (z == x) { 2*y 0!= x 0 if (x > y+10) { ERROR; x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0
14 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); Solve: 2*y 0 == x 0 Solution: x 0 = 2, y 0 = 1 if (z == x) { 2*y 0!= x 0 if (x > y+10) { ERROR; x = 22, y = 7, z = 14 x = x 0, y = y 0, z = 2*y 0
15 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); x = 2, y = 1 x = x 0, y = y 0 if (z == x) { if (x > y+10) { ERROR;
16 Concolic esting Approach int double (int v) { return 2*v; void testme (int x, int y) { concrete Concrete symbolic Symbolic path condition z = double (y); if (z == x) { if (x > y+10) { x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0 ERROR;
17 Concolic esting Approach int double (int v) { return 2*v; void testme (int x, int y) { z = double (y); concrete Concrete symbolic Symbolic path condition if (z == x) { if (x > y+10) { x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0 2*y 0 == x 0 ERROR;
18 Concolic esting Approach int double (int v) { return 2*v; void testme (int x, int y) { z = double (y); concrete Concrete symbolic Symbolic path condition if (z == x) { if (x > y+10) { 2*y 0 == x 0 x 0 y ERROR; x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0
19 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); Solve: (2*y 0 == x 0 ) Æ (x 0 > y ) Solution: x 0 = 30, y 0 = 15 if (z == x) { if (x > y+10) { 2*y 0 == x 0 x 0 y ERROR; x = 2, y = 1, z = 2 x = x 0, y = y 0, z = 2*y 0
20 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); x = 30, y = 15 x = x 0, y = y 0 if (z == x) { if (x > y+10) { ERROR;
21 Concolic esting Approach int double (int v) { return 2*v; concrete Concrete symbolic Symbolic path condition void testme (int x, int y) { z = double (y); Program Error if (z == x) { if (x > y+10) { 2*y 0 == x 0 x 0 > y ERROR; x = 30, y = 15 x = x 0, y = y 0
22 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
23 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
24 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
25 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
26 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
27 Explicit Path (not State) Model Checking raverse all execution paths one by one to detect errors assertion violations program crash uncaught exceptions combine with valgrind to discover memory errors
28 Directed Search: Summary Dynamic test generation to direct executions along alternative program paths collect symbolic constraints at branch points (whenever possible) negate one constraint at a branch point to take other branch (say b) call constraint solver with new path constraint to generate new test inputs next execution driven by these new test inputs to take alternative branch b check with dynamic instrumentation that branch b is indeed taken Repeat this process until all execution paths are covered May never terminate! Significantly improves code coverage vs. pure random testing
29 DAR for C: Implementation Details prgm.c CIL (Berkeley) dart (OCaml, C) test_driver.c prgm_instrumented.c dart.c C compiler prgm.exe Constraint solver(s) (e.g., lp_solve.so) 3 possible outcomes: Error found Complete coverage Run forever
30 DAR: Success Stories ested a C implementation of a security protocol (Needham- Schroeder) with a known attack About 400 lines of C code; experiments on a Linux 800Mz P-III machine DAR takes less than 2 seconds (664 runs) to discover a (partial) attack, with an unconstrained (possibilistic) intruder model DAR takes 18 minutes (328,459 runs) to discover a (full) attack, with a realistic (Dolev-Yao) intruder model DAR found a new bug in this C implementation of Lowe s fix to the NS protocol (after 22 minutes of search; bug confirmed by the code s author) In contrast, a systematic -space search of this program composed with a concurrent nondeterministic intruder model using VeriSoft (a sw model checker) does not find the attack
31 Limitations Path Space of a Large Program is Huge Path Explosion Problem Entire Computation ree
32 Limitations Path Space of a Large Program is Huge Path Explosion Problem Entire Computation ree Explored by Concolic esting
33 Limitations Path Space of a Large Program is Huge Path Explosion Problem Entire Computation ree How bad is this in Practice? or a simple parser (PL/0) concolic testing failed to generate a valid program within 24 hours. or the vi editor, CUE only tested 3 character long inputs Explored by Concolic esting
DART: Directed Automated Random Testing
DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC Presented by Wei Fang January 22, 2015 PLDI 2005 Page 1 June 2005 Motivation Software testing:
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationTiming Analysis of Event-Driven Programs with Directed Testing
iming Analysis of Event-Driven Programs with Directed esting Mahdi Eslamimehr Hesam Samimi {eslamimehr, samimi@ucla.edu Communications Design Group, SAP Labs alk Outline Introduction oyota UA Case Problem
More informationSymbolic Execution, Dynamic Analysis
Symbolic Execution, Dynamic Analysis http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Symbolic execution Pavel Parízek Symbolic Execution, Dynamic Analysis
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationSymbolic Execu.on. Suman Jana
Symbolic Execu.on Suman Jana Acknowledgement: Baishakhi Ray (Uva), Omar Chowdhury (Purdue), Saswat Anand (GA Tech), Rupak Majumdar (UCLA), Koushik Sen (UCB) What is the goal? Tes.ng Tes%ng approaches are
More informationTesting. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?
Testing ECE/CS 5780/6780: Embedded System Design Scott R. Little Lecture 24: Introduction to Software Testing and Verification What is software testing? Running a program in order to find bugs (faults,
More informationSymbolic Execution for Bug Detection and Automated Exploit Generation
Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, 2016 1 / 29 Daniele Cono D Elia Symbolic Execution
More informationDART: Directed Automated Random Testing
DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Bell Laboratories, Lucent Technologies {god,klarlund@bell-labs.com Koushik Sen Computer Science Department University of Illinois
More informationn HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!
Announcements SMT Solvers, Symbolic Execution n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week! n Presentations n Some of
More informationThree Important Testing Questions
Testing Part 2 1 Three Important Testing Questions How shall we generate/select test cases? Did this test execution succeed or fail? How do we know when we ve tested enough? 65 1. How do we know when we
More informationLATEST : Lazy Dynamic Test Input Generation
LATEST : Lazy Dynamic Test Input Generation Rupak Majumdar Koushik Sen Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2007-36 http://www.eecs.berkeley.edu/pubs/techrpts/2007/eecs-2007-36.html
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationCombining Model Checking and Testing
Combining Model Checking and Testing Patrice Godefroid Abstract Model checking and testing have a lot in common. Over the last two decades, significant progress has been made on how to broaden the scope
More informationApplications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo
Applications of Logic in Software Engineering CS402, Spring 2016 Shin Yoo Acknowledgements I borrow slides from: Moonzoo Kim Theo C. Ruys (http://spinroot.com/spin/doc/ SpinTutorial.pdf) CBMC & Daniel
More informationAutomated Software Testing in the Absence of Specifications
Automated Software Testing in the Absence of Specifications Tao Xie North Carolina State University Department of Computer Science Nov 2005 http://www.csc.ncsu.edu/faculty/xie/ Why Automate Testing? Software
More informationEmblematic Execution for Software Testing based on DART AND CUTE
Emblematic Execution for Software Testing based on DART AND CUTE K. K. V. D. Hari Prasad 1, Ch. V. Phani Krishna and V. Samson Deva Kumar 3 1 Student, IV/IV B.Tech, Department of Computer Science Engineering,
More informationStatic Analysis and Bugfinding
Static Analysis and Bugfinding Alex Kantchelian 09/12/2011 Last week we talked about runtime checking methods: tools for detecting vulnerabilities being exploited in deployment. So far, these tools have
More informationConcolic Testing of Sequential and Concurrent Programs
Concolic Testing of Sequential and Concurrent Programs Koushik Sen University of California, Berkeley ksen@cs.berkeley.edu and Darko Marinov University of Illinois at Urbana Champaign marinov@cs.uiuc.edu
More informationAnalysis/Bug-finding/Verification for Security
Analysis/Bug-finding/Verification for Security VIJAY GANESH University of Waterloo Winter 2013 Analysis/Test/Verify for Security Instrument code for testing Heap memory: Purify Perl tainting (information
More informationAn Eclipse Plug-in for Model Checking
An Eclipse Plug-in for Model Checking Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala Electrical Engineering and Computer Sciences University of California, Berkeley, USA Rupak Majumdar Computer Science
More informationSoftware Model Checking
20 ans de Recherches sur le Software Model Checking 1989 1994 2006 2009 Université de Liège Bell Labs Microsoft Research Patrice Godefroid Page 1 Mars 2009 Model Checking A B C Each component is modeled
More informationSymbolic Execution. Wei Le April
Symbolic Execution Wei Le 2016 April Agenda What is symbolic execution? Applications History Interal Design: The three challenges Path explosion Modeling statements and environments Constraint solving
More informationActive Testing for Concurrent Programs
Active Testing for Concurrent Programs Pallavi Joshi, Mayur Naik, Chang-Seo Park, Koushik Sen 12/30/2008 ROPAS Seminar ParLab, UC Berkeley Intel Research Overview ParLab The Parallel Computing Laboratory
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationImproving Program Testing and Understanding via Symbolic Execution
Improving Program Testing and Understanding via Symbolic Execution Kin-Keung Ma PhD Dissertation Defense December 9 th, 2011 Motivation } Every year, billions of dollars are lost due to software system
More informationSymbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois
Symbolic Execution Joe Hendrix Galois, Inc SMT Summer School 2015 Galois, Inc We solve hard research problems for clients. Symbolic Execution is a technique for mapping code into logic. is widely used
More informationAutomated Test-Input Generation
Automated Test-Input Generation Tao Xie North Carolina State University Department of Computer Science Nov 2005 http://www.csc.ncsu.edu/faculty/xie/ Why Automate Testing? Software testing is important
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen, Darko Marinov, Gul Agha Department of Computer Science University of Illinois at Urbana-Champaign {ksen,marinov,agha}@cs.uiuc.edu ABSTRACT In unit
More informationAutomated Software Testing
Automated Software Testing for the 21 st Century Patrice Godefroid Microsoft Research Page 1 June 2015 Outline Two parts: 1. Some recent advances on automated software testing Technical developments Applications
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationSoftware Model Checking. Xiangyu Zhang
Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions
More informationSoftware Testing CS 408. Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18
Software Testing CS 408 Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18 Relevant Papers CUTE: A Concolic Unit Testing Engine for C Koushik Sen, Darko Marinov, Gul Agha Department of
More informationPrinciples of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)
Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems) More Analysis for Functional Correctness Jonathan Aldrich Charlie Garrod School of Computer Science
More informationActive Testing for Concurrent Programs
Active Testing for Concurrent Programs Pallavi Joshi Mayur Naik Chang-Seo Park Koushik Sen 1/8/2009 ParLab Retreat ParLab, UC Berkeley Intel Research Overview Checking correctness of concurrent programs
More informationSymbolic Execution for Software Testing: Three Decades Later
doi:10.1145/2408776.2408795 The challenges and great promise of modern symbolic execution techniques, and the tools to help implement them. By Cristian Cadar and Koushik Sen Symbolic Execution for Software
More informationDirected Random Testing*
Directed Random Testing* Wolfram Schulte Microsoft Research Soqua 11/2006 Wasformerlyanouncedas: ChalengeProblemsinTesting 1 What my team does Static program verification & language design Verifying multi-threaded
More informationEnvironment Modeling for Automated Testing of Cloud Applications
Environment Modeling for Automated Testing of Cloud Applications Linghao Zhang 1,2, Tao Xie 2, Nikolai Tillmann 3, Peli de Halleux 3, Xiaoxing Ma 1, Jian lv 1 1 Nanjing University, China, 2 North Carolina
More informationAutomated Testing of Cloud Applications
Automated Testing of Cloud Applications Linghao Zhang, Tao Xie, Nikolai Tillmann, Peli de Halleux, Xiaoxing Ma, Jian lv {lzhang25, txie}@ncsu.edu, {nikolait, jhalleux}@microsoft.com, {xxm, lj}@nju.edu.cn
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationWelcome to Software Analysis and Testing.
Welcome to Software Analysis and Testing. In this course, we will be diving deep into the theory and practice of software analysis, which lies at the heart of many software development processes such as
More informationAutomated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar
Automated Whitebox Fuzz Testing by - Patrice Godefroid, - Michael Y. Levin and - David Molnar OUTLINE Introduction Methods Experiments Results Conclusion Introduction Fuzz testing is an effective Software
More informationLow level security. Andrew Ruef
Low level security Andrew Ruef What s going on Stuff is getting hacked all the time We re writing tons of software Often with little regard to reliability let alone security The regulatory environment
More informationCMSC 430 Introduction to Compilers. Fall Symbolic Execution
CMSC 430 Introduction to Compilers Fall 2015 Symbolic Execution Introduction Static analysis is great Lots of interesting ideas and tools Commercial companies sell, use static analysis It all looks good
More informationScalable Test Generation by Interleaving Concrete and Symbolic Execution
Scalable Test Generation by Interleaving Concrete and Symbolic Execution Xiaoke Qin and Prabhat Mishra Department of Computer and Information Science and Engineering University of Florida, Gainesville
More informationSymbolic Computation via Program Transformation
Symbolic Computation via Program Transformation Henrich Lauko, Petr Ročkai and Jiří Barnat Masaryk University Brno, Czech Republic Symbolic Computation Motivation verify programs with inputs from the environment
More informationSoftware Vulnerability
Software Vulnerability Refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the
More informationDynamic Test Generation to Find Bugs in Web Application
Dynamic Test Generation to Find Bugs in Web Application C.SathyaPriya 1 and S.Thiruvenkatasamy 2 1 Department of IT, Shree Venkateshwara Hi-Tech Engineering College, Gobi, Tamilnadu, India. 2 Department
More informationBounded Model Checking Of C Programs: CBMC Tool Overview
Workshop on Formal Verification and Analysis Tools, CFDVS, IIT-Bombay - Feb 21,2017 Bounded Model Checking Of C Programs: CBMC Tool Overview Prateek Saxena CBMC Developed and Maintained by Dr Daniel Kröning
More informationDynamic Software Model Checking
Dynamic Software Model Checking Patrice Godefroid Microsoft Research Page 1 September 2014 Ed Clarke: A man, An idea LASER 2011 summer school (Elba island, Italy) Page 2 September 2014 Ed Clarke: A man,
More informationProgram Testing via Symbolic Execution
Program Testing via Symbolic Execution Daniel Dunbar Program Testing via Symbolic Execution p. 1/26 Introduction Motivation Manual testing is difficult Program Testing via Symbolic Execution p. 2/26 Introduction
More informationIn this Lecture you will Learn: Testing in Software Development Process. What is Software Testing. Static Testing vs.
In this Lecture you will Learn: Testing in Software Development Process Examine the verification and validation activities in software development process stage by stage Introduce some basic concepts of
More informationIC-Cut: A Compositional Search Strategy for Dynamic Test Generation
IC-Cut: A Compositional Search Strategy for Dynamic Test Generation Maria Christakis 1 and Patrice Godefroid 2 1 Department of Computer Science ETH Zurich, Switzerland maria.christakis@inf.ethz.ch 2 Microsoft
More informationFailure Detection Algorithm for Testing Dynamic Web Applications
J. Vijaya Sagar Reddy & G. Ramesh Department of CSE, JNTUA College of Engineering, Anantapur, Andhra Pradesh, India E-mail: vsreddyj5@gmail.com, ramesh680@gmail.com Abstract - Web applications are the
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationSAT/SMT Solvers and Applications
SAT/SMT Solvers and Applications University of Waterloo Winter 2013 Today s Lecture Lessons learnt so far Implementation-related attacks (control-hazard, malware,...) Program analysis techniques can detect
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationTopics. Software Testing Test Driven Development Black Box Testing Unit Testing White Box Testing Coverage Testing Software Debugging
Supplemental Materials: Software esting CS2: Data Structures and Algorithms Colorado State University Chris Wilcox, Russ Wakefield, Wim Bohm, Dave Matthews opics Software esting est Driven Development
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationUsing Model Checking to Debug Device Firmware
To Appear in the Proceedings of 5th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2002). 1 Using Model Checking to Debug Device Firmware Sanjeev Kumar Department of Computer Science
More informationAutomated Unit Testing of Large Industrial Embedded Software using Concolic Testing
Automated Unit Testing of Large Industrial Embedded Software using Concolic Testing, Moonzoo Kim SW Testing & Verification Group KAIST, South Korea Youil Kim, Taeksu Kim, Gunwoo Lee, Yoonkyu Jang Samsung
More informationTackling the Path Explosion Problem in Symbolic Execution-driven Test Generation for Programs
2010 19th IEEE Asian Test Symposium Tackling the Path Explosion Problem in Symbolic Execution-driven Test Generation for Programs Saparya Krishnamoorthy, Michael S. Hsiao and Loganathan Lingappan Department
More informationMultiSE: Multi-path Symbolic Execution using Value Summaries
MultiSE: Multi-path Symbolic Execution using Value Summaries Koushik Sen, George Necula, Liang Gong, Wontae Choi EECS Department, University of California, Berkeley, USA { ksen, necula, gongliang13, wtchoi
More informationTesting & Symbolic Execution
Testing & Symbolic Execution Software Testing The most common way of measuring & ensuring correctness Input 2 Software Testing The most common way of measuring & ensuring correctness Input Observed Behavior
More informationECE 587 Hardware/Software Co-Design Lecture 11 Verification I
ECE 587 Hardware/Software Co-Design Spring 2018 1/23 ECE 587 Hardware/Software Co-Design Lecture 11 Verification I Professor Jia Wang Department of Electrical and Computer Engineering Illinois Institute
More informationCrash Course in Applied PL
Crash Course in Applied PL (with applications to Networks) Software Reliability Lab Department of Computer Science ETH Zurich Overview of Applied PL techniques Static Analysis Program Synthesis ibgp, OSPF,
More informationFrom Symbolic Execution to Concolic Testing. Daniel Paqué
From Symbolic Execution to Concolic Testing Daniel Paqué Structure Symbolic Execution Concolic Testing Execution Generated Testing Concurrency in Concolic Testing 2 Motivation Software Testing usually
More informationCS 510/13. Predicate Abstraction
CS 50/3 Predicate Abstraction Predicate Abstraction Extract a finite state model from an infinite state system Used to prove assertions or safety properties Successfully applied for verification of C programs
More informationSecurity Testing. Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)
Security Testing TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular
More informationA survey of new trends in symbolic execution for software testing and analysis
Int J Softw Tools Technol Transfer (2009) 11:339 353 DOI 10.1007/s10009-009-0118-1 REGULAR PAPER A survey of new trends in symbolic execution for software testing and analysis Corina S. Păsăreanu Willem
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationSoftware Testing CS 408. Lecture 11: Review 2/20/18
Software Testing CS 408 Lecture 11: Review 2/20/18 Lecture 1: Basics 2 Two Views Verification: Prove the absence, and conjecture the presence, of bugs Ex: types: Not all ill-typed programs are wrong But,
More informationCrema. Research Briefing. Jacob Torrey & Mark Bridgman May 21, 2015
Crema Research Briefing Jacob Torrey & Mark Bridgman May 21, 2015 The views, opinions, and/or findings contained in this presentation are those of the authors and should not be interpreted as representing
More informationTesting: Coverage and Structural Coverage
Testing: Coverage and Structural Coverage Testing, Quality Assurance, and Maintenance Winter 2017 Prof. Arie Gurfinkel based on slides by Prof. Marsha Chechik and Prof. Lin Tan How would you test this
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationProgramming Embedded Systems
Programming Embedded Systems Lecture 8 Overview of software testing Wednesday Feb 8, 2012 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/53 Lecture outline Testing in general Unit testing
More informationProgram Verification! Goals of this Lecture! Words from the Wise! Testing!
Words from the Wise Testing On two occasions I have been asked [by members of Parliament], Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out? I am not able rightly
More informationAutomated Whitebox Fuzz Testing
Automated Whitebox Fuzz Testing ( Research Patrice Godefroid (Microsoft Michael Y. Levin (Microsoft Center for ( Excellence Software David Molnar (UC Berkeley & MSR) Fuzz Testing Send random data to application
More informationFunctional verification on PIL mode with IAR Embedded Workbench
by Cristina Marconcini, STM CASE s.r.l. Functional verification on PIL mode with IAR Embedded Workbench The increase of complexity of embedded system components combined with time-to-market constraints
More informationTesting. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus
Testing Prof. Clarkson Fall 2017 Today s music: Wrecking Ball by Miley Cyrus Review Previously in 3110: Modules Specification (functions, modules) Today: Validation Testing Black box Glass box Randomized
More informationINF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen
INF672 Protocol Safety and Verication Karthik Bhargavan Xavier Rival Thomas Clausen 1 Course Outline Lecture 1 [Today, Sep 15] Introduction, Motivating Examples Lectures 2-4 [Sep 22,29, Oct 6] Network
More informationSliced Path Prefixes: An Effective Method to Enable Refinement Selection
FORTE '15 Sliced Path Prefixes: An Effective Method to Enable Refinement Selection Dirk Beyer, Stefan Löwe, Philipp Wendler SoSy-Lab Software Systems We want Refinement Selection!!! Because straight-forward
More informationCYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution
CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution Instructor: Dr. Kun Sun Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features
More informationSoftware has bugs. Static analysis 4/9/18. CYSE 411/AIT681 Secure Software Engineering. To find them, we use testing and code reviews
CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution Instructor: Dr. Kun Sun Software has bugs To find them, we use testing and code reviews But some bugs are still missed Rare features
More informationSoftware Testing CS 408
Software Testing CS 408 1/09/18 Course Webpage: http://www.cs.purdue.edu/homes/suresh/408-spring2018 1 The Course Understand testing in the context of an Agile software development methodology - Detail
More informationDouble Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST
Model Checking #1 Double Header Two Lectures Model Checking Software Model Checking SLAM and BLAST Flying Boxes It is traditional to describe this stuff (especially SLAM and BLAST) with high-gloss animation
More informationFoundations: Syntax, Semantics, and Graphs
Foundations: Syntax, Semantics, and Graphs Testing, Quality Assurance, and Maintenance Winter 2018 Prof. Arie Gurfinkel based on slides by Ruzica Pizkac, Claire Le Goues, Lin Tan, Marsha Chechik, and others
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationProgram Analysis Tools
CMPT 473 Software Quality Assurance Program Analysis Tools Nick Sumner Fixing bugs is costly Why? 2 Fixing bugs is costly The longer broken code exists, the more code depends upon it. 3 Fixing bugs is
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationRegression testing. Whenever you find a bug. Why is this a good idea?
Regression testing Whenever you find a bug Reproduce it (before you fix it!) Store input that elicited that bug Store correct output Put into test suite Then, fix it and verify the fix Why is this a good
More informationMicrosoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis
Microsoft SAGE and LLVM KLEE Julian Cohen HockeyInJune@isis.poly.edu Manual and Automatic Program Analysis KLEE KLEE [OSDI 2008, Best Paper Award] Based on symbolic execution and constraint solving techniques
More informationCS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol
CS5232 Formal Specification and Design Techniques Using PAT to verify the Needham-Schroeder Public Key Protocol Semester 2, AY 2008/2009 1/37 Table of Contents 1. Project Introduction 3 2. Building the
More informationTesting! The material for this lecture is drawn, in part, from! The Practice of Programming (Kernighan & Pike) Chapter 6!
Testing The material for this lecture is drawn, in part, from The Practice of Programming (Kernighan & Pike) Chapter 6 1 Words from the Wise On two occasions I have been asked [by members of Parliament],
More informationarxiv:cs/ v1 [cs.lo] 22 Jun 2005
The One Page Model Checker arxiv:cs/0506084v1 [cs.lo] 22 Jun 2005 Jason E. Holt isrl@lunkwill.org June 5, 2017 Abstract We show how standard IPC mechanisms can be used with the fork() system call to perform
More information18-642: Unit Testing 1/31/ Philip Koopman
18-642: Unit Testing 1/31/2018 2017-2018 Philip Koopman YOU ARE HERE Product Requirements SPECIFY PRODUCT SPECIFY SOFTWARE Software Requirements TRACEABILITY & VALIDATION Test Plan & Test Results Test
More informationFast dynamic program analysis Race detection. Konstantin Serebryany May
Fast dynamic program analysis Race detection Konstantin Serebryany May 20 2011 Agenda Dynamic program analysis Race detection: theory ThreadSanitizer: race detector Making ThreadSanitizer
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Unit Testing Emina Torlak emina@cs.washington.edu Outline Software quality control Effective unit testing Coverage
More information