DART: Directed Automated Random Testing

Similar documents
DART: Directed Automated Random Testing. CUTE: Concolic Unit Testing Engine. Slide Source: Koushik Sen from Berkeley

CUTE: A Concolic Unit Testing Engine for C

DART: Directed Automated Random Testing

Symbolic Execution, Dynamic Analysis

Emblematic Execution for Software Testing based on DART AND CUTE

Dynamic Software Model Checking

Automated Whitebox Fuzz Testing

n HW7 due in about ten days n HW8 will be optional n No CLASS or office hours on Tuesday n I will catch up on grading next week!

Environment Modeling for Automated Testing of Cloud Applications

Automated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar

Symbolic Execution for Bug Detection and Automated Exploit Generation

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Combining Model Checking and Testing

Profile-Guided Program Simplification for Effective Testing and Analysis

Software Model Checking

Static Analysis and Bugfinding

Analysis/Bug-finding/Verification for Security

Lecture 15 Software Testing

Symbolic and Concolic Execution of Programs

Software Testing CS 408. Lecture 6: Dynamic Symbolic Execution and Concolic Testing 1/30/18

Model Checking Software with

Automated Testing of Cloud Applications

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

From Symbolic Execution to Concolic Testing. Daniel Paqué

CSE 565 Computer Security Fall 2018

Christoph Csallner, University of Texas at Arlington (UTA)

Automatic Software Verification

IC-Cut: A Compositional Search Strategy for Dynamic Test Generation

CSE409, Rob Johnson, Alin Tomescu, November 11 th, 2011 Buffer overflow defenses

KLEE: Effective Testing of Systems Programs Cristian Cadar

Automated Software Testing

Static program checking and verification

LATEST : Lazy Dynamic Test Input Generation

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Automated Software Testing in the Absence of Specifications

CMPSC 497: Static Analysis

Clang Static Analyzer Documentation

Symbolic Execution. Wei Le April

Symbolic Execution. Joe Hendrix Galois, Inc SMT Summer School galois

CYSE 411/AIT681 Secure Software Engineering Topic #17: Symbolic Execution

Software has bugs. Static analysis 4/9/18. CYSE 411/AIT681 Secure Software Engineering. To find them, we use testing and code reviews

Improving Program Testing and Understanding via Symbolic Execution

Testing & Symbolic Execution

Automated Test-Input Generation

Timing Analysis of Event-Driven Programs with Directed Testing

Dynamic Symbolic Database Application Testing

An Eclipse Plug-in for Model Checking

Directed Random Testing*

Bounded Model Checking Of C Programs: CBMC Tool Overview

Formal Methods for Assuring Security of Computer Networks

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Program Analysis. Program Analysis

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Finding User/Kernel Pointer Bugs with Type Inference p.1

CUTE: A Concolic Unit Testing Engine for C

Anders Fröberg TDDD80 STORAGE AND TESTING

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Software Vulnerability

18-642: Unit Testing 1/31/ Philip Koopman

Motivation. What s the Problem? What Will we be Talking About? What s the Solution? What s the Problem?

CS 520 Theory and Practice of Software Engineering Fall 2018

ICSE MET 17 Keynote. Metamorphic Testing: Beyond Testing Numerical Computations

Microsoft SAGE and LLVM KLEE. Julian Cohen Manual and Automatic Program Analysis

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Part 5. Verification and Validation

Secure Software Development: Theory and Practice

Symbolic Execu.on. Suman Jana

Debugging as a Science, that too, when your Program is Changing

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Applications of Logic in Software Engineering. CS402, Spring 2016 Shin Yoo

Dynamic Test Generation to Find Bugs in Web Application

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing

Software Testing CS 408. Lecture 11: Review 2/20/18

Testing, Fuzzing, & Symbolic Execution

Three Important Testing Questions

Automatic Generation of Program Specifications

Scaling CQUAL to millions of lines of code and millions of users p.1

Bouncer: Securing Software by Blocking Bad Input

Test Automation. 20 December 2017

CMSC 330: Organization of Programming Languages. OCaml Imperative Programming

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Testing and Debugging C Programming and Software Tools. N.C. State Department of Computer Science

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Unit Testing. Emina Torlak

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

MEMORY MANAGEMENT TEST-CASE GENERATION OF C PROGRAMS USING BOUNDED MODEL CHECKING

Chapter 8 Software Testing. Chapter 8 Software testing

Active Testing for Concurrent Programs

Language Security. Lecture 40

Concolic Testing of Sequential and Concurrent Programs

Software security, secure programming

Software Testing CS 408. Lecture 10: Compiler Testing 2/15/18

Who is our rival? Upcoming. Testing. Ariane 5 rocket (1996) Ariane 5 rocket 3/8/18. Real programmers need no testing!

Security Testing. John Slankas

A Smart Fuzzer for x86 Executables

CS159. Nathan Sprague. September 30, 2015

Testing Objectives. Successful testing: discovers previously unknown errors

Bullseye: A System for Targeted Test Generation

Research on Fuzz Testing Framework based on Concolic Execution

F-Soft: Software Verification Platform

Heuristics-based Parameter Generation for Java Methods

Transcription:

DART: Directed Automated Random Testing Patrice Godefroid Nils Klarlund Koushik Sen Bell Labs Bell Labs UIUC Presented by Wei Fang January 22, 2015 PLDI 2005 Page 1 June 2005

Motivation Software testing: usually accounts for 50% of software development cost Software failures cost $60 billion annually in the US alone [Source: The economic impacts of inadequate infrastructure for software testing, NIST, May 2002] Unit testing: applies to individual software components Goal: white-box testing for corner cases, 100% code coverage Unit testing is usually done by developers (not testers) Problem: in practice, unit testing is rarely done properly Testing in isolation with manually-written test harness/driver code is too expensive, testing infrastructure for system testing is inadequate Developers are busy, ( black-box ) testing will be done later by testers Bottom-line: many bugs that should have been caught during unit testing remain undetected until field deployment (corner cases where severe reliability bugs hide) Idea: help automate unit testing by eliminating/reducing the need for writing manually test driver and harness code! DART PLDI 2005 Page 2 June 2005

DART: Directed Automated Random Testing 1. Automated extraction of program interface from source code 2. Generation of test driver for random testing through the interface 3. Dynamic test generation to direct executions along alternative program paths Together: (1)+(2)+(3) = DART DART can detect program crashes and assertion violations. Any program that compiles can be run and tested this way: No need to write any test driver or harness code! (Pre- and post-conditions can be added to generated test-driver) PLDI 2005 Page 3 June 2005

Example (C code) int double(int x) { return 2 * x; (1) Interface extraction: parameters of toplevel function external variables return values of external functions void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) (2) Generation of test driver for random testing: main(){ int tmp1 = randomint(); int tmp2 = randomint(); test_me(tmp1,tmp2); Closed (self-executable) program that can be run Problem: probability of reaching abort() is extremely low! PLDI 2005 Page 4 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); x = 36, y = 99 create symbolic variables x, y if (z==y) { if (y == x+10) PLDI 2005 Page 5 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); if (z==y) { x = 36, y = 99, z = 72 create symbolic variables x, y z = 2 * x if (y == x+10) PLDI 2005 Page 6 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; Solve: 2 * x == y Solution: x = 1, y = 2 void test_me(int x, int y) { int z = double(x); if (z==y) { create symbolic variables x, y 2 * x!= y if (y == x+10) x = 36, y = 99, z = 72 z = 2 * x PLDI 2005 Page 7 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); x = 1, y = 2 create symbolic variables x, y if (z==y) { if (y == x+10) PLDI 2005 Page 8 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); if (z==y) { x = 1, y = 2, z = 2 create symbolic variables x, y z = 2 * x if (y == x+10) PLDI 2005 Page 9 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); create symbolic variables x, y if (z==y) { if (y == x+10) x = 1, y = 2, z = 2 z = 2 * x 2 * x == y PLDI 2005 Page 10 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; Solve: (2 * x == y) ^ (y == x +10) Solution: x = 10, y = 20 void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10) create symbolic variables x, y 2 * x == y y!= x + 10 x = 1, y = 2, z = 2 z = 2 * x PLDI 2005 Page 11 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); x = 10, y = 20 create symbolic variables x, y if (z==y) { if (y!= x+10) PLDI 2005 Page 12 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); if (z==y) { x = 10, y = 20, z = 20 create symbolic variables x, y z = 2 * x if (y == x+10) PLDI 2005 Page 13 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); create symbolic variables x, y if (z==y) { if (y == x+10) x = 10, y = 20, z = 20 z = 2 * x 2 * x == y PLDI 2005 Page 14 June 2005

DART Step (3): Directed Search main(){ int t1 = randomint(); Concrete Symbolic Path Constraint int t2 = randomint(); test_me(t1,t2); Program Error int double(int x) {return 2 * x; void test_me(int x, int y) { int z = double(x); create symbolic variables x, y if (z==y) { 2 * x == y if (y == x+10) x = 10, y = 20, z = 20 z = 2 * x y == x +10 PLDI 2005 Page 15 June 2005

Directed Search: Summary Dynamic test generation to direct executions along alternative program paths collect symbolic constraints at branch points (whenever possible) negate one constraint at a branch point to take other branch (say b) call constraint solver with new path constraint to generate new test inputs next execution driven by these new test inputs to take alternative branch b check with dynamic instrumentation that branch b is indeed taken Repeat this process until all execution paths are covered May never terminate! Significantly improves code coverage vs. pure random testing PLDI 2005 Page 16 June 2005

Novelty: Simultaneous Concrete & Symbolic s void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck? PLDI 2005 Page 17 June 2005

Novelty: Simultaneous Concrete & Symbolic s void foo(int x,int y){ int z = x*x*x; /* could be z = h(x) */ if (z == y) { Assume we can reason about linear constraints only Initially x = 3 and y = 7 (randomly generated) Replace symbolic expression by concrete value when symbolic expression becomes unmanageable (e.g. non-linear) Concrete z = 27, but symbolic z = x*x*x Cannot handle symbolic value of z! Stuck? NO! Use concrete value z = 27 and proceed Take else branch with constraint 27!= y NOTE: whenever symbolic execution is stuck, static analysis becomes imprecise! Solve 27 = y to take then branch Execute next run with x = 3 and y = 27 PLDI 2005 Page 18 June 2005

Comparison with Static Analysis 1 foobar(int x, int y){ 2 if (x*x*x > 0){ 3 if (x>0 && y==10){ 4 5 6 else { 7 if (x>0 && y==20){ 8 Symbolic execution is stuck at line 2 Static analysis tools will conclude that both aborts may be reachable Sound tools will report both, and thus one false alarm Unsound tools will report no bug found, and miss a bug Static-analysis-based test generation techniques are also helpless here 9 10 11 In contrast, DART finds the only error (line 4) with high probability Unlike static analysis, all bugs reported by DART are guaranteed to be sound PLDI 2005 Page 19 June 2005

Other Advantages of Dynamic Analysis 1 struct foo { int i; char c; 2 3 bar (struct foo *a) { 4 if (a->c == 0) { 5 *((char *)a + sizeof(int)) = 1; 6 if (a->c!= 0) { 7 abort(); 8 9 10 Dealing with dynamic data is easier with concrete executions Due to limitations of alias analysis, static analysis tools cannot determine whether a->c has been rewritten the abort may be reachable In contrast, DART finds the error easily (by solving the linear constraint a->c == 0) In summary, all bugs reported by DART are guaranteed to be sound! But DART may not terminate PLDI 2005 Page 20 June 2005

DART for C: Implementation Details prgm.c CIL (Berkeley) dart (OCaml, C) test_driver.c prgm_instrumented.c dart.c C compiler prgm.exe Constraint solver(s) (e.g., lp_solve.so) 3 possible outcomes: Error found Complete coverage Run forever PLDI 2005 Page 21 June 2005

Experiments: NS Authentication Protocol Tested a C implementation of a security protocol (Needham-Schroeder) with a known attack About 400 lines of C code; experiments on a Linux 800Mz P-III machine DART takes less than 2 seconds (664 runs) to discover a (partial) attack, with an unconstrained (possibilistic) intruder model DART takes 18 minutes (328,459 runs) to discover a (full) attack, with a realistic (Dolev-Yao) intruder model DART found a new bug in this C implementation of Lowe s fix to the NS protocol (after 22 minutes of search; bug confirmed by the code s author) In contrast, a systematic state-space search of this program composed with a concurrent nondeterministic intruder model using VeriSoft (a sw model checker) does not find the attack PLDI 2005 Page 22 June 2005

A Larger Application: osip Open Source SIP library (Session Initiation Protocol) 30,000 lines of C code (version 2.0.9), 600 externally visible functions Results: Attack: send a packet of size 2.5 MB (cygwin) with no 0 or character DART crashed 65% of the externally visible functions within 1000 runs Most of these due to missing(?) NULL-checks for pointers Analysis of results for osip parser revealed a simple attack to crash it! osip version 2.0.9 (August 2004) Int osip_message_parse (osip_message_t * sip, const char *buf) { [ ] char *tmp; tmp = alloca (strlen (buf) + 2); osip_strncpy (tmp, buf, strlen (buf)); osip_util_replace_all_lws (tmp); [ etc. ] alloca fails and returns NULL crash! osip version 2.2.0 (December 2004) Int osip_message_parse (osip_message_t * sip, const char *buf, size_t length) PLDI 2005 Page 23 June 2005 { [ ] char *tmp; tmp = osip_malloc (length + 2); if (tmp==null) { [ print error msg and return 1; ] osip_strncpy (tmp, buf, length); osip_util_replace_all_lws (tmp); [ etc. ]

Related Work Static analysis and automatic test generation based on static analysis: limited by symbolic execution technology (see above) Random testing (fuzz tools, etc.): poor coverage Dynamic test generation (Korel, Gupta-Mathur-Soffa, etc.) Attempt to exercise a specific program DART attempts to cover all executable program paths instead (like MC) Also, DART handles function calls, unknown functions, exploits simultaneous concrete and symbolic executions, is sometimes complete (verification) and has run-time checks to detect incompleteness DART is implemented for C and has been applied to large examples New: extension to deal with symbolic pointers [Sen et al., to appear in FSE 05] New: independent closely related work [Cadar-Engler, to appear in SPIN 05] PLDI 2005 Page 24 June 2005

Conclusion DART = Directed Automated Random Testing Key strength/originality: No manually-generated test driver required (fully automated) As automated as static analysis but with higher precision Starting point for testing process No false alarms but may not terminate Smarter than pure random testing (with directed search) Can work around limitations of symbolic execution technology Symbolic execution is an adjunct to concrete execution Randomization helps where automated reasoning is difficult Overall, complementary to static analysis PLDI 2005 Page 25 June 2005

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback