applications of smt to
play

Applications of SMT to Test Generation Patrice Godefroid Microsoft - PowerPoint PPT Presentation

Feb 28, 2024 •239 likes •876 views

Applications of SMT to Test Generation Patrice Godefroid Microsoft Research SAT/SMT Summer School 2012 Page 1 June 2012 Test Generation is Big Business #1 application for SMT solvers today (CPU usage) SAGE @ Microsoft: 1 st

  1. Applications of SMT to Test Generation Patrice Godefroid Microsoft Research SAT/SMT Summer School 2012 Page 1 June 2012

  2. Test Generation is Big Business • #1 application for SMT solvers today (CPU usage) • SAGE @ Microsoft: – 1 st whitebox fuzzer for security testing – 400+ machine years (since 2008)  – 3.4+ Billion constraints – 100s of apps, 100s of security bugs – Example: Win7 file fuzzing How fuzzing bugs were found ~1/3 of all fuzzing bugs found by SAGE  (Win7, 2006-2009) : (missed by everything else…) – Bug fixes shipped (quietly) to 1 Billion+ PCs – Millions of dollars saved • for Microsoft + time/energy for the world Blackbox SAGE All Others Fuzzing + Regression SAT/SMT Summer School 2012 Page 2 June 2012

  3. Agenda 1. Why Test Generation? 2. What kind of SMT constraints ? 3. New: test generation from validity proofs Disclaimer: here, focus on test generation for software using SMT (not hardware using SAT) SAT/SMT Summer School 2012 Page 3 June 2012

  4. Part 1: Why Test Generation ? Whitebox Fuzzing for Security Testing (The Killer App) SAT/SMT Summer School 2012 Page 4 June 2012

  5. Security is Critical (to Microsoft) • Software security bugs can be very expensive: – Cost of each Microsoft Security Bulletin: $Millions – Cost due to worms (Slammer, CodeRed, Blaster, etc.): $Billions • Many security exploits are initiated via files or packets – Ex: MS Windows includes parsers for hundreds of file formats • Security testing: “hunting for million - dollar bugs” – Write A/V (always exploitable), Read A/V (sometimes exploitable), NULL-pointer dereference, division-by-zero (harder to exploit but still DOS attacks), etc. SAT/SMT Summer School 2012 Page 5 June 2012

  6. I am from Belgium too! Hunting for Security Bugs • Main techniques used by “black hats”: – Code inspection (of binaries) and – Blackbox fuzz testing • Blackbox fuzz testing: – A form of blackbox random testing [Miller+90] – Randomly fuzz (=modify) a well-formed input – Grammar-based fuzzing : rules that encode “well - formed”ness + heuristics about how to fuzz (e.g., using probabilistic weights) • Heavily used in security testing – Simple yet effective: many bugs found this way … – At Microsoft, fuzzing is mandated by the SDL  SAT/SMT Summer School 2012 Page 6 June 2012

  7. Introducing Whitebox Fuzzing • Idea: mix fuzz testing with dynamic test generation – Dynamic symbolic execution – Collect constraints on inputs – Negate those, solve with constraint solver, generate new inputs –  do “systematic dynamic test generation” (= DART) • Whitebox Fuzzing = “DART meets Fuzz” Two Parts: 1. Foundation: DART (Directed Automated Random Testing) 2. Key extensions (“ Whitebox Fuzzing”), implemented in SAGE SAT/SMT Summer School 2012 Page 7 June 2012

  8. Automatic Code-Driven Test Generation Problem: Given a sequential program with a set of input parameters, generate a set of inputs that maximizes code coverage = “automate test generation using program analysis” This is not “model - based testing” (= generate tests from an FSM spec) SAT/SMT Summer School 2012 Page 8 June 2012

  9. How? (1) Static Test Generation • Static analysis to partition the program’s input space [King76,…] • Ineffective whenever symbolic reasoning is not possible – which is frequent in practice… (pointer manipulations, complex arithmetic, calls to complex OS or library functions, etc.) Example: Can’t statically generate int obscure(int x, int y) { values for x and y if (x==hash(y)) error(); that satisfy “x==hash(y)” ! return 0; } SAT/SMT Summer School 2012 Page 9 June 2012

  10. How? (2) Dynamic Test Generation • Run the program (starting with some random inputs), gather constraints on inputs at conditional statements, use a constraint solver to generate new test inputs • Repeat until a specific program statement is reached [Korel90,…] • Or repeat to try to cover ALL feasible program paths: DART = Directed Automated Random Testing = systematic dynamic test generation [PLDI’05,…] – detect crashes, assertion violations, use runtime checkers (Purify,…) SAT/SMT Summer School 2012 Page 10 June 2012

  11. DART = Directed Automated Random Testing Example: - start with (random) x=33, y=42 Run 1 : - execute concretely and symbolically: int obscure(int x, int y) { if (33 != 567) | if (x != hash(y)) constraint too complex if (x==hash(y)) error();  simplify it: x != 567 return 0; - solve: x==567  solution: x=567 } - new test input: x=567, y=42 Run 2 : the other branch is executed All program paths are now covered ! • Observations: – Dynamic test generation extends static test generation with additional runtime information: it is more powerful – see [DART in PLDI’05], [PLDI’11] – The number of program paths can be infinite: may not terminate! – Still, DART works well for small programs (1,000s LOC) – Significantly improves code coverage vs. random testing SAT/SMT Summer School 2012 Page 11 June 2012

  12. DART Implementations • Defined by symbolic execution, constraint generation and solving – Languages: C, Java, x86, .NET,… – Theories: linear arith., bit-vectors, arrays, uninterpreted functions,… – Solvers: lp_solve, CVCLite, STP, Disolver , Z3,… • Examples of tools/systems implementing DART: – EXE/EGT (Stanford): independent [’05 - ’06] closely related work – CUTE = same as first DART implementation done at Bell Labs – SAGE (CSE/MSR) for x86 binaries and merges it with “fuzz” testing for finding security bugs (more later) – PEX (MSR) for .NET binaries in conjunction with “parameterized - unit tests” for unit testing of .NET programs – YOGI (MSR) for checking the feasibility of program paths generated statically using a SLAM-like tool – Vigilante (MSR) for generating worm filters – BitScope (CMU/Berkeley) for malware analysis – CatchConv (Berkeley) focus on integer overflows – Splat (UCLA) focus on fast detection of buffer overflows – Apollo (MIT/IBM) for testing web applications … and more! SAT/SMT Summer School 2012 Page 12 June 2012

  13. Whitebox Fuzzing [NDSS’08] • Whitebox Fuzzing = “DART meets Fuzz” • Apply DART to large applications (not unit) • Start with a well-formed input (not random) • Combine with a generational search (not DFS) – Negate 1-by-1 each constraint in a path constraint – Generate many children for each parent run – Challenge all the layers of the application sooner Gen 1 – Leverage expensive symbolic execution parent • Search spaces are huge, the search is partial … yet effective at finding bugs ! SAT/SMT Summer School 2012 Page 13 June 2012

  14. Example void top(char input[4]) input = “good” { Path constraint: int cnt = 0; bood I 0 !=‘b’  I 0 =‘b’ if (input[0] == ‘b’) cnt++; I 1 !=‘a’  I 1 =‘a’ gaod if (input[1] == ‘a’) cnt++;  I 2 =‘d’ I 2 !=‘d’ if (input[2] == ‘d’) cnt++; godd  I 3 =‘!’ if (input[3] == ‘!’) cnt++; I 3 !=‘!’ goo! SMT if (cnt >= 4) crash(); good solver  SAT Gen 1 } Negate each constraint in path constraint Solve new constraint  new input SAT/SMT Summer School 2012 Page 14 June 2012

  15. The Search Space If symbolic execution is perfect void top(char input[4]) and search space is small, { int cnt = 0; this is verification ! if (input[0] == ‘b’) cnt++; if (input[1] == ‘a’) cnt++; if (input[2] == ‘d’) cnt++; if (input[3] == ‘!’) cnt++; if (cnt >= 4) crash(); } SAT/SMT Summer School 2012 Page 15 June 2012

  16. SAGE (Scalable Automated Guided Execution) • Generational search introduced in SAGE • Performs symbolic execution of x86 execution traces – Builds on Nirvana, iDNA and TruScan for x86 analysis – Don’t care about language or build process – Easy to test new applications, no interference possible • Can analyse any file-reading Windows applications • Several optimizations to handle huge execution traces – Constraint caching and common subexpression elimination – Unrelated constraint optimization – Constraint subsumption for constraints from input-bound loops – “Flip - count” limit (to prevent endless loop expansions) SAT/SMT Summer School 2012 Page 16 June 2012

  17. SAGE Architecture Coverage Constraints Input0 Data Check for Code Generate Solve Crashes Coverage Constraints Constraints (AppVerifier) (Nirvana) (TruScan) (Z3) Input1 Input2 … InputN MSR algorithms SAGE was mostly developed by CSE & code inside (2006-2008) (2006-2012) SAT/SMT Summer School 2012 Page 17 June 2012

  18. Some Experiments Most much (100x) bigger than ever tried before! • Seven applications – 10 hours search each App Tested #Tests Mean Depth Mean #Instr. Mean Input Size ANI 11468 178 2,066,087 5,400 Media1 6890 73 3,409,376 65,536 Media2 1045 1100 271,432,489 27,335 Media3 2266 608 54,644,652 30,833 Media4 909 883 133,685,240 22,209 Compressed 1527 65 480,435 634 File Format OfficeApp 3008 6502 923,731,248 45,064 SAT/SMT Summer School 2012 Page 18 June 2012

  19. Generational Search Leverages Symbolic Execution • Each symbolic execution is expensive 30 25 20 15 X1,000 10 25m30s 5 0 SymbolicExecutor TestTask • Yet, symbolic execution does not dominate search time SymbolicExecutor Testing/Tracing/Coverage 10 hours SAT/SMT Summer School 2012 Page 19 June 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

OpenStack Workload Reference Architecture: Web Applications Web applications are the most

OpenStack Workload Reference Architecture: Web Applications Web applications are the most

OpenStack Workload Reference Architecture: Web Applications Web applications are the most prevalent Apache, MySQL, and PHP/Python/Perl and is applications in business today. They are driven considered by many as the platform of choice by user

106 views • 9 slides
Applications of AMS There is a rich field of applications for AMS due to the increased efficiency

Applications of AMS There is a rich field of applications for AMS due to the increased efficiency

Applications of AMS There is a rich field of applications for AMS due to the increased efficiency and accuracy of radiocarbon dating. It ranges from geology, hydrology, oceanology, climatology, and a wide range of environmental applications

338 views • 29 slides
New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications

Canon New Directions for Web Applications Dave Raggett, Canon, TV Raman, IBM 1/11 Web Applications Workshop, San Jose, June 2004 Canon Goals Break Web applications out of the browser! Freedom to build wider variety of applications

612 views • 18 slides
Multimedia Applications Multimedia Applications Srinidhi Varadarajan Multimedia Applications

Multimedia Applications Multimedia Applications Srinidhi Varadarajan Multimedia Applications

Multimedia Applications Multimedia Applications Srinidhi Varadarajan Multimedia Applications Multimedia Applications Multimedia requirements Streaming Phone over IP Recovering from Jitter and Loss RTP Diff-serv, Int-serv,

483 views • 27 slides
Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network applications involve the cooperation Client Server Programming Client Server Programming of processes running on different hosts connected by a

323 views • 7 slides
Web applications are used extensively in many areas: We will rely on web applications more in

Web applications are used extensively in many areas: We will rely on web applications more in

Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech Web applications are used extensively in many areas: We will rely on web applications more in

872 views • 47 slides
Topic 10: Applications of Holography Aim: To review a range of applications of holography,

Topic 10: Applications of Holography Aim: To review a range of applications of holography,

E I H T Y T Modern Optics O H F G R E U D B I N Topic 10: Applications of Holography Aim: To review a range of applications of holography, including holo- graphic lenses and commercial holographic applications. Contents:

298 views • 14 slides
MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D TODAYS AGENDA Top 20 Applications on my Iphone Additional assorted applications you may find useful Format: Combination of screen

859 views • 56 slides
Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer

Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer

Applications of Immune System Computing Ricardo Hoar What kind of applications? l Computer Security l Pattern Recognition l Data Mining and Retrieval l Multi-Agent Systems l Design Optimization l Control Applications l Robotics l A

414 views • 28 slides
BFS/DFS Applications BFS and DFS applications Tyler Moore Shortest path between two nodes in a

BFS/DFS Applications BFS and DFS applications Tyler Moore Shortest path between two nodes in a

BFS/DFS Applications BFS and DFS applications Tyler Moore Shortest path between two nodes in a graph CSE 3353, SMU, Dallas, TX Topological sorting Lecture 7 Finding connected components Some slides created by or adapted from Dr. Kevin Wayne.

366 views • 7 slides
New Applications for Graphene Electronics New Applications for Graphene Electronics Han Wang,

New Applications for Graphene Electronics New Applications for Graphene Electronics Han Wang,

New Applications for Graphene Electronics New Applications for Graphene Electronics Han Wang, Daniel Nezich, Jing Kong and Tomas Palacios Department of Electrical Engineering and Computer Science Massachusetts Institute of Technology

421 views • 10 slides
Chapter 2: outline 2.5 P2P applications 2.1 principles of network applications 2.6 video

Chapter 2: outline 2.5 P2P applications 2.1 principles of network applications 2.6 video

Chapter 2: outline 2.5 P2P applications 2.1 principles of network applications 2.6 video streaming and content distribution 2.2 Web and HTTP networks 2.3 electronic mail 2.7 socket programming SMTP, POP3, IMAP with UDP and TCP 2.4 DNS

648 views • 53 slides
Applets and Applications Developing Applets and Applications Application run by user,

Applets and Applications Developing Applets and Applications Application run by user,

Applets and Applications Developing Applets and Applications Application run by user, double-clickable/command-line Create a JPanel with the guts of the GUI/logic No restrictions on access, reads files, URLS, What will be in the

256 views • 6 slides
New Real-time Applications PhD Peter Idestam-Almquist Starcounter AB New real time applications

New Real-time Applications PhD Peter Idestam-Almquist Starcounter AB New real time applications

NewSQL Database for New Real-time Applications PhD Peter Idestam-Almquist Starcounter AB New real time applications Millions of simultaneous online users. High degree of concurrency. Interactive applications (95% reads; 5% writes). 2

700 views • 38 slides
Com paring W eb Applications w ith Desktop Applications: An Em pirical Study Paul Pop

Com paring W eb Applications w ith Desktop Applications: An Em pirical Study Paul Pop

Com paring W eb Applications w ith Desktop Applications: An Em pirical Study Paul Pop paupo@ida.liu.se Department of Computer and Information Science Linkping University Sweden 1 of 13 May 26, 20 0 0 Motivation and Objective Draw

519 views • 13 slides
Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network

Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network

Maximum Flow Applications Contents Maximum Flow Applications Max flow extensions and applications. Disjoint paths and network connectivity. Bipartite matchings. Circulations with upper and lower bounds. Census tabulation (matrix

492 views • 20 slides
Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch,

Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch,

Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens) 600.647 Advanced Topics in Wireless Networks Wireless Infrastructure Access Few pure wireless peer

526 views • 34 slides
Ruby Prof. Tom Austin San Jos State University Project, Part 3 Introduction to Ruby Created

Ruby Prof. Tom Austin San Jos State University Project, Part 3 Introduction to Ruby Created

CS 152: Programming Language Paradigms Ruby Prof. Tom Austin San Jos State University Project, Part 3 Introduction to Ruby Created by Yukihiro Matsumoto (known as "Matz") Ruby influences Smalltalk everything is an object

543 views • 25 slides
Dont touch that! Why Edge IT is not Cloud IT Open Infrastructure Summit, Spring 2019 @zehicle

Dont touch that! Why Edge IT is not Cloud IT Open Infrastructure Summit, Spring 2019 @zehicle

Dont touch that! Why Edge IT is not Cloud IT Open Infrastructure Summit, Spring 2019 @zehicle @mthiele10 Edge is about integration & AUtomation Like cloud, but also difgerent... @zehicle @mthiele10 it is physically distributed,

682 views • 22 slides
The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th , 2012 Project-X: Evolution of the existing Fermilab accelerator complex with the revolution in Super-Conducting RF Technology. any

587 views • 32 slides
Spreadsheets 1 References and Formulas Lecture 11 COMPSCI111/111G SS 2019 Todays

Spreadsheets 1 References and Formulas Lecture 11 COMPSCI111/111G SS 2019 Todays

Spreadsheets 1 References and Formulas Lecture 11 COMPSCI111/111G SS 2019 Todays lecture History of spreadsheet applications How a spreadsheet works Absolute vs relative references Functions: Basic functions (SUM,

382 views • 27 slides
Chapter 1: History O VE E DFORS D EPT . OF EIT, L UND U NIVERSITY Learning outcomes Understand

Chapter 1: History O VE E DFORS D EPT . OF EIT, L UND U NIVERSITY Learning outcomes Understand

Chapter 1: History O VE E DFORS D EPT . OF EIT, L UND U NIVERSITY Learning outcomes Understand which important mechanisms and trends lead to telecom innovations, why digital information systems often are preferable, different types of

296 views • 12 slides
GO-TO-MARKET AND CATEGORY Jennifer Johnson DESIGN FUNDAMENTALS About Me Over 15 years in

GO-TO-MARKET AND CATEGORY Jennifer Johnson DESIGN FUNDAMENTALS About Me Over 15 years in

GO-TO-MARKET AND CATEGORY Jennifer Johnson DESIGN FUNDAMENTALS About Me Over 15 years in enterprise software marketing Former CMO at Coverity (now Synopsys) and Tanium Former Partner at Andreessen Horowitz Currently a category

273 views • 26 slides
xv6 Overview CS 450 : Operating Systems Michael Saelee <lee@iit.edu> Computer Science

xv6 Overview CS 450 : Operating Systems Michael Saelee <lee@iit.edu> Computer Science

xv6 Overview CS 450 : Operating Systems Michael Saelee <lee@iit.edu> Computer Science Science Agenda - Architectural overview - Features & limitations - Hardware dependencies/features Computer Science Science Agenda - Code

365 views • 21 slides

More recommend