Automated Test Generation: A Journey from Symbolic Execution to - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond

Koushik Sen

EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/

1

slide-2
SLIDE 2

2

Programs are still written by humans, and will be written by humans

slide-3
SLIDE 3

3

To Err is Human Software Bugs

slide-4
SLIDE 4

Programs Have Bugs

4

slide-5
SLIDE 5

Why Program Testing?

5

  • Programmer familiarity
  • Concrete input for debugging
  • No false positives
  • Easy regression

slide-6
SLIDE 6

Why Automated Testing?

6

slide-7
SLIDE 7

Automated Testing Hits the Mainstream

7

slide-8
SLIDE 8

Automated Testing Hits the Mainstream

8

slide-9
SLIDE 9

Automated Testing Hits the Mainstream

9

slide-10
SLIDE 10

Automated Testing Hits the Mainstream

10

slide-11
SLIDE 11

Automated Testing Hits the Mainstream

11

slide-12
SLIDE 12

Automated Testing Hits the Mainstream

12

slide-13
SLIDE 13

Automated Testing Hits the Mainstream

13

slide-14
SLIDE 14

Automated Testing Hits the Mainstream

14

slide-15
SLIDE 15

Automated Testing Hits the Mainstream

15

slide-16
SLIDE 16

Goals of Automated Testing

Assumption: A program with optional assertions

Goal: Automatically generate test inputs

  • Get “good” code coverage
  • Find “most” assertion violations
  • Find crashes
  • Find security vulnerabilities

16

slide-17
SLIDE 17

Approaches to Test Generation

Symbolic execution Fuzz testing Hybrid Human-guidance AI guidance Many more ...

slide-18
SLIDE 18

Symbolic Execution and Concolic Testing

18

slide-19
SLIDE 19

Symbolic Execution

  • Java PathFinder, KLEE, S2E, Veritesting

Concolic Testing

  • Combine concrete execution and symbolic execution
  • DART, CUTE, CREST, ConBol, Apollo, Jalangi, CATG

Concrete + Symbolic = Concolic

19

slide-20
SLIDE 20

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

20

slide-21
SLIDE 21

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

Path constraint: true
Symbolic state: x = x0, y = y0, z = undef

21

slide-22
SLIDE 22

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

22

Path constraint: true
Symbolic state: x = x0, y = y0, z = 2y0

slide-23
SLIDE 23

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

23

Path constraint: 2y0 = x0
Symbolic state: x = x0, y = y0, z = 2y0

slide-24
SLIDE 24

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

24

Path constraint: 2y0 = x0 /\ x0 > y0 + 10
Symbolic state: x = x0, y = y0, z = 2y0

slide-25
SLIDE 25

Symbolic Execution and Concolic Testing

void testme(int x, int y) {
    int z = 2 * y;
    if (z == x) {
        if (x > y + 10) {
            ERROR;
        }
    }
}

25

Path constraint: 2y0 = x0 /\ x0 > y0 + 10
Solve: test inputs x = 22, y = 11

slide-26
SLIDE 26

Concolic Testing in Practice

  • Led to the development of several industrial and academic automated testing and security tools

– Projects at Intel, Google, MathWorks, NTT, SalesForce
– PEX, SAGE, and YOGI at Microsoft
– Apollo at IBM, and Conbol and Jalangi at Samsung
– BitBlaze, jFuzz, Oasis, and SmartFuzz in academia

26

slide-27
SLIDE 27

Coverage is Low

27

slide-28
SLIDE 28

Why Coverage is Low?

✗ Expensive to explore each path (i.e. input)
✗ Astronomical # of paths
✗ Explores a small fraction of paths

But finds complex logical bugs

28

slide-29
SLIDE 29

Fuzz Testing

29

slide-30
SLIDE 30

Fuzzing in One Slide

Program

30

slide-31
SLIDE 31

Fuzzing in One Slide

Fuzzer Program

31

slide-32
SLIDE 32

Fuzzing in One Slide

[Diagram: Fuzzer, Program, Inputs]

Randomly generate Input, e.g. H@5^23#t.f

./Program < /dev/random

32

slide-33
SLIDE 33

Fuzzing in One Slide

[Diagram: Fuzzer, Program, Inputs]

Randomly generate Input, e.g. H@5^23#t.f

./Program < /dev/random

Run on Inputs

33

slide-34
SLIDE 34

Mutational Fuzzing in One Slide

[Diagram: Program, Seed, Interesting Input(s)]

34

slide-35
SLIDE 35

Mutational Fuzzing in One Slide

[Diagram: Fuzzer, Program, Seed, Interesting Input(s)]

35

slide-36
SLIDE 36

Mutational Fuzzing in One Slide

[Diagram: Fuzzer, Program, Seed, Interesting Input(s)]

Steps: Pick an Input

36

slide-37
SLIDE 37

Mutational Fuzzing in One Slide

[Diagram: Fuzzer, Program, Seed, Interesting Input(s), Inputs]

Steps: Pick an Input, Mutate the Input

Example inputs: <!BTTLIST, <!ATTLIST

37

slide-38
SLIDE 38

Mutational Fuzzing in One Slide

[Diagram: Fuzzer, Program, Seed, Interesting Input(s), Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Example inputs: <!BTTLIST, <!ATTLIST

38

slide-39
SLIDE 39

Mutational Fuzzing in One Slide

[Diagram: Fuzzer, Program, Seed, Interesting Input(s), Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Example inputs: <!BTTLIST, <!ATTLIST

39

Mutational Fuzzers

  • Radamsa
  • Zzuf
slide-40
SLIDE 40

Feedback-Directed Fuzzing

40

slide-41
SLIDE 41

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

41

slide-42
SLIDE 42

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

42

slide-43
SLIDE 43

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

43

slide-44
SLIDE 44

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input

44

slide-45
SLIDE 45

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

45

slide-46
SLIDE 46

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

46

Lots of choices:

  • 1. Which input to pick?
  • 2. How to mutate an input?
  • 3. How many mutants to generate?
  • 4. What kind of feedback?
  • 5. How to decide if an input is interesting?

Resolved using heuristics over a period of 10 years
slide-52
SLIDE 52

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

52

Fuzzers:

  • AFL
  • AFLFast
  • Libfuzzer
  • Angora
  • VUzzer
  • Steelix
  • AFLGo
  • AFLSmart
  • Nautilus
  • FairFuzz
  • PerfFuzz
  • JQF/Zest
  • FuzzFactory
  • RLCheck
slide-53
SLIDE 53

What Bugs Can Fuzzing Find?

  • Assertion violations
  • Segmentation faults
  • Buffer overflows
  • Use-after-frees
  • Integer signedness
  • etc. …

53

slide-54
SLIDE 54

What Bugs Have Fuzzing Found?

  • Tons of them ...
  • CVE-2014-6277: ShellShock bug in Bash:

– GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment ...

  • CVE-2014-0160: Heartbleed bug in OpenSSL:

– A read buffer overflow allowed an attacker to extract information from servers using OpenSSL

  • CVE-2016-8677: ImageMagick

– imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)

  • CVE-2014-1564: Firefox

– Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering

  • CVE-2010-0539: Safari Remote Execution

– Integer signedness error in the window drawing implementation in Apple Java for Mac OS X 10.5 ...

  • See http://lcamtuf.coredump.cx/afl/ for an exhaustive list of bugs and security vulnerabilities found by a state-of-the-art fuzzer AFL

54

slide-55
SLIDE 55

55

How Good is Fuzzing?

slide-56
SLIDE 56

What’s Missing? Uneven Coverage

Observation: some parts of the program are easier to cover

int process_xml(char *fuzzed_data, int fuzzed_data_len) {
    if (fuzzed_data_len >= 10) {
        // more code
    }
    // ...
    if (starts_with(fuzzed_data, "<!ATTLIST")) {
        // ...
    }
    // ...
    return process_result;
}

  • if (fuzzed_data_len >= 10): hit by 100k+ inputs, code under it is well-covered
  • if (starts_with(fuzzed_data, "<!ATTLIST")): hit by 1 input, code under it is barely covered

56

slide-57
SLIDE 57

FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage

Caroline Lemieux, Koushik Sen

University of California, Berkeley

source: https://github.com/carolemieux/afl-rb

57

slide-58
SLIDE 58

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

58

slide-59
SLIDE 59

FairFuzz: Ideas

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

59

FairFuzz Ideas: 2 heuristics

  • 1. Identify: branches hit by few inputs (rare branches)
  • 2. Identify: where input can be mutated and hit branch

slide-60
SLIDE 60

FairFuzz: Ideas

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

60

FairFuzz Ideas: 2 heuristics

  • 1. Identify: branches hit by few inputs (rare branches)
  • 2. Identify: where an input can be mutated and hit branch

slide-61
SLIDE 61

Summary Results – Coverage Leaders

61

slide-62
SLIDE 62

Summary Results – Coverage Leaders

62

FairFuzz achieves the highest coverage fast, for nearly all benchmarks

slide-63
SLIDE 63

PerfFuzz: Automatically Generating Pathological Inputs

Caroline Lemieux, Rohan Padhye, Koushik Sen, Dawn Song University of California, Berkeley

source: https://github.com/carolemieux/perffuzz

63

slide-64
SLIDE 64

Performance Problems Have Consequences

  • poor user experience
  • excessive resource consumption
  • security vulnerabilities (DoS)

64

slide-65
SLIDE 65

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • Coverage
  • Execution length
  • Well-formed input
  • ...

Interesting?

  • New coverage?
  • Longer execution?
  • Valid input?
  • ...

Yes: add Input No: Discard input

65

slide-66
SLIDE 66

PerfFuzz: Idea

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • # of times each branch is executed

Interesting?

  • Longer execution of some branch?

Yes: add Input No: Discard input

66

PerfFuzz Ideas: change heuristic

  • 1. Feedback: # of times each branch is executed
  • 2. Interesting: Longer execution of some branch

slide-67
SLIDE 67

Macro-Benchmarks: Maximum Path Length

[Charts: libxml2, libpng, libjpeg-turbo, zlib]

  • Path length: total number of hits of CFG edges by an input

67

slide-68
SLIDE 68

Macro-Benchmarks: Maximum Path Length

[Charts: libxml2, libpng, libjpeg-turbo, zlib]

  • Path length: total number of hits of CFG edges by an input

24.7x

68

slide-69
SLIDE 69

PerfFuzz: Memory-alloc Fuzzing

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback

  • # of bytes allocated at each malloc()

Interesting?

  • More bytes allocated at some call?

Yes: add Input No: Discard input

69

PerfFuzz Ideas: change heuristic

  • 1. Feedback: # of bytes allocated at each malloc() call
  • 2. Interesting: More bytes allocated than any other input

slide-70
SLIDE 70

Memory-alloc fuzzing: OOMs and Bombs

70

  • Libpng
      1. 100 bytes Input with large dimensions
          • Reader allocates 2 billion bytes
      2. 100 bytes Input with large color space, but fixed dimension
          • Color table allocated with 4 GB space
  • Libarchive
      1. 50 bytes zipped file: 4GB output
      2. Memory leaks with LZMA compression (32 byte ZIP leaks 96 bytes)

slide-71
SLIDE 71

FuzzFactory: Domain-Specific Fuzzing with Waypoints

Rohan Padhye and Caroline Lemieux and Koushik Sen and Laurent Simon and Hayawardh Vijayakumar

source: https://github.com/rohanpadhye/FuzzFactory

71

slide-72
SLIDE 72

Domain-Specific Fuzzers

  • Zest [Padhye et al. 2018]

– “increase coverage amongst valid inputs”

  • SlowFuzz [Petsios et al. 2017]

– “increase path length”

  • PerfFuzz [Lemieux et al. 2018]

– “maximize branch exec counts”

  • DifFuzz [Nilizadeh et al. 2019]

– “leak more info on the side channel”

  • MemFuzz [Coppik et al. 2019]

– “access new input-dependent memory locations”

72

Common Strategy: Save intermediate inputs

“Waypoints”

slide-73
SLIDE 73

Can we rapidly create domain-specific fuzzers?

Without touching the underlying search algorithm

73

slide-74
SLIDE 74

Feedback-directed Fuzzing 101

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, Inputs]

Steps: Pick an Input, Mutate the Input, Run on Inputs

Feedback (key-value map)

Interesting?

  • Better value of dsf(k) for some k?

Yes: add Input No: Discard input

74

slide-75
SLIDE 75

Example Fuzzers using FuzzFactory

  • CMP

– Goal: Test programs whose inputs require magic bytes, checksums, etc.
– Waypoints: inputs which increase progress of strcmp, memcmp, strstr, etc.

  • MEM

– Goal: Find memory allocation and management related bugs
– Waypoints: inputs which increase args to malloc()

  • CMP+MEM

– Goal: Find memory mgmt bugs in programs with magic bytes, checksums, etc.
– Waypoints: CMP or MEM

75
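
The feedback loop of slide 74 with a key-value feedback map, as an example added here (not FuzzFactory's own code): an input is kept when it improves the best value seen for some key, and switching on a CMP-style key is what lets the loop reach the `<!ATTLIST` branch from slide 56. The toy `process_xml`, the key names, the byte alphabet and the deterministic one-byte-overwrite mutator (used instead of random mutation so the run is reproducible) are assumptions of this example.

```python
MAGIC = b"<!ATTLIST"
ALPHABET = b"<!ATLIS>"      # bytes the deterministic mutator may write


def process_xml(data):
    """Toy target modelled on the slides' process_xml; returns a feedback map."""
    fb = {}
    if len(data) >= 10:
        fb[("cov", "len>=10")] = 1             # easy branch
    matched = 0                                # progress of starts_with()
    for got, want in zip(data, MAGIC):
        if got != want:
            break
        matched += 1
    fb[("cmp", "starts_with")] = matched       # CMP-style waypoint value
    if matched == len(MAGIC):
        fb[("cov", "attlist")] = 1             # rare branch
    return fb


def mutants(data):
    """Deterministic stand-in for random mutation: overwrite one byte at a time."""
    for pos in range(len(data)):
        for b in ALPHABET:
            yield data[:pos] + bytes([b]) + data[pos + 1:]


def fuzz(seed, kinds, budget=5000):
    """Feedback-directed loop; `kinds` selects which feedback keys are observed."""
    best, corpus, execs = {}, [seed], 0

    def run(inp):
        # Interesting? = better value of the feedback map for some key.
        nonlocal execs
        execs += 1
        fb = {k: v for k, v in process_xml(inp).items() if k[0] in kinds}
        gains = [k for k, v in fb.items() if v > best.get(k, 0)]
        for k in gains:
            best[k] = fb[k]
        return bool(gains)

    run(seed)
    i = 0
    while i < len(corpus) and execs < budget:
        parent = corpus[i]                     # pick an input
        i += 1
        for child in mutants(parent):          # mutate the input
            if execs >= budget:
                break
            if run(child):                     # run, then keep or discard
                corpus.append(child)
    return corpus, best, execs


if __name__ == "__main__":
    seed = b"a" * 12                           # constructed seed
    for kinds in ({"cov"}, {"cov", "cmp"}):
        corpus, best, execs = fuzz(seed, kinds)
        print(sorted(kinds), len(corpus), execs, corpus[-1])
```

With coverage alone the corpus never grows past the seed; with the CMP key each saved input matches one more byte of the magic string, and the tenth saved input covers the rare branch.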

slide-76
SLIDE 76

Super-Fuzzer: CMP + MEM

76

slide-77
SLIDE 77

Super-Fuzzer: CMP + MEM

77

  • LZ4 Bomb (4GB alloc when decoding 21-byte input)
  • PNG Bomb (2GB alloc when reading ~100 byte 20px image)

slide-78
SLIDE 78

Coverage is Still Low

78

slide-79
SLIDE 79

Why Coverage is Still Low?

✗ Cannot explore “deep states”
✗ Cannot find complex logical bugs
✗ Gets stuck in input parsing stage
✗ Hardly gets 20%-30% code coverage on real-world software

But cheap and simple

79

slide-80
SLIDE 80

Time to Bring Human in the Loop

Approach: Human restricts the set of inputs to be explored by providing

  • A Randomized Generator, or
  • A Precondition on Inputs, or
  • ...

Algorithms to search the restricted input space

80
slide-81
SLIDE 81

Semantic Fuzzing with Zest

Rohan Padhye (UC Berkeley), Caroline Lemieux (UC Berkeley), Koushik Sen (UC Berkeley), Mike Papadakis (U. Luxembourg), Yves Le Traon (U. Luxembourg)

source: https://github.com/rohanpadhye/jqf

81

slide-82
SLIDE 82

How do I test ...

  • a program taking an XML file as input

– (e.g. Maven, Ant)

  • a compiler

– (e.g. Closure or Rhino compilers for JavaScript)

  • In general, a program taking structurally complex inputs

82

slide-83
SLIDE 83

Human Writes a Simple Input Generator

public XMLElement genXML(Random random) {
    // Generate a random tag name
    String name = random.nextString(MAX_TAG_LENGTH);
    XMLElement node = new XMLElement(name);
    // Generate a random number of children
    int n = random.nextInt(MAX_CHILDREN);
    for (int i = 0; i < n; i++) {
        // Generate child nodes recursively
        node.addChild(genXML(random));
    }
    // Maybe insert text inside element
    if (random.nextBoolean()) {
        node.addText(random.nextString(MAX_TEXT_LENGTH));
    }
    return node;
}

  • Generates random syntactically valid XML documents

✗ May not conform to a given schema

83

Example generated: <foo><i>xyz</i><br/></foo>

[Diagram: tree with nodes foo, i, br, xyz]

slide-84
SLIDE 84

Zest: Mutate Params to Generator

[Diagram: Fuzzer, Program, Seed, Interesting Inputs, params, Input]

Steps: Pick a set of params, Mutate the params

Feedback

  • Coverage
  • Input validity

Interesting?

  • New coverage?
  • Valid input?

Yes: add Input No: Discard input

84

Generator Augmented Program

slide-85
SLIDE 85

Zest: New bugs discovered

  • Google Closure Compiler: #2842, #2843, #3220, #3173
  • OpenJDK: JDK-8190332, JDK-8190511, JDK-8190512, JDK-8190997, JDK-8191023, JDK-8191076, JDK-8191109, JDK-8191174, JDK-8191073, JDK-8193444, JDK-8193877, CVE-2018-3214
  • Apache Commons: LANG-1385, COMPRESS-424, COLLECTIONS-714, CVE-2018-11771
  • Apache Ant: #62655
  • Apache Maven: #34, #57
  • Apache PDFBox: PDFBOX-4333, PDFBOX-4338, PDFBOX-4339, CVE-2018-8036
  • Apache TIKA: CVE-2018-8017, CVE-2018-12418
  • Apache BCEL: BCEL-303, BCEL-307, BCEL-308, BCEL-309, BCEL-310, BCEL-311, BCEL-312, BCEL-313
  • Mozilla Rhino: #405, #406, #407, #409, #410

85

slide-86
SLIDE 86

Zest finds complex semantic bugs

On this JavaScript input, Google’s Closure compiler throws an “IllegalStateException: Unexpected variable” during optimization passes

86

slide-87
SLIDE 87

Time to Bring Human in the Loop

Approach: Human restricts the set of inputs to be explored by providing

  • A Randomized Generator, or
  • A Precondition on Inputs, or
  • ...

Algorithms to search the restricted input space

87
slide-88
SLIDE 88

Efficient Sampling of SAT and SMT Constraints

Rafael Dutra, Kevin Laeufer, Jonathan Bachrach, and Koushik Sen EECS Department UC Berkeley

source: https://github.com/RafaelTupynamba/quicksampler

88

slide-89
SLIDE 89

Human Writes a Pre-condition on Inputs

  • An over-approximation of valid inputs
  • Restricts the set of inputs to be generated

Goal: sample inputs from the restricted input space

89

In SMT (Satisfiability Modulo Theories):

(x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
where x = mem[0], y = mem[1], mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
mem ∈ Array(BV[4], BV[4])

slide-90
SLIDE 90

Sampling SAT and SMT Constraints

Goal: Quickly generate lots of solutions that satisfy the constraint

Input: Logical constraint (SAT formula)

(x1 x4) (x1 ¬x3 ¬x8) (x1 x8 x6) (x2 x5) (¬x7 ¬x3 x9) (¬x7 x8 ¬x9) (x7 x8 ¬x10) (x7 x10 ¬x6)

Variables: x1 x2 x3 x4 x5 x6 x7 x8 x9 x10

σ0 = 1 0 0 0 1 0 0 0 1 0
σ1 = 0 0 0 1 1 0 0 1 1 0
σ2 = 1 1 0 0 1 0 0 0 1 0
σ3 = 0 1 0 1 1 0 0 1 1 0
σ4 = 1 0 1 0 1 0 0 0 1 0
σ5 = 1 1 1 0 1 0 0 0 1 0

slide-91
SLIDE 91

QuickSampler

Our goals:

  • Generate samples >100x faster than other techniques
  • Sampling should be close to uniform

Our approach:

  • Compute patterns of bit flips which preserve satisfiability
  • Combine those bit flip patterns to generate lots of samples

91

slide-92
SLIDE 92

92

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

slide-93
SLIDE 93

93

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0

slide-94
SLIDE 94

94

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)

slide-95
SLIDE 95

MAX-SAT

95

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)

slide-96
SLIDE 96

96

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)

slide-98
SLIDE 98

98

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0

slide-101
SLIDE 101

101

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT

slide-103
SLIDE 103

103

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0

slide-104
SLIDE 104

104

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

slide-105
SLIDE 105

105

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

slide-106
SLIDE 106

106

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = δ0 ∨ δ1 = 1 1 0 1 1 1 0 0

slide-107
SLIDE 107

107

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0

slide-108
SLIDE 108

108

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = δ0 ∨ δ3 = 1 0 0 1 1 0 0 0

slide-109
SLIDE 109

109

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = 1 0 0 1 1 0 0 0
σ03 = σ ⊕ δ03 = 1 0 1 1 0 1 1 0

slide-110
SLIDE 110

110

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = 1 0 0 1 1 0 0 0
σ03 = σ ⊕ δ03 = 1 0 1 1 0 1 1 0
δ13 = δ1 ∨ δ3 = 0 1 0 1 0 1 0 0

slide-112
SLIDE 112

112

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = 1 0 0 1 1 0 0 0
σ03 = σ ⊕ δ03 = 1 0 1 1 0 1 1 0
δ013 = δ0 ∨ δ1 ∨ δ3 = 1 1 0 1 1 1 0 0

slide-115
SLIDE 115

115

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = 1 0 0 1 1 0 0 0
σ03 = σ ⊕ δ03 = 1 0 1 1 0 1 1 0

At most n MAX-SAT calls to generate atomic mutations

(n choose 6) = O(n^6) samples by combining mutations: NO MAX-SAT

slide-116
SLIDE 116

116

Formula φ(x0,x1,x2,x3,y0,y1,y2,y3)

Variables: x0 x1 x2 x3 y0 y1 y2 y3

Random assignment σ’ = 0 0 1 0 1 1 0 0
Solution σ = 0 0 1 0 1 1 1 0 (MAX-SAT)
σ0 = 1 0 1 0 0 1 1 0 (MAX-SAT)
σ1 = 0 1 1 1 1 0 1 0
UNSAT
σ3 = 0 0 1 1 1 1 1 0
......

δ0 = σ ⊕ σ0 = 1 0 0 0 1 0 0 0
δ1 = σ ⊕ σ1 = 0 1 0 1 0 1 0 0
δ3 = σ ⊕ σ3 = 0 0 0 1 0 0 0 0

δ01 = 1 1 0 1 1 1 0 0
σ01 = σ ⊕ δ01 = 1 1 1 1 0 0 1 0
δ03 = 1 0 0 1 1 0 0 0
σ03 = σ ⊕ δ03 = 1 0 1 1 0 1 1 0

At most 50 MAX-SAT calls to generate atomic mutations

15 890 700 samples by combining mutations: NO MAX-SAT
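
The QuickSampler walk-through above as a runnable sketch, added here and not taken from the QuickSampler sources: one closest-solution query per variable yields the atomic bit-flip patterns δi, which are then OR-combined and XOR-ed onto σ without further solver calls. The slides do not give φ, so `phi` below is a formula constructed for this example to be consistent with the bit-vectors shown; the function names are assumptions, and brute force over all 256 assignments stands in for MAX-SAT.

```python
from itertools import combinations

N = 8  # bit order as on the slides: x0 x1 x2 x3 y0 y1 y2 y3 (x0 is the top bit)


def bit(a, i):
    return (a >> (N - 1 - i)) & 1


def phi(a):
    """Constructed formula: x2 ∧ y2 ∧ (x0 ≠ y0) ∧ (x1 ≠ y1) ∧ (x1 → x3)."""
    x0, x1, x2, x3, y0, y1, y2, y3 = (bit(a, i) for i in range(N))
    return bool(x2 and y2 and x0 != y0 and x1 != y1 and (not x1 or x3))


def max_sat(target, hard=lambda a: True):
    """Brute-force stand-in for MAX-SAT: the solution of phi that satisfies
    `hard` and is closest to `target` in Hamming distance, or None if UNSAT."""
    best = None
    for a in range(1 << N):
        if phi(a) and hard(a):
            d = bin(a ^ target).count("1")
            if best is None or d < best[0]:
                best = (d, a)
    return None if best is None else best[1]


def atomic_mutations(sigma):
    """One query per variable: force bit i to flip and stay as close to sigma
    as possible; delta_i = sigma XOR sigma_i, or None when the flip is UNSAT."""
    deltas = {}
    for i in range(N):
        want = 1 - bit(sigma, i)
        s_i = max_sat(sigma, hard=lambda a: bit(a, i) == want)
        deltas[i] = None if s_i is None else sigma ^ s_i
    return deltas


def combine(sigma, deltas, k=6):
    """OR up to k atomic deltas and XOR onto sigma. Combined candidates are not
    guaranteed to be solutions, so each is checked by evaluating phi."""
    uniq = sorted({d for d in deltas.values() if d is not None})
    samples = {sigma}
    for r in range(1, min(k, len(uniq)) + 1):
        for combo in combinations(uniq, r):
            d = 0
            for c in combo:
                d |= c
            if phi(sigma ^ d):
                samples.add(sigma ^ d)
    return samples


if __name__ == "__main__":
    sigma = max_sat(0b00101100)          # random assignment σ’ from the slides
    deltas = atomic_mutations(sigma)
    for s in sorted(combine(sigma, deltas)):
        print(format(s, "08b"))
```

For this constructed formula, nine closest-solution queries (one for σ, eight for the flips) are enough to reach all 12 of its solutions, including σ01 and σ03 from the slides.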

slide-119
SLIDE 119

SMTSampler: Sampling Solutions of SMT Formulas

  • Extend the mutations to work over bit-vectors, arrays and uninterpreted functions
  • Adaptive generation of solutions based on accuracy
  • Improved scalability for more complex formulas
  • Dutra et al. [ICCAD 2018]

SMT (Satisfiability Modulo Theories):

(x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
where x = mem[0], y = mem[1], mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
mem ∈ Array(BV[4], BV[4])

slide-120
SLIDE 120

Implementation

  • Implemented in C++ using Z3 as the constraint solver
  • https://github.com/RafaelTupynamba/quicksampler
  • https://github.com/RafaelTupynamba/SMTsampler

Optimizations:

  • Eager generation of samples
  • Independent support
  • Unsatisfiable variables


slide-121
SLIDE 121

Experiments

We compared QuickSampler against two state-of-the-art samplers:

  • UniGen2 [1]

– Uses universal hashing to partition the solution space and produce provably uniform samples

  • SearchTreeSampler [2]

– Generates pseudo-solutions: partial assignments that can be completed to full solutions

[1] Supratik Chakraborty, Daniel J Fremont, Kuldeep S Meel, Sanjit A Seshia, and Moshe Y Vardi. 2015. On Parallel Scalable Uniform SAT Witness Generation. In TACAS 2015.

[2] Stefano Ermon, Carla P Gomes, and Bart Selman. 2012. Uniform solution sampling using a constraint solver as an oracle. In UAI 2012.

slide-122
SLIDE 122
  • QuickSampler generates valid solutions

○ 10^(2.5±0.8) times faster than SearchTreeSampler
○ 10^(4.7±1.0) times faster than UniGen2

  • QuickSampler generates unique valid solutions

○ 10^(2.3±0.7) times faster than SearchTreeSampler
○ 10^(4.4±1.1) times faster than UniGen2

slide-123
SLIDE 123

Experiments: Unique Solutions


Higher is better

slide-124
SLIDE 124

Experiments: Uniformity


slide-125
SLIDE 125

QuickSampler and SMTSampler: Limitations


  • Lacks diversity of samples: (x ≥ 4)

φ(x, y, z)

  • Need to solve the following problem:
  • Sample solutions from φ given the coverage predicates ψ1, ψ2, …, ψn

  • Uniformly sample solutions from the coverage classes
slide-126
SLIDE 126

Solution: GuidedSampler

Our approach extends SMTSampler by:

  • Pick a random coverage class of initial solution
  • Flip coverage predicates to compute neighboring solutions
  • Discard new solutions that repeat a previously seen coverage class

https://github.com/RafaelTupynamba/GuidedSampler

slide-127
SLIDE 127

Experiments: Uniformity over Coverage Classes


slide-128
SLIDE 128

Experiments: Uniformity over Coverage Classes


slide-129
SLIDE 129

Experiments: Uniformity over Coverage Classes


slide-130
SLIDE 130

Automated Test Generation: Past, Present, and Future


Symbolic Execution Smart Fuzzing

slide-131
SLIDE 131

Automated Test Generation: Past, Present, and Future


Symbolic Execution Smart Fuzzing Hybrid

slide-132
SLIDE 132

Automated Test Generation: Past, Present, and Future


Symbolic Execution Smart Fuzzing Hybrid Human Guidance

Generators Preconditions Path Annotations ...

slide-133
SLIDE 133

Automated Test Generation: Past, Present, and Future


Symbolic Execution Smart Fuzzing Hybrid

AI Guidance

Generators Preconditions Path Annotations ...

slide-134
SLIDE 134

Our team


Thank you!

Rohan Bavishi, Rafael Dutra, Kevin Laeufer, Caroline Lemieux, Rohan Padhye, Koushik Sen, Ed Younis, Abdus Salam Azad