badger complexity analysis with fuzzing and symbolic
play

Badger : Complexity Analysis with Fuzzing and Symbolic Execution - PowerPoint PPT Presentation

Nov 02, 2023 •220 likes •403 views

Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten Corina S. Pasareanu yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 1 Problem Solution Example

  1. Badger : Complexity Analysis with Fuzzing and Symbolic Execution Yannic Noller Rody Kersten Corina S. Pasareanu yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 1

  2. Problem Solution Example Evaluation Related Summary Complexity Analysis discover vulnerabilities related to worst-case time/ space complexity, e.g., Denial-of-Service 0 public void sort ( int [] a) { find worst-case input: 
 1 int N = a.length; automated + fast + concrete 2 for ( int i = 1; i < N; i++) { 3 int j = i - 1; 4 int x = a[i]; • worst-case complexity: 5 while ((j >= 0) && (a[j] > x)) { O(n 2 ) 6 a[j + 1] = a[j]; 7 j--; • e.g. a=[8, 7, 6] (n=3) 8 } 9 a[j + 1] = x; 10 } 11 } Insertion Sort yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 2

  3. Problem Solution Example Evaluation Related Summary Our Contributions • combine fuzzing and symbolic execution to find algorithmic complexity vulnerabilities • Badger, a framework for analysis of Java applications • analysis parameterized by a cost metric • handling of user-defined cost yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 3

  4. Problem Solution Example Evaluation Related Summary Badger KelinciWCA (based on AFL) increased fuzzer coverage or increased cost exchange interesting 
 inputs symbolic execution based on Symbolic PathFinder (SPF) fuzzer and symbolic execution run in parallel yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 4

  5. Problem Solution Example Evaluation Related Summary KelinciWCA • based on AFL, extends Kelinci [Kersten2017] • mutation-based greybox fuzzing • cost-guided fuzzer: coverage + cost • cost metrics: timing / memory / user-defined • maintain current highscore yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 5

  6. Problem Solution Example Evaluation Related Summary SymExe with SPF fuzzer export inputs import inputs 1 5 SymExe interesting input Trie Extension / 
 2 concolic execution Input Assessment includes most promising node worst-case analysis new input Input 
 4 3 Exploration Generation trie-guided symbolic model generation execution path condition bounded symbolic input generation execution yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 6

  7. Problem Solution Example Evaluation Related Summary Example Trie extension with initial input. The most promising node get selected. initial input 
 a=[37, 42, 48] 0 public void sort ( int [] a) { 1 int N = a.length; 2 for ( int i = 1; i < N; i++) { id=0 
 3 int j = i - 1; ROOT 4 int x = a[i]; score=7.0 5 while ((j >= 0) && (a[j] > x)) { 6 a[j + 1] = a[j]; id=1 
 7 j--; line=5 8 } choice=0 
 9 a[j + 1] = x; score=7.0 10 } 11 } id=2 line=5 Insertion Sort choice=0 
 score=7.0 yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 7

  8. Problem Solution Example Evaluation Related Summary Example Exploration and input generation . id=0 
 ROOT 0 public void sort ( int [] a) { score=7.0 1 int N = a.length; 2 for ( int i = 1; i < N; i++) { id=1 
 3 int j = i - 1; line=5 4 int x = a[i]; choice=0 
 5 while ((j >= 0) && (a[j] > x)) { score=7.0 6 a[j + 1] = a[j]; 7 j--; id=2 id=3 8 } line=5 line=5 9 a[j + 1] = x; choice=0 
 choice=1 
 score=7.0 10 } score=? 11 } pc = sym _0 ≤ sym _1 ∧ sym _1 > sym _2 Insertion Sort new input 
 a=[0, 1, 0] yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 8

  9. Problem Solution Example Evaluation Related Summary Example Assessment of new input and extension of the trie. New most promising node gets selected. new input 
 a=[0, 1, 0] id=0 
 0 public void sort ( int [] a) { ROOT 1 int N = a.length; score=8.5 2 for ( int i = 1; i < N; i++) { 3 int j = i - 1; id=1 
 4 int x = a[i]; line=5 5 while ((j >= 0) && (a[j] > x)) { choice=0 
 6 a[j + 1] = a[j]; score=8.5 7 j--; 8 } id=2 id=3 9 a[j + 1] = x; line=5 line=5 10 } choice=0 
 choice=1 
 score=7.0 11 } score=10 Insertion Sort id=4 line=5 choice=0 
 score=10 yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 9

  10. Problem Solution Example Evaluation Related Summary Research Questions RQ1 : Since Badger combines fuzzing and symbolic execution, is it better than each part on their own in terms of: (a) Quality of worst-case, and (b) Speed? RQ2 : Is KelinciWCA better than Kelinci in terms of: (a) Quality of worst-case, and (b) Speed? RQ3 : Can Badger reveal worst-case vulnerabilities? yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 10

  11. Problem Solution Example Evaluation Related Summary Experiments ID Subject 1 Insertion Sort each experiment for 5 2 Quicksort hours and 5 times 3a Regular Expression (fixed input) 3b Regular Expression (fixed regex) we report the average values 
 4 Hash Table (our full data set is available 5 Compression online) 6 Image Processor 7 Smart Contract yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 11

  12. Problem Solution Example Evaluation Related Summary KelinciWCA 9305 Badger after 20min: 9305 after 2.85 hours Insertion Sort (N=64) 9850 19.35x 10000 9533 18.73x 7500 6701 costs (# jumps) 5000 3025 2500 Kelinci KelinciWCA SymExe Badger 0 1 21 41 61 81 101 121 141 161 181 201 221 241 261 281 300 time (minutes) initial input score: 509 yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 12

  13. Problem Solution Example Evaluation Related Summary no significant di ff erence between Badger and KelinciWCA Quicksort (N=64) 3719 1.31x 3800 3683 1.30x 3161 2970 2850 costs (# jumps) 1900 950 Kelinci KelinciWCA SymExe Badger 0 1 21 41 61 81 101 121 141 161 181 201 221 241 261 281 300 time (minutes) initial input score: 2829 yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 13

  14. Problem Solution Example Evaluation Related Summary Image Processor (2x2 JPEG) 400000 349,438 40.11x 300000 291,384 costs (# jumps) 193,730 22.24x 200000 188,719 100000 Kelinci KelinciWCA SymExe Badger 0 1 21 41 61 81 101 121 141 161 181 201 221 241 261 281 300 time (minutes) initial input score: 8712 yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 14

  15. Problem Solution Example Evaluation Related Summary Existing Solutions • Fuzzing 
 e.g. SlowFuzz [Petsios2017] • Symbolic Execution 
 e.g. WISE , SPF-WCA [Burnim2009] [Luckow2017] • Fuzzing + Symbolic Execution 
 e.g. Driller [Stephens2016] yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 15

  16. Problem Solution Example Evaluation Related Summary Badger : Complexity Analysis with Fuzzing and Symbolic Execution git clone https://github.com/isstac/badger.git yannic.noller@hu-berlin.de International Symposium on Software Testing and Analysis (ISSTA) 2018 ! 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs!

1 Lec09: Fuzzing and Symbolic Execution Taesoo Kim 2 Administrivia Three more labs! including NSA code-breaking challenge! Please submit your working exploits for previous weeks! New recitations: Monday:

293 views • 28 slides
Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher

Driller: Augmenting Fuzzing through Symbolic Execution Nick Stephens , John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna Motivation - Large number of memory

1.15k views • 35 slides
Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik

Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik Sen EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/ 1 Programs are still written by humans, and will

1.62k views • 134 slides
Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic Reasoning Logic is The Calculus of Computer Science (Z. Manna). High computational complexity Test case generation Verifying Compilers

1.73k views • 161 slides
Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic Reasoning Satisfiability Modulo Theories: An Appetizer Logic is The Calculus of Computer Science (Z. Manna). High computational complexity

1.35k views • 116 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static analysis for Runtime analysis bug finding Fuzzing Pen testing Tainting Scripting languages Symbolic execution analyzed

646 views • 41 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng

Finding Race Conditions in Kernels from fuzzing to symbolic execution Meng Xu July 16, 2020 Meng Xu (Georgia Tech) Finding Race Conditions in Kernels 1 July 16, 2020 The game of attack and defense Bug fi nding Exploitation Pro fi t Meng Xu

2.82k views • 173 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Machine Learning to Steer Symbolic Computation from its Worst Case Complexity Matthew England

Machine Learning to Steer Symbolic Computation from its Worst Case Complexity Matthew England

Introduction Prior Work Our Recent Work Machine Learning to Steer Symbolic Computation from its Worst Case Complexity Matthew England Coventry University BCTCS and AlgoUK 2020 36th British Colloquium for Theoretical Computer Science Swansea

721 views • 44 slides
Media gives you a library for your images and attached documents, so they can be reused

Media gives you a library for your images and attached documents, so they can be reused

Using Media, Picture, and Focal Point modules Media gives you a library for your images and attached documents, so they can be reused across nodes, they can be edited in one place. The Media library offers this

282 views • 15 slides
PHP Miscellaneous Dr. E. Benoist Winter Term 2005-2006 PHP Miscellaneous 1 PHP Miscellaneous

PHP Miscellaneous Dr. E. Benoist Winter Term 2005-2006 PHP Miscellaneous 1 PHP Miscellaneous

Berner Fachhochschule - HTI PHP Miscellaneous Dr. E. Benoist Winter Term 2005-2006 PHP Miscellaneous 1 PHP Miscellaneous Generating PDF Documents FPDF Library Image Generation GD Library Example: Barcode Generator Authorization

935 views • 56 slides
I I I I % [ , ] I I I I I w b c : N X X s = c ( i ) w b b f i b

I I I I % [ , ] I I I I I w b c : N X X s = c ( i ) w b b f i b

I I I I % [ , ] I I I I I w b c : N X X s = c ( i ) w b b f i b I I I I I I I I I I I

1.21k views • 39 slides
On the Complexity of Approximating Wasserstein Barycenters Alexey Kroshnin, Darina Dvinskikh,

On the Complexity of Approximating Wasserstein Barycenters Alexey Kroshnin, Darina Dvinskikh,

On the Complexity of Approximating Wasserstein Barycenters Alexey Kroshnin, Darina Dvinskikh, Pavel Dvurechensky , Alexander Gasnikov, Nazarii Tupitsa, Csar A. Uribe International Conference on Machine Learning 2019 Wasserstein barycenter m

856 views • 9 slides
Things to Remember Ethics Reminders What is it? Supervision will be influenced by: The

Things to Remember Ethics Reminders What is it? Supervision will be influenced by: The

10/21/2015 Putting the S UPER back in Supervision &amp; Ethics S UPERVISION Why Together? Practical Guidelins for Ethical Practice Shortage of training WCA Annual Conference 3 Oct. 2015 Good counselor good supervisor

297 views • 4 slides
Disability employment policy in the UK Carol Beattie Disability Analysis Division Department

Disability employment policy in the UK Carol Beattie Disability Analysis Division Department

Disability employment policy in the UK Carol Beattie Disability Analysis Division Department for Work and Pensions United Kingdom Structure of presentation Describe the process of labour market activation which has taken place in the UK

131 views • 11 slides
Some Results on Minimum Support Size of ( v , k , ) -BIBD Zongchen Chen Department of

Some Results on Minimum Support Size of ( v , k , ) -BIBD Zongchen Chen Department of

Introduction to BIBD Properties of BIBD with Repeated Blocks Minimum Support Size Some Results on Minimum Support Size of ( v , k , ) -BIBD Zongchen Chen Department of Mathematics, Zhiyuan College Shanghai Jiao Tong University, P.R.China

321 views • 17 slides
Arlington County Civic Federation 2015-2016 100 th Year February 2, 2016 AGENDA 7:30 Call to

Arlington County Civic Federation 2015-2016 100 th Year February 2, 2016 AGENDA 7:30 Call to

Arlington County Civic Federation 2015-2016 100 th Year February 2, 2016 AGENDA 7:30 Call to Order Minutes, Treasurers Report, Announcements 7:40 Department of Parks and Recreation Director Jane Rudolph 8:10 Neighborhood Conservation

535 views • 24 slides

More recommend