field failure reproduction using symbolic execution and
play

FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC - PowerPoint PPT Presentation

Jun 07, 2023 •422 likes •810 views

FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR DSE SBST FIELD

  1. FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR

  2. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR

  3. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND GENETIC PROGRAMMING Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR

  4. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND Field failures are GENETIC PROGRAMMING unavoidable! Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR

  5. DSE SBST FIELD FAILURE REPRODUCTION USING SYMBOLIC EXECUTION AND Field failures are GENETIC PROGRAMMING unavoidable! Alessandro (Alex) Orso School of Computer Science – College of Computing Georgia Institute of Technology Partially supported by: NSF, IBM, and MSR

  6. TYPICAL DEBUGGING PROCESS Bug Repository Very hard to (1) reproduce (2) debug

  7. TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository Very hard to (1) reproduce (2) debug

  8. TYPICAL DEBUGGING PROCESS Recent survey of Apache, Eclipse, and Mozilla developers: Information on how to reproduce field failures is the most valuable, and difficult to obtain, piece of information for investigating such failures. [Zimmermann10] Bug Repository OVERARCHING GOAL : help developers (1) investigate field failures, Very hard to (2) understand their causes, and (1) reproduce (3) eliminate such causes. (2) debug

  9. OUR WORK SO FAR Recording and replaying executions [icsm 2007, icse 2007] Input minimization ✘ [woda 2006, icse 2007] Input anonymization [icse 2011] Mimicking field failures [icse 2012, icst 2014] Explaining field failures [issta 2013, TR]

  10. MIMICKING FIELD FAILURES User run ( R ) Mimicked run ( R’ ) • F’ is analogous to F • R’ is an actual execution in the field F F’ in house

  11. MIMICKING FIELD FAILURES User run ( R ) Relevant events Mimicked run ( R’ ) (breadcrumbs)

  12. OVERALL VISION In house In the field Software developer Application Instrumentation sed.c:8958 -> sed.c: 8958 sed.c:8993 -> sed.c: 9011 sed.c:8785 -> sed.c: 8786 sed.c:8786 -> sed.c: 8786 sed.c:990 -> sed.c: 990 Crash report Likely faults Field Failure Field Failure Synthesized (execution data) Reproduction Executions Debugging

  13. DSE SBST BUGREDUX/SBFR Crash report Field Failure Synthesized (execution data) Reproduction Executions

  14. BUGREDUX Joint work with Wei Jin Crash report (execution data) Synthesized Executions

  15. BUGREDUX Joint work with Wei Jin Crash report Test Input (execution data)

  16. BUGREDUX Joint work with Wei Jin Candidate input Input Oracle Crash report generator Test Input (execution data) • Execution data Point of failure (POF) • Failure call stack • Call sequence • Complete trace • • Input generation technique Guided symbolic execution •

  17. ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) statesSet= {<cl, pc, ss, goal>} Output I f (candidate input) Main algorithm SelNextState minDis = ∞ init; currGoal = first(goals) repeat retState = null currState = SelNextState() if (!currState) backtrack or fail foreach state in statesSet if (currState.cl == currGoal) if (state.goal = currGoal) if (currGoal == last(goals)) if (state.cl can reach currGoal) return solve(currState.pc) d = |shortest path state.cl, currGoal| else if d < minDis currGoal = next(goals) minDis = d currState.goal = currGoal retState = state symbolicallyExec(currState) return retState

  18. ALGORITHM (SIMPLIFIED) Input icfg for P goals (list of code locations) statesSet= {<cl, pc, ss, goal>} Output I f (candidate input) Optimizations/Heuristics Main algorithm SelNextState Dynamic tainting to reduce the symbolic input space minDis = ∞ init; currGoal = first(goals) Program analysis information to prune the search space repeat retState = null Some randomness in the shortest path computation currState = SelNextState() if (!currState) backtrack or fail foreach state in statesSet if (currState.cl == currGoal) if (state.goal = currGoal) if (currGoal == last(goals)) if (state.cl can reach currGoal) return solve(currState.pc) d = |shortest path state.cl, currGoal| else if d < minDis currGoal = next(goals) minDis = d currState.goal = currGoal retState = state symbolicallyExec(currState) return retState

  19. BUGREDUX EVALUATION – FAILURES CONSIDERED Name Repository Size(KLOC) # Faults sed SIR 14 2 grep SIR 10 1 gzip SIR 5 2 ncompress BugBench 2 1 polymorph BugBench 1 1 aeon exploit-db 3 1 glftpd exploit-db 6 1 htget exploit-db 3 1 socat exploit-db 35 1 tipxd exploit-db 7 1 aspell exploit-db 0.5 1 exim exploit-db 241 1 rsync exploit-db 67 1 xmail exploit-db 1 1

  20. BUGREDUX EVALUATION – FAILURES CONSIDERED Name Repository Size(KLOC) # Faults sed SIR 14 2 grep SIR 10 1 gzip SIR 5 2 ncompress BugBench 2 1 polymorph BugBench 1 1 None of these faults can be discovered by aeon exploit-db 3 1 a vanilla KLEE with a timeout of 72 hours glftpd exploit-db 6 1 htget exploit-db 3 1 socat exploit-db 35 1 tipxd exploit-db 7 1 aspell exploit-db 0.5 1 exim exploit-db 241 1 rsync exploit-db 67 1 xmail exploit-db 1 1

  21. BUGREDUX EVALUATION – RESULTS Name POF Call Stack Call Seq. Compl. Trace sed #1 sed #2 grep gzip #1 gzip #2 ncompress One of three outcomes: polymorph ✘ : fail aeon ~ : synthesize rsync ✔ : (synthesize and) mimic glftpd htget socat tipxd aspell xmail exim

  22. ~ ~ ~ ~ ~ ~ ~ BUGREDUX EVALUATION – RESULTS Synth.: 10/16 Synth.: 16/16 Synth.: 2/16 Synth.: 9/16 Mimic: 6/16 Mimic: 16/16 Mimic: 2/16 Mimic: 6/16 Name POF Call Stack Call Seq. Compl. Trace sed #1 ✘ ✘ ✔ ✘ sed #2 ✘ ✘ ✔ ✘ grep ✘ ✔ ✘ gzip #1 ✔ ✔ ✔ ✘ gzip #2 ✔ ✘ ncompress ✔ ✔ ✔ ✘ polymorph ✔ ✔ ✔ ✘ aeon ✔ ✔ ✔ ✔ rsync ✘ ✘ ✔ ✘ glftpd ✔ ✔ ✔ ✘ htget ✔ ✘ socat ✘ ✘ ✔ ✘ tipxd ✔ ✔ ✔ ✘ aspell ✔ ✘ xmail ✘ ✘ ✔ ✘ exim ✘ ✘ ✔ ✔

  23. ~ ~ ~ ~ ~ ~ ~ BUGREDUX EVALUATION – RESULTS Synth.: 10/16 Synth.: 16/16 Synth.: 2/16 Synth.: 9/16 Mimic: 6/16 Mimic: 16/16 Mimic: 2/16 Mimic: 6/16 Name POF Call Stack Call Seq. Compl. Trace sed #1 ✘ ✘ ✔ ✘ sed #2 ✘ ✘ ✔ ✘ grep ✘ ✔ ✘ Observations: gzip #1 ✔ ✔ ✔ ✘ gzip #2 • Faults can be distant from ✔ ✘ ncompress ✔ ✔ ✔ ✘ the failure points: polymorph ✔ ✔ ✔ ✘ => POFs and call stacks aeon ✔ ✔ ✔ ✔ unlikely to help rsync ✘ ✘ ✔ ✘ • More information is not glftpd ✔ ✔ ✔ ✘ htget ✔ ✘ always better • Symbolic execution can socat ✘ ✘ ✔ ✘ tipxd be a limiting factor ✔ ✔ ✔ ✘ aspell ✔ ✘ xmail ✘ ✘ ✔ ✘ exim ✘ ✘ ✔ ✔

  24. ~ ~ ~ ~ ~ ~ ~ BUGREDUX EVALUATION – RESULTS Synth.: 10/16 Synth.: 16/16 Synth.: 2/16 Synth.: 9/16 Mimic: 6/16 Mimic: 16/16 Mimic: 2/16 Mimic: 6/16 Name POF Call Stack Call Seq. Compl. Trace sed #1 ✘ ✘ ✔ ✘ sed #2 ✘ ✘ ✔ ✘ grep ✘ ✔ ✘ Observations: n a c n o i t gzip #1 u ✔ ✔ ✔ ✘ c e x e c i l o b m y S r o f gzip #2 e • Faults can be distant from v ✔ ✘ i t c e f f e n i e b ncompress ✔ ✔ ✔ ✘ the failure points: polymorph y ✔ h l ✔ ✔ ✘ g h i h t => POFs and call stacks i w s m a r g o r p • aeon ✔ ✔ ✔ ✔ t s u p n i d e u r c t u r s t unlikely to help • programs that interact rsync ✘ ✘ ✔ ✘ • More information is not glftpd ✔ ✔ ✔ ✘ with external libraries htget • large complex programs ✔ ✘ always better • Symbolic execution can socat ✘ ✘ ✔ ✘ in general tipxd be a limiting factor ✔ ✔ ✔ ✘ aspell ✔ ✘ xmail ✘ ✘ ✔ ✘ exim ✘ ✘ ✔ ✔

  25. SBFR Joint work with Kifetew, Jin, Tiella, Tonella Crash report Test Input (execution data) • Execution data Call sequence • • Input generation technique Genetic Programming •

  26. SBFR Joint work with Kifetew, Jin, Tiella, Tonella <a> ::= <b> | λ Grammar Crash report Test Input (execution data)

  27. SBFR Joint work with Kifetew, Jin, Tiella, Tonella <a> ::= <b> | λ Grammar Derivation Tree Genetic Programming Crash report Test Input (execution data) Sentence derivation from the grammar: Random application of grammar rules • Uniform • 80/20 • Stochastic (from a corpus)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Compositional Symbolic Execution through Program Specialization e Miguel Rojas 1 and Corina P

Compositional Symbolic Execution through Program Specialization e Miguel Rojas 1 and Corina P

Compositional Symbolic Execution through Program Specialization e Miguel Rojas 1 and Corina P areanu 2 Jos as 1 Technical University of Madrid, Spain 2 CMU-SV/NASA Ames, Moffett Field, CA, USA BYTECODE 2013 March 23, Rome, Italy Software

579 views • 33 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides
Lecture 1: Introduction to RKHS MLSS Tbingen, 2015 Gatsby Unit, CSML, UCL July 22, 2015

Lecture 1: Introduction to RKHS MLSS Tbingen, 2015 Gatsby Unit, CSML, UCL July 22, 2015

Feature space Basics of reproducing kernel Hilbert spaces Kernel Ridge Regression Lecture 1: Introduction to RKHS MLSS Tbingen, 2015 Gatsby Unit, CSML, UCL July 22, 2015 Lecture 1: Introduction to RKHS Feature space Basics of reproducing

943 views • 93 slides
Improvements on Higher Order Ambisonics Reproduction in the Spherical Harmonics Domain Under

Improvements on Higher Order Ambisonics Reproduction in the Spherical Harmonics Domain Under

Improvements on Higher Order Ambisonics Reproduction in the Spherical Harmonics Domain Under Real-time Constraints Christoph Hold , Hannes Gamper September 14, 2018 Microsoft Research, Technical University Berlin Motivation Motivation 1

694 views • 43 slides
Principle of allocation growth assimilation Soma maintenance reproduction excretion Life

Principle of allocation growth assimilation Soma maintenance reproduction excretion Life

Principle of allocation growth assimilation Soma maintenance reproduction excretion Life history - how allocation changes over the lifetime of an organism. young lifetime old Principle of allocation leads to trade-offs ? Example: Size

473 views • 8 slides
in in Phys Physics ics Applica pplicati tions ons March 2016 - Carlo Tintori ISO 9001:2008

in in Phys Physics ics Applica pplicati tions ons March 2016 - Carlo Tintori ISO 9001:2008

Digital Digital sy systems stems for Multi or Multi-Par arametr ametric ic ana analys ysis is in in Phys Physics ics Applica pplicati tions ons March 2016 - Carlo Tintori ISO 9001:2008 CERT. N. 9105.CAEN CAEN Digitizers

764 views • 63 slides
December PE 46 Webinar REPRODUCTIVE HEALTH PROGRAM Adolescent, Genetics, and Reproductive Health

December PE 46 Webinar REPRODUCTIVE HEALTH PROGRAM Adolescent, Genetics, and Reproductive Health

December PE 46 Webinar REPRODUCTIVE HEALTH PROGRAM Adolescent, Genetics, and Reproductive Health Agenda Welcome/Introductions General Updates Everything PE 46 Everything Data Panel Discussion General Discussion

997 views • 31 slides
Experimental Research Research Methods in HCI Lazar, Feng, and Hochheiser Laboratory vs.

Experimental Research Research Methods in HCI Lazar, Feng, and Hochheiser Laboratory vs.

Experimental Research Research Methods in HCI Lazar, Feng, and Hochheiser Laboratory vs. Non-Laboratory research methods: Observations, field studies, surveys, usability studies, interviews, focus groups, controlled experiments. Eg. Study on

642 views • 3 slides
Quantitative Evaluation Research Questions Quantitative Data Controlled Studies Experimental

Quantitative Evaluation Research Questions Quantitative Data Controlled Studies Experimental

Quantitative Evaluation Research Questions Quantitative Data Controlled Studies Experimental Methods Role of Statistics Quantitative Evaluation What is experimental design? What is an experimental hypothesis? How do I plan an experiment?

432 views • 16 slides
Introduction to HCI Methods and the Design of Studies Guest Lecturer: Marshini Chetty Slides

Introduction to HCI Methods and the Design of Studies Guest Lecturer: Marshini Chetty Slides

Introduction to HCI Methods and the Design of Studies Guest Lecturer: Marshini Chetty Slides amended from Lorrie Cranor and Blase Ur 1 Who am I? Marshini Chetty Marshini C hetty, Assistant Prof Assistant Professor iSchool, UMIACS, CS College of

1.02k views • 37 slides

More recommend