A Survey of Symbolic Execution Techniques
Many security and software testing applications require checking whether
certain properties of a program hold for any possible usage scenario. For
instance, a tool for identifying software vulnerabilities may need to rule out
the existence of any backdoor to bypass a program's authentication. One
approach would be to test the program using different, possibly random inputs.
As the backdoor may only be hit for very specific program workloads, automated
exploration of the space of possible inputs is of the essence. Symbolic
execution provides an elegant solution to the problem, by systematically
exploring many possible execution paths at the same time without necessarily
requiring concrete inputs. Rather than taking on fully specified input values,
the technique abstractly represents them as symbols, resorting to constraint
solvers to construct actual instances that would cause property violations.
Symbolic execution has been incubated in dozens of tools developed over the
last four decades, leading to major practical breakthroughs in a number of
prominent software reliability applications. The goal of this survey is to
provide an overview of the main ideas, challenges, and solutions developed in
the area, distilling them for a broad audience.
The present survey has been accepted for publication at ACM Computing Surveys. If you are considering citing this survey, we would appreciate if you could use the following BibTeX entry: http://goo.gl/Hf5Fvc
Comment: This is the authors' pre-print copy.
Signature of the Structural Test (SST): Metric Based on Data Flow Testing and Mutant Analysis
Structural testing makes it possible to guarantee the quality of software by analyzing its source code. In this sense, this paper presents a new method of structural testing that applies data flow testing and mutant analysis techniques. It is an arithmetic model called Signature of the Structural Test (SST) which, given parameters such as variables, operands, operators and commands, determines a metric aimed at detecting possible semantic and logical errors between the definitions of variables and their uses, as well as reducing the test paths in the data flow graph and the number of mutants generated. The result was favorable to continuing the research with further experiments and to guiding the construction of an appropriate tool.
On Efficiency and Accuracy of Data Flow Tracking Systems
Data Flow Tracking (DFT) is a technique broadly used in a variety of security applications such as attack detection, privacy leak detection, and policy enforcement. Although effective, DFT inherits the high overhead common to in-line monitors, which subsequently hinders its adoption in production systems. Typically, the runtime overhead of DFT systems ranges from 3× to 100× when applied to pure binaries, and from 1.5× to 3× when the tracking is inserted during compilation. Many performance optimization approaches have been introduced to mitigate this problem by relaxing propagation policies under certain conditions, but these typically introduce inaccurate taint tracking that leads to over-tainting or under-tainting.
Despite acknowledgement of these performance / accuracy trade-offs, the DFT literature consistently fails to provide insights about their implications. A core reason, we believe, is the lack of established methodologies to understand accuracy.
In this dissertation, we attempt to address both efficiency and accuracy issues. To this end, we begin with libdft, a DFT framework for COTS binaries running atop commodity OSes and we then introduce two major optimization approaches based on statically and dynamically analyzing program binaries.
The first optimization approach extracts DFT tracking logic and abstracts it using TFA. We then apply classic compiler optimizations to eliminate redundant tracking logic and minimize interference with the target program. As a result, the optimization achieves a 2× speed-up over the baseline performance measured for libdft. The second optimization approach decouples the tracking logic from execution so that the two run in parallel, leveraging modern multi-core hardware. We again apply this approach to libdft, where it runs four times as fast while concurrently consuming fewer CPU cycles.
We then present a generic methodology and tool for measuring the accuracy of arbitrary DFT systems in the context of real applications. With a prototype implementation for the Android framework – TaintMark, we have discovered that TaintDroid’s various performance optimizations lead to serious accuracy issues, and that certain optimizations should be removed to vastly improve accuracy at little performance cost. The TaintMark approach is inspired by blackbox differential testing principles to test for inaccuracies in DFTs, but it also addresses numerous practical challenges that arise when applying those principles to real, complex applications. We introduce the TaintMark methodology by using it to understand taint tracking accuracy trade-offs in TaintDroid, a well-known DFT system for Android.
While the aforementioned works focus on the efficiency and accuracy of DFT systems that track data flow dynamically, we also explore another design choice that tracks information flow statically by analyzing and instrumenting the application source code. We apply this approach to the different problem of integer error detection in order to reduce the number of false alarms.
Test generation for high coverage with abstraction refinement and coarsening (ARC)
Testing is the main approach used in the software industry to expose failures. Producing thorough test suites is an expensive and error-prone task that can greatly benefit from automation. Two challenging problems in test automation are generating test input and evaluating the adequacy of test suites: the first amounts to producing a set of test cases that accurately represent the software behavior, the second requires defining appropriate metrics to evaluate the thoroughness of the testing activities. Structural testing addresses these problems by measuring the amount of code elements that are executed by a test suite. The code elements that are not covered by any execution are natural candidates for generating further test cases, and the measured coverage rate can be used to estimate the thoroughness of the test suite. Several empirical studies show that test suites achieving high coverage rates exhibit a high failure detection ability. However, producing highly covering test suites automatically is hard, as certain code elements are executed only under complex conditions while others might not be reachable at all. In this thesis we propose Abstraction Refinement and Coarsening (ARC), a goal-oriented technique that combines static and dynamic software analysis to automatically generate test suites with high code coverage. At the core of our approach there is an abstract program model that enables the synergistic application of the different analysis components. In ARC we integrate Dynamic Symbolic Execution (DSE) and abstraction refinement to precisely direct test generation towards the coverage goals and detect infeasible elements. ARC includes a novel coarsening algorithm for improved scalability. We implemented ARC-B, a prototype tool that analyses C programs and produces test suites that achieve high branch coverage.
Our experiments show that the approach effectively exploits the synergy between symbolic testing and reachability analysis, outperforming state-of-the-art test generation approaches. We evaluated ARC-B on industry-relevant software and exposed previously unknown failures in a safety-critical software component.
JavaFlow: a Java DataFlow Machine
The JavaFlow, a Java DataFlow Machine, is a machine design concept implementing a Java Virtual Machine aimed at addressing technology roadmap issues along with the ability to effectively utilize and manage very large numbers of processing cores. Specific design challenges addressed include: design complexity, through a common set of repeatable structures; low power, by featuring unused circuits and the ability to power off sections of the chip; clock propagation and wire limits, by using locality to bring data to processing elements and a Globally Asynchronous Locally Synchronous (GALS) design; and reliability, by allowing portions of the design to be bypassed in case of failures. A Data Flow Architecture is used with multiple heterogeneous networks to connect processing elements, each capable of executing a single Java ByteCode instruction. Whole methods are cached in this DataFlow fabric, and the networks plus distributed intelligence are used for their management and execution. A mesh network is used for the DataFlow transfers; two ordered networks are used for management and control flow mapping; and multiple high-speed rings are used to access the storage subsystem and a controlling General Purpose Processor (GPP). Analysis of benchmarks demonstrates the potential of this design concept. The design process was initiated by analyzing SPEC JVM benchmarks, which identified a small number of methods contributing a significant percentage of the overall ByteCode operations. Additional analysis established static instruction mixes to prioritize the types of processing elements used in the DataFlow fabric. The overall objective of the machine is to provide multi-threading performance for Java methods deployed to this DataFlow fabric. With advances in technology it is envisioned that from 1,000 to 10,000 cores/instructions could be deployed and managed using this structure. A DataFlow fabric of this size would allow all the key methods from the SPEC benchmarks to be resident.
A baseline configuration is defined with a compressed dataflow structure and then compared to multiple configurations of instruction assignments and clock relationships. Using a series of methods from the SPEC benchmark running independently, the IPC (Instructions per Cycle) performance of the sparsely populated heterogeneous structure is 40% of the baseline. The average ratio of instructions to required nodes is 3.5. Innovative solutions to the loading and management of Java methods, along with the translation from control flow to DataFlow structure, are demonstrated.
Integration of Fault Localization into your GitHub Repository
With the increasing complexity and scale of software, there is a strong demand for techniques that guide software engineers to locate faults with as little human intervention as possible.
The purpose of this dissertation is to examine the use of Spectrum-based Fault Localization approaches to help discover faults in Java programs, as well as the use of bots in the software development lifecycle. Spectrum-based Fault Localization techniques were chosen from the software fault localization research area because of their low execution costs and popularity. Three tools (GZoltar, FLACOCO, and Jaguar) stood out as the top choices for spectrum-based fault localization in Java according to the research, and even though all produced comparable outcomes, GZoltar was preferred.
A GitHub Action was created that, when integrated with GZoltar, allows analysis of Spectrum-based Fault Localization reports in any Java repository on GitHub. The outcome is a detailed report of potentially faulty lines of code, customizable by the user.
This Action was evaluated on both a sample repository and several open-source projects. While integration with the sample repository was successful, limitations of GZoltar hinder its integration with most open-source projects, highlighting the need for updates and further compatibility testing.