273 research outputs found
P4Testgen: An Extensible Test Oracle For P4
We present P4Testgen, a test oracle for the P4-16 language that supports
automatic generation of packet tests for any P4-programmable device. Given a P4
program and sufficient time, P4Testgen generates tests that cover every
reachable statement in the input program. Each generated test consists of an
input packet, control-plane configuration, and output packet(s), and can be
executed in software or on hardware. Unlike prior work, P4Testgen is open
source and extensible, making it a general resource for the community.
P4Testgen not only covers the full P4-16 language specification, it also
supports modeling the semantics of an entire packet-processing pipeline,
including target-specific behaviors-i.e., whole-program semantics. Handling
aspects of packet processing that lie outside of the official specification is
critical for supporting real-world targets (e.g., switches, NICs, end host
stacks). In addition, P4Testgen uses taint tracking and concolic execution to
model complex externs (e.g., checksums and hash functions) that have been
omitted by other tools, and ensures the generated tests are correct and
deterministic. We have instantiated P4Testgen to build test oracles for the
V1model, eBPF, and the Tofino (TNA and T2NA) architectures; each of these
extensions only required effort commensurate with the complexity of the target.
We validated the tests generated by P4Testgen by running them across the entire
P4C program test suite as well as the Tofino programs supplied with Intel's P4
Studio. In just a few months using the tool, we discovered and confirmed 25
bugs in the mature, production toolchains for BMv2 and Tofino, and are
conducting ongoing investigations into further faults uncovered by P4Testgen
LLM for SoC Security: A Paradigm Shift
As the ubiquity and complexity of system-on-chip (SoC) designs increase
across electronic devices, the task of incorporating security into an SoC
design flow poses significant challenges. Existing security solutions are
inadequate to provide effective verification of modern SoC designs due to their
limitations in scalability, comprehensiveness, and adaptability. On the other
hand, Large Language Models (LLMs) are celebrated for their remarkable success
in natural language understanding, advanced reasoning, and program synthesis
tasks. Recognizing an opportunity, our research delves into leveraging the
emergent capabilities of Generative Pre-trained Transformers (GPTs) to address
the existing gaps in SoC security, aiming for a more efficient, scalable, and
adaptable methodology. By integrating LLMs into the SoC security verification
paradigm, we open a new frontier of possibilities and challenges to ensure the
security of increasingly complex SoCs. This paper offers an in-depth analysis
of existing works, showcases practical case studies, demonstrates comprehensive
experiments, and provides useful promoting guidelines. We also present the
achievements, prospects, and challenges of employing LLM in different SoC
security verification tasks.Comment: 42 page
Proceedings of the First NASA Formal Methods Symposium
Topics covered include: Model Checking - My 27-Year Quest to Overcome the State Explosion Problem; Applying Formal Methods to NASA Projects: Transition from Research to Practice; TLA+: Whence, Wherefore, and Whither; Formal Methods Applications in Air Transportation; Theorem Proving in Intel Hardware Design; Building a Formal Model of a Human-Interactive System: Insights into the Integration of Formal Methods and Human Factors Engineering; Model Checking for Autonomic Systems Specified with ASSL; A Game-Theoretic Approach to Branching Time Abstract-Check-Refine Process; Software Model Checking Without Source Code; Generalized Abstract Symbolic Summaries; A Comparative Study of Randomized Constraint Solvers for Random-Symbolic Testing; Component-Oriented Behavior Extraction for Autonomic System Design; Automated Verification of Design Patterns with LePUS3; A Module Language for Typing by Contracts; From Goal-Oriented Requirements to Event-B Specifications; Introduction of Virtualization Technology to Multi-Process Model Checking; Comparing Techniques for Certified Static Analysis; Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder; jFuzz: A Concolic Whitebox Fuzzer for Java; Machine-Checkable Timed CSP; Stochastic Formal Correctness of Numerical Algorithms; Deductive Verification of Cryptographic Software; Coloured Petri Net Refinement Specification and Correctness Proof with Coq; Modeling Guidelines for Code Generation in the Railway Signaling Context; Tactical Synthesis Of Efficient Global Search Algorithms; Towards Co-Engineering Communicating Autonomous Cyber-Physical Systems; and Formal Methods for Automated Diagnosis of Autosub 6000
Fuzzing Symbolic Expressions
Recent years have witnessed a wide array of results in software testing,
exploring different approaches and methodologies ranging from fuzzers to
symbolic engines, with a full spectrum of instances in between such as concolic
execution and hybrid fuzzing. A key ingredient of many of these tools is
Satisfiability Modulo Theories (SMT) solvers, which are used to reason over
symbolic expressions collected during the analysis. In this paper, we
investigate whether techniques borrowed from the fuzzing domain can be applied
to check whether symbolic formulas are satisfiable in the context of concolic
and hybrid fuzzing engines, providing a viable alternative to classic SMT
solving techniques. We devise a new approximate solver, FUZZY-SAT, and show
that it is both competitive with and complementary to state-of-the-art solvers
such as Z3 with respect to handling queries generated by hybrid fuzzers
The integration of multi-color taint-analysis with dynamic symbolic execution for Java web application security analysis
The view of IT security in today’s software development processes is changing. While IT
security used to be seen mainly as a risk that had to be managed during the operation
of IT systems, a class of security weaknesses is seen today as measurable quality aspects
of IT system implementations, e.g., the number of paths allowing SQL injection attacks.
Current trends, such as DevSecOps pipelines, therefore establish security testing in the
development process aiming to catch these security weaknesses before they make their
way into production systems. At the same time, the analysis works differently than in
functional testing, as security requirements are mostly universal and not project specific.
Further, they measure the quality of the source code and not the function of the system.
As a consequence, established testing strategies such as unit testing or integration testing
are not applicable for security testing. Instead, a new category of tools is required in
the software development process: IT security weakness analyzers. These tools scan
the source code for security weaknesses independent of the functional aspects of the
implementation. In general, such analyzers give stronger guarantees for the presence
or absence of security weaknesses than functional testing strategies. In this thesis, I
present a combination of dynamic symbolic execution and explicit dynamic multi-color
taint analysis for the security analysis of Java web applications. Explicit dynamic
taint analysis is an established monitoring technique that allows the precise detection of
security weaknesses along a single program execution path, if any are present. Multi-color
taint analysis implies that different properties defining diverse security weaknesses can
be expressed at the same time in different taint colors and are analyzed in parallel during
the execution of a program path. Each taint color analyzes its own security weakness
and taint propagation can be tailored in specific sanitization points for this color. The
downside of dynamic taint analysis is the single exploration of one path. Therefore, this
technique requires a path generator component as counterpart that ensures all relevant
paths are explored. Dynamic symbolic execution is appropriate here, as enumerating all
reachable execution paths in a program is its established strength. The Jaint framework
presented here combines these two techniques in a single tool. More specifically, the
thesis looks into SMT meta-solving, extending dynamic symbolic execution on Java
programs with string operations, and the configuration problem of multi-color taint
analysis in greater detail to enable Jaint for the analysis of Java web applications. The
evaluation demonstrates that the resulting framework is the best research tool on the
OWASP Benchmark. One of the two dynamic symbolic execution engines that I worked
on as part of the thesis has won gold in the Java track of SV-COMP 2022. The other
demonstrates that it is possible to lift the implementation design from a research specific
JVM to an industry grade JVM, paving the way for the future scaling of Jaint
- …