Benchmarking Symbolic Execution Using Constraint Problems -- Initial Results

Symbolic execution is a powerful technique for bug finding and program testing. It is successful in finding bugs in real-world code. The core reasoning techniques use constraint solving, path exploration, and search, which are also the same techniques used in solving combinatorial problems, e.g., finite-domain constraint satisfaction problems (CSPs). We propose CSP instances as more challenging benchmarks to evaluate the effectiveness of the core techniques in symbolic execution. We transform CSP benchmarks into C programs suitable for testing the reasoning capabilities of symbolic execution tools. From a single CSP P, we transform P depending on transformation choice into different C programs. Preliminary testing with the KLEE, Tracer-X, and LLBMC tools show substantial runtime differences from transformation and solver choice. Our C benchmarks are effective in showing the limitations of existing symbolic execution tools. The motivation for this work is we believe that benchmarks of this form can spur the development and engineering of improved core reasoning in symbolic execution engines

Eunomia: Enabling User-specified Fine-Grained Search in Symbolically Executing WebAssembly Binaries

Although existing techniques have proposed automated approaches to alleviate the path explosion problem of symbolic execution, users still need to optimize symbolic execution by applying various searching strategies carefully. As existing approaches mainly support only coarse-grained global searching strategies, they cannot efficiently traverse through complex code structures. In this paper, we propose Eunomia, a symbolic execution technique that allows users to specify local domain knowledge to enable fine-grained search. In Eunomia, we design an expressive DSL, Aes, that lets users precisely pinpoint local searching strategies to different parts of the target program. To further optimize local searching strategies, we design an interval-based algorithm that automatically isolates the context of variables for different local searching strategies, avoiding conflicts between local searching strategies for the same variable. We implement Eunomia as a symbolic execution platform targeting WebAssembly, which enables us to analyze applications written in various languages (like C and Go) but can be compiled into WebAssembly. To the best of our knowledge, Eunomia is the first symbolic execution engine that supports the full features of the WebAssembly runtime. We evaluate Eunomia with a dedicated microbenchmark suite for symbolic execution and six real-world applications. Our evaluation shows that Eunomia accelerates bug detection in real-world applications by up to three orders of magnitude. According to the results of a comprehensive user study, users can significantly improve the efficiency and effectiveness of symbolic execution by writing a simple and intuitive Aes script. Besides verifying six known real-world bugs, Eunomia also detected two new zero-day bugs in a popular open-source project, Collections-C.Comment: Accepted by ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA) 202

Autoscopy: Detecting Pattern-Searching Rootkits via Control Flow Tracing

Traditional approaches to rootkit detection assume the execution of code at a privilege level below that of the operating system kernel, with the use of virtual machine technologies to enable the detection system itself to be immune from the virus or rootkit code. In this thesis, we approach the problem of rootkit detection from the standpoint of tracing and instrumentation techniques, which work from within the kernel and also modify the kernel\u27s run-time state to detect aberrant control flows. We wish to investigate the role of emerging tracing frameworks (Kprobes, DTrace etc.) in enforcing operating system security without the reliance on a full-blown virtual machine just for the purposes of such policing. We first build a novel rootkit prototype that uses pattern-searching techniques to hijack hooks embedded in dynamically allocated memory, which we present as a showcase of emerging attack techniques. We then build an intrusion detection system-- autoscopy, atop kprobes, that detects anomalous control flow patterns typically exhibited by rootkits within a running kernel. Furthermore, to validate our approach, we show that we were able to successfully detect 15 existing Linux rootkits. We also conduct performance analyses, which show the overhead of our system to range from 2% to 5% on a wide range of standard benchmarks. Thus by leveraging tracing frameworks within operating systems, we show that it is possible to introduce real-world security in devices where performance and resource constraints are tantamount to security considerations

Defense Technical Information Center thesaurus

This DTIC Thesaurus provides a basic multidisciplinary subject term vocabulary used by DTIC to index and retrieve scientific and technical information from its various data bases and to aid DTIC`s users in their information storage and retrieval operations. It includes an alphabetical posting term display, a hierarchy display, and a Keywork Out of Context (KWOC) display

Designing and Operating Safe and Secure Transit Systems: Assessing Current Practices in the United States and Abroad, MTI Report 04-05

Public transit systems around the world have for decades served as a principal venue for terrorist acts. Today, transit security is widely viewed as an important public policy issue and is a high priority at most large transit systems and at smaller systems operating in large metropolitan areas. Research on transit security in the United States has mushroomed since 9/11; this study is part of that new wave of research. This study contributes to our understanding of transit security by (1) reviewing and synthesizing nearly all previously published research on transit terrorism; (2) conducting detailed case studies of transit systems in London, Madrid, New York, Paris, Tokyo, and Washington, D.C.; (3) interviewing federal officials here in the United States responsible for overseeing transit security and transit industry representatives both here and abroad to learn about efforts to coordinate and finance transit security planning; and (4) surveying 113 of the largest transit operators in the United States. Our major findings include: (1) the threat of transit terrorism is probably not universal—most major attacks in the developed world have been on the largest systems in the largest cities; (2) this asymmetry of risk does not square with fiscal politics that seek to spread security funding among many jurisdictions; (3) transit managers are struggling to balance the costs and (uncertain) benefits of increased security against the costs and (certain) benefits of attracting passengers; (4) coordination and cooperation between security and transit agencies is improving, but far from complete; (5) enlisting passengers in surveillance has benefits, but fearful passengers may stop using public transit; (6) the role of crime prevention through environmental design in security planning is waxing; and (7) given the uncertain effectiveness of antitransit terrorism efforts, the most tangible benefits of increased attention to and spending on transit security may be a reduction in transit-related person and property crimes

Learning Static Knowledge for AI Planning Domain Models via Plan Traces

Learning is fundamental to autonomous behaviour and from the point of view of Machine Learning, it is the ability of computers to learn without being programmed explicitly. Attaining such capability for learning domain models for Automated Planning (AP) engines is what triggered research into developing automated domain-learning systems. These systems can learn from training data. Until recent research it was believed that working in dynamically changing and unpredictable environments, it was not possible to construct action models a priori. After the research in the last decade, many systems have proved effective in engineering domain models by learning from plan traces. However, these systems require additional planner oriented information such as a partial domain model, initial, goal and/or intermediate states. Hence, a question arises - whether or not we can learn a dynamic domain model, which covers all domain behaviours from real-time action sequence traces only. The research in this thesis extends an area of the most promising line of work that is connected to work presented in an REF Journal paper. This research aims to enhance the LOCM system and to extend the method of Learning Domain Models for AI Planning Engines via Plan Traces. This method was first published in ICAPS 2009 by Cresswell, McCluskey, and West (Cresswell, 2009). LOCM is unique in that it requires no prior knowledge of the target domain; however, it can produce a dynamic part of a domain model from training. Its main drawback is that it does not produce static knowledge of the domain, and its model lacks certain expressive features. A key aspect of research presented in this thesis is to enhance the technique with the capacity to generate static knowledge. A test and focus for this PhD is to make LOCM able to learn static relationships in a fully automatic way in addition to the dynamic relationships, which LOCM can already learn, using plan traces as input. We present a novel system - The ASCoL (Automatic Static Constraints Learner) which provides a graphical interface for visual representation and exploits directed graph discovery and analysis technique. It has been designed to discover domain-specific static relations/constraints automatically in order to enhance planning domain models. The ASCoL method has wider applications. Combined with LOCM, ASCoL can be a useful tool to produce benchmark domains for automated planning engines. It is also useful as a debugging tool for improving existing domain models. We have evaluated ASCoL on fifteen different IPC domains and on different types of goal-oriented and random-walk plans as input training data and it has been shown to be effective