enhancing symbolic execution for coverage oriented testing
play

Enhancing Symbolic Execution for Coverage-Oriented Testing S - PowerPoint PPT Presentation

Apr 08, 2023 •671 likes •1.43k views

Enhancing Symbolic Execution for Coverage-Oriented Testing S ebastien Bardin, Nikolai Kosmatov, Micka el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40 Context : white-box software testing

  1. Enhancing Symbolic Execution for Coverage-Oriented Testing S´ ebastien Bardin, Nikolai Kosmatov, Micka¨ el Delahaye CEA LIST, Software Safety Lab (Paris-Saclay, France) Bardin et al. CFV 2015 1/ 40

  2. Context : white-box software testing Testing process Generate a test input Run it and check for errors Estimate coverage : if enough stop, else loop Coverage criteria [decision, mcdc, mutants, etc.] play a major role definition = systematic way of deriving test requirements generate tests, decide when to stop, assess quality of testing beware : infeasible test requirements [waste generation effort, imprecise coverage ratios] beware : lots of different coverage criteria Bardin et al. CFV 2015 2/ 40

  3. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Bardin et al. CFV 2015 3/ 40

  4. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Symbolic Execution [King 70’s] consider a program P on input v , and a given path σ a path predicate ϕ σ for σ is a formula s.t. v | = ϕ σ ⇒ P(v) follows σ can be used for bounded-path testing ! old idea, recent renew interest [requires powerful solvers] Bardin et al. CFV 2015 3/ 40

  5. Context : Dynamic Symbolic Execution Dynamic Symbolic Execution [dart, cute, exe, sage, pex, klee, . . . ] � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Symbolic Execution [King 70’s] consider a program P on input v , and a given path σ a path predicate ϕ σ for σ is a formula s.t. v | = ϕ σ ⇒ P(v) follows σ can be used for bounded-path testing ! old idea, recent renew interest [requires powerful solvers] Dynamic Symbolic Execution [Korel+, Williams+, Godefroid+] interleave dynamic and symbolic executions drive the search towards feasible paths for free give hints for relevant under-approximations [robustness] Bardin et al. CFV 2015 3/ 40

  6. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  7. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  8. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  9. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  10. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  11. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  12. Context : Dynamic Symbolic Execution (2) input : a program P output : a test suite TS covering all feasible paths of Paths ≤ k ( P ) pick a path σ ∈ Paths ≤ k ( P ) compute a path predicate ϕ σ of σ [wpre, spost] solve ϕ σ for satisfiability [smt solver] SAT(s) ? get a new pair < s, σ > loop until no more path to cover Bardin et al. CFV 2015 4/ 40

  13. The problem DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Bardin et al. CFV 2015 5/ 40

  14. The problem DSE is GREAT for automating structural testing � very powerful approach to (white box) test generation � many tools and many successful case-studies since mid 2000’s Yet, no real support for structural coverage criteria [except path coverage and branch coverage] Would be useful : when required to produce tests achieving some criterion for producing “good” tests for an external oracle [functional correctness, security, performance, etc.] Recent efforts [Active Testing, Augmented DSE, Mutation DSE] limited or unclear expressiveness explosion of the search space [ APex : 272x avg, up to 2,000x] Bardin et al. CFV 2015 5/ 40

  15. Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Bardin et al. CFV 2015 6/ 40

  16. Our goals and results Goals : extend DSE to a large set of structural coverage criteria support these criteria in a unified way support these criteria in an efficient way detect (some) infeasible test requirements Results � generic low-level encoding of coverage criteria [ICST 14] � efficient variant of DSE for coverage criteria [ICST 14] � sound and quasi-complete detection of infeasibility [ICST 15] Bardin et al. CFV 2015 6/ 40

  17. Outline Introduction Labels Efficient DSE for Labels Infeasible label detection The GACC criterion Conclusion Bardin et al. CFV 2015 7/ 40

  18. Focus : Labels Annotate programs with labels ◮ predicate attached to a specific program instruction Label ( loc , ϕ ) is covered if a test execution ◮ reaches the instruction at loc ◮ satisfies the predicate ϕ Good for us ◮ can easily encode a large class of coverage criteria [see after] ◮ in the scope of standard program analysis techniques Bardin et al. CFV 2015 8/ 40

  19. Simulation of standard coverage criteria statement_1 ; statement_1 ; // l1: x==y && a<b if (x==y && a<b) // l2: !(x==y && a<b) − − − − − → {...}; if (x==y && a<b) statement_3 ; {...}; statement_3 ; Decision Coverage ( DC ) Bardin et al. CFV 2015 9/ 40

  20. Simulation of standard coverage criteria statement_1 ; // l1: x==y statement_1 ; // l2: !(x==y) if (x==y && a<b) // l3: a<b − − − − − → {...}; // l4: !(a<b) statement_3 ; if (x==y && a<b) {...}; statement_3 ; Condition Coverage ( CC ) Bardin et al. CFV 2015 9/ 40

  21. Simulation of standard coverage criteria statement_1 ; // l1: x==y && a<b statement_1 ; // l2: x==y && a>=b if (x==y && a<b) // l3: x!=y && a<b − − − − − → {...}; // l4: x!=y && a>=b statement_3 ; if (x==y && a<b) {...}; statement_3 ; Multiple-Condition Coverage ( MCC ) Bardin et al. CFV 2015 9/ 40

  22. Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC , GACC large part of Weak Mutations Input Domain Partition Run-Time Error Bardin et al. CFV 2015 9/ 40

  23. Simulation of standard coverage criteria OBJ : generic specification mechanism for coverage criteria � IC , DC , FC , CC , MCC , GACC large part of Weak Mutations Input Domain Partition Run-Time Error Out of scope : . strong mutations, MCDC . (side-effect weak mutations) Bardin et al. CFV 2015 9/ 40

  24. Focus : Simulation of Weak Mutations mutant M = syntactic modification of program P weakly covering M = finding t such that P( t ) � = M( t ) just after the mutation Bardin et al. CFV 2015 10/ 40

  25. From weak mutants to labels (1) Bardin et al. CFV 2015 11/ 40

  26. From weak mutants to labels (2) One label per mutant Mutation inside a statement �→ lhs := e lhs := e’ ◮ add label : e � = e ′ �→ lhs := e lhs’ := e ◮ add label : & lhs � = & lhs ′ ∧ ( lhs � = e ∨ lhs ′ � = e ) Mutation inside a decision �→ if (cond) if (cond’) ◮ add label : cond ⊕ cond ′ Beware : no side-effect inside labels Bardin et al. CFV 2015 12/ 40

Recommend

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of

Efficient Symbolic Execution for Software Testing Johannes Kinder Royal Holloway, University of London Joint work with: Stefan Bucur, George Candea, Volodymyr Kuznetsov @ EPFL Symbolic Execution Automatically explore program paths

2.34k views • 200 slides
Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing

Automatic Testing of Symbolic Execution Engines via Program Generation and Differential Testing Timotej Kapus, Cristian Cadar Department of Computing Imperial College London if (x &gt; 2294967295) { assert(false); } printf(&quot;x:

1.08k views • 45 slides
Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all

A tool for the Symbolic Execution of Linux binaries About Symbolic Execution Dynamically explore all program branches. Inputs are considered symbolic variables. Symbols remain uninstantiated and become constrained at execution

451 views • 24 slides
Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg

Concolic Testing Dynamic Symbolic Execution Marco Probst Albert-Ludwigs-Universitt Freiburg January 25th, 2016 Marco Probst Concolic Testing 1 / 22 Overview Code Example 1 Unit Testing 2 Random Testing Symbolic Execution Concolic

919 views • 89 slides
Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department

Generating High Coverage Tests for SystemC Designs Using Symbolic Execution Bin Lin Department of Computer Science Portland State University 1 Agenda Introduction Related work and Background Our Approach Evaluation

717 views • 32 slides
Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is

Symbolic execution as search, and the rise of solvers Search and SMT Symbolic execution is appealingly simple and useful , but computationally expensive ! We will see how the effective use of symbolic execution boils down to a kind of

494 views • 24 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan

Enhancing Reuse of Constraint Solutions to Improve Symbolic Execution Xiangyang Jia (Wuhan University) Carlo Ghezzi (Politecnico di Milano) Shi Ying (Wuhan University) Outline Motivation Logical Basis of our Approach GreenTrie

589 views • 36 slides
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1 Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin 2 1 University of Washington 2 University of Illinois at Urbana-Champaign 3

709 views • 31 slides
Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath ,

Interoperability-Guided Testing of QUIC Implementations using Symbolic Execution Felix Rath , Daniel Schemmel, Klaus Wehrle https://comsys.rwth-aachen.de EPIQ Workshop, Heraklion, Greece, 2018-12-04 QUANT ? Mozquic ? mvfst ? picoquic ?

1.45k views • 97 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution?

CSE 403: Software Engineering, Winter 2016 courses.cs.washington.edu/courses/cse403/16wi/ Symbolic Execution Emina Torlak emina@cs.washington.edu Outline What is symbolic execution? How does it work? State-of-the-art tools 2

637 views • 34 slides
Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad

Cloud9 Parallel Symbolic Execution for Automated Real-World Software Testing Stefan Bucur, Vlad Ureche, Cristian Zamfir, George Candea School of Computer and Communication Sciences Automated Software Testing Automated Industrial Techniques

1.25k views • 59 slides
Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem

Demo Symbolic Execution Probabilistic Symbolic Execution (Materials kindly provided by Willem Visser) Docker Image Install Docker Download: https://docs.docker.com/engine/installation/ Check: docker --version

446 views • 10 slides
Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska

Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska

Coverage-Oriented Verification Coverage-Oriented Verification of Banias of Banias Alon Gluska Intel Corporation Haifa, Israel Agenda Agenda Introduction Coverage-Driven vs. Coverage-Oriented verification Functional coverage in

397 views • 18 slides
Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav

Learning to Fuzz from Symbolic Execution with Application to Smart Contracts Jingxuan Mislav Nodar Petar Martin He Balunovic Ambroladze Tsankov Vechev Random Fuzzing vs. Symbolic Execution Random Fuzzing Symbolic Execution Fast Slow

633 views • 29 slides
Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College

Constraint Solving in Symbolic Execution Cristian Cadar Department of Computing Imperial College London Invited talk at SMT 2015 18 July, San Francisco, CA, USA Dynamic Symbolic Execution Dynamic symbolic execution is a technique for

660 views • 53 slides
Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths

Symbolic Execution Builds predicates that characterize Conditions for executing paths Symbolic Execution and Proof of Effects of the execution on program state Properties Bridges program behavior to logic Finds important

309 views • 6 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar

An Introduction to Dynamic Symbolic Execution and the KLEE Infrastructure Cristian Cadar Department of Computing Imperial College London 14 th TAROT Summer School UCL, London, 3 July 2018 Dynamic Symbolic Execution Dynamic symbolic

856 views • 56 slides
Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank

Pending Constraints in Symbolic Execution for Better Exploration and Seeding Timotej Kapus Frank Busse Cristian Cadar Imperial College London 1 Symbolic Execution Program analysis technique Active research area Used in

1.04k views • 70 slides
Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National

Symbolic Execution and Fuzz Testing ISSISP Summer School 2018 Prof. Abhik Roychoudhury National University of Singapore 1 Thanks to organizers and ISSISP Steve Blackburn Adrian Herrera ISSISP Summer School 2018 Tony Hosking

1.17k views • 99 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson,

Symbolic Evaluation/Execution Todays Reading Material L. A. Clarke and D. J. Richardson, &quot;Applications of Symbolic Evaluation,&quot; Journal of Systems and Software, 5 (1), January 1985, pp.15-35. Symbolic Evaluation/Execution

1.07k views • 60 slides

More recommend