
Symbolic Execution and Fuzz Testing (ISSISP Summer School 2018)



  1. Symbolic Execution and Fuzz Testing. ISSISP Summer School 2018. Prof. Abhik Roychoudhury, National University of Singapore.

  2. Thanks to organizers and ISSISP
      • Steve Blackburn
      • Adrian Herrera
      • Tony Hosking
      • Shane McGrath and all organizers of the event.

  3. Ack. to former students and grant
      • Marcel Boehme, PhD. NUS 2014, Post-doc NUS -> Lecturer Monash
      • Van Thuan Pham, PhD. 2017
      • Sergey Mechtaev, PhD. 2018 -> Lecturer University College London
      • Shin Hwei Tan, PhD. 2018 -> Asst Prof, SUSTech, Shenzhen, China
      • Jooyong Yi, past post-doc -> Asst Prof. Innopolis
      ACKNOWLEDGEMENT: National Cyber Security Research program from NRF Singapore http://www.comp.nus.edu.sg/~tsunami/ and DSO National Labs

  4. Trustworthy System (diagram labels: COTS-integrated Platforms; Flaws; Malicious Behavior; Vulnerability; Outsourced and Shared Data; Data Breach). Binary analysis of paramount need for software acquisition or assembly. http://www.comp.nus.edu.sg/~tsunami

  5. Enhancing local capabilities
      • Education – NUS (New degree program)
      • Vulnerability Discovery
      • Binary Hardening
      • Industry Collaboration and Agency Collaboration – ST, Symantec, DSTA, …, NEC, …
      • Data Protection
      • Verification
      • Research Outputs – Publications, Tools, Academic Collaboration, Exchanges, Seminars, Workshops

  6. Short Videos
      • https://youtu.be/C1hl_ujw6B0 (1 Minute)
      • https://youtu.be/EHBjMSQvIpg (1 Minute)
      Plan
      • History of Symbolic execution – Symbolic Execution and Program Testing
      • Use in fuzz testing
      • Lead up to specification inference
      • How the ideas of symbolic execution can be transported to automated program repair

  7. In this(?) talk …
      Search
      • Enhance the effectiveness of search techniques, with symbolic execution as inspiration
      • Systematic Fuzz Testing
      Symbolic Execution
      • Explore capabilities of symbolic execution beyond search
      • Automated Program Repair

  8. “Program testing and program proving can be considered as extreme alternatives. …. This paper describes a practical approach between these two extremes … Each symbolic execution result may be equivalent to a large number of normal tests”

  9. Testing: BLACK-BOX (Requirements)

  10. Testing: WHITE-BOX (Requirements)

  11. Proving via SW Model Checking

  12. Proving: SW Model Checking

  13. Blurring the lines: Symbolic Exec.
      Call: SEARCH(A, 1, 5, X, found, j)

          SEARCH(A, L, U, X, found, j){
            int j, found = 0;
            while (L <= U && found == 0){
              j = (L+U)/2;
              if (X == A[j]){ found = 1;}
              else if (X < A[j]){ U = j - 1; }
              else{ L = j + 1; }
            }
            if (found == 0){ j = L - 1;}
            ….
          }

      Results per path:
      • X == A[3]: found == 1, j == 3
      • X == A[1] && X < A[3]: found == 1, j == 1
      • X < A[1] && X < A[3]: found == 0, j == 0
      • X == A[2] && X > A[1] && X < A[3]: found == 1, j == 2
      Testing? Comprehension?? Verification???

  14. Blurring the lines: Symbolic Exec.

          SEARCH(A, L, U, X, found, j){
            int j, found = 0;
            while (L <= U && found == 0){
              j = (L+U)/2;
              if (X == A[j]){ found = 1;}
              else if (X < A[j]){ U = j - 1; }
              else{ L = j + 1; }
            }
            if (found == 0){ j = L - 1;}
          }

      Calls:
      • SEARCH(A, 1, 5, 20, found, j)
      • SEARCH(A, 1, 5, X, found, j)
      • SEARCH(A, N, N+4, X, found, j)
      • SEARCH(A, 1, M, X, found, j)
      Testing? Comprehension?? Verification???

  15. Primer on SE. Abhik Roychoudhury, National University of Singapore.

  16. Concrete execution
      • Program P: concrete input in == 1; out = in + 1; concrete output out == 2
      • Program Q: concrete input in == 1; out = in * 2; concrete output out == 2
      No observable difference!

  17. Execution with symbolic inputs
      • Program P: symbolic input in == q; out = in + 1; symbolic output out == q + 1
      • Program Q: symbolic input in == q; out = in * 2; symbolic output out == 2 * q
      To expose difference, try to find q such that q + 1 ≠ 2 * q

  18. Path exploration based symbolic execution
      Symbolic input: in == q

          input in;
          if (in >= 0) a = in;
          else a = -1;
          return a;

      Branch on in >= 0 (keep both): Yes: a = in; No: a = -1; then return a.
      • q < 0 ⇒ out == -1
      • q ≥ 0 ⇒ out == q

  19. On-the-fly path exploration
      Instead of analyzing the whole program, shift from one program path to another.
      Concrete inputs: in == 0, in == 5

          input in;
          z = 0; x = 0;
          if (in > 0){
            z = in * 2;
            x = in + 2;
            x = x + 2;
          }
          else …
          if (z > x){
            return error;
          }

      Sample exploration: Continue the search for failing inputs. Try those which do not go through the “same” path.
      How to perform symbolic execution along a single path?
      Outcome marks on the slide: ✗ ✓

  20. Exploring one path
      Concrete input: in == 0

          input in;
          in >= 0?   No: a = -1;   Yes: a = in;
          return a;

      Useful to find: “the set of all inputs which trace a given path”
      Path condition: in ≥ 0

  21. Path condition computation
      Concrete input: in == 5

          1 input in;
          2 z = 0; x = 0;
          3 if (in > 0){
          4   z = in * 2;
          5   x = in + 2;
          6   x = x + 2;
          7 }
          8 else …
          9 if (z > x){
              return error; }

          Line#   Assignment store           Path condition
          1       {}                         true
          2       {(z,0),(x,0)}              true
          3       {(z,0),(x,0)}              in > 0
          4       {(z,2*in),(x,0)}           in > 0
          5       {(z,2*in),(x,in+2)}        in > 0
          6       {(z,2*in),(x,in+4)}        in > 0
          7       {(z,2*in),(x,in+4)}        in > 0
          9       {(z,2*in),(x,in+4)}        in > 0 ∧ (2*in > in+4)

  22. Directed testing
      • Start with a random input I.
      • Execute program P with I
        – Suppose I executes path p in program P.
        – While executing p, collect a symbolic formula f which captures the set of all inputs which execute path p in program P.
        – f is the path condition of path p traced by input I.
      • Minimally change f, to produce a formula f1
        – Solve f1 to get a new input I1 which executes a path p1 different from path p.

  23. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State at the call test_me(t1,t2) in main:
      • concrete state: t1=0, t2=457
      • symbolic state: t1=m, t2=n

  24. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State on entry to test_me:
      • concrete state: Climb=0, Up=457
      • symbolic state: Climb=m, Up=n

  25. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State shown beside the first if/else:
      • concrete state: Climb=0, Up=457, sep=457
      • symbolic state: Climb=m, Up=n, sep=n
      • constraints: m ≤ 0

  26. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State after else {sep = add100(Up);}:
      • concrete state: Climb=0, Up=457, sep=557
      • symbolic state: Climb=m, Up=n, sep=n+100
      • constraints: m ≤ 0 && n > 50

  27. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State after the second if/else:
      • concrete state: Climb=0, Up=457, sep=557
      • symbolic state: Climb=m, Up=n, sep=n+100, upward=1
      • constraints: m ≤ 0 && n > 50
      Solve m ≤ 0 && n ≤ 50: m == 0, n == 50
      Ack: Koushik Sen (Berkeley)

  28. Concrete Execution | Symbolic Execution

          main(){
            int t1 = randomInt();
            int t2 = randomInt();
            test_me(t1,t2);
          }
          int add100(int x){ return x + 100;}
          int test_me(int Climb, int Up){
            int sep, upward;
            if (Climb > 0){
              sep = Up;}
            else {sep = add100(Up);}
            if (sep > 150){
              upward = 1; }
            else {upward = 0;}
            if (upward < 0){
              abort(); }
            else return upward;
          }

      State at the call test_me(t1,t2) in main:
      • concrete state: t1=0, t2=50
      • symbolic state: t1=m, t2=n
