Goal-oriented dynamic test generation

Context. Memory safety errors such as buffer overflow vulnerabilities are one of the most serious classes of security threats. Detecting and removing such security errors is an important task of software testing for improving the quality and reliability of software in practice.

Objective. This paper presents a goal-oriented testing approach for effectively and efficiently exploring security vulnerability errors. A goal is a potential safety violation, and the testing approach automatically generates test inputs that uncover the violation.

Method. We use type inference analysis to diagnose potential safety violations and dynamic symbolic execution to perform test input generation. A major challenge facing dynamic symbolic execution in such applications is the combinatorial explosion of the path space. To address this fundamental scalability issue, we employ data dependence analysis to identify a root cause leading to the execution of the goal and propose a path exploration algorithm that guides dynamic symbolic execution toward the goal.

Results. To evaluate the effectiveness of our proposed approach, we conducted experiments against 23 buffer overflow vulnerabilities. We observed a significant improvement of our proposed algorithm over two widely adopted search algorithms. Specifically, our algorithm discovered security vulnerability errors within a few seconds, whereas the two baseline algorithms failed even after 30 min of testing on a number of test subjects.

Conclusion. The experimental results highlight the potential of utilizing data dependence analysis to address the combinatorial path space explosion faced by dynamic symbolic execution for effective security testing.
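The idea in the Method paragraph, that only branches on which the goal's operands data-depend are worth flipping, can be shown on a toy scale. The following Python is an added illustration and not the paper's algorithm or tool: it assumes a constructed straight-line program with conditional assignments, a goal that is an out-of-bounds index into a four-element buffer, a brute-force search over a small input domain standing in for the SMT solver, and a depth-first generational search that flips branches on the last executed path. The "guided" variant flips only branches whose assigned variable lies in the backward data-dependence slice of the goal operand; the baseline flips every branch. Both strategies are counted in concrete test executions until the violation is reached.

```python
"""Toy data-dependence-guided path exploration toward a potential unsafe index (added example)."""
from itertools import product

BUF_SIZE = 4
DOMAIN = range(8)  # tiny input domain so brute force can stand in for an SMT solver

# Constructed toy program over inputs x and y. Statement forms:
#   ("set", var, fn, deps)                               var = fn(env)
#   ("if", bid, cond, deps, var, f_then, f_else)         var = f_then(env) if cond(env) else f_else(env)
#   ("goal", unsafe, deps)                               potential violation: buf[idx] with idx out of range
# Branch "r" is the only one that influences idx; i1..i3 only shuffle values derived from y.
PROGRAM = [
    ("set", "idx", lambda e: e["x"] + 1, {"x"}),
    ("if", "r",  lambda e: e["x"] > 2, {"x", "idx"}, "idx", lambda e: e["idx"] + 2, lambda e: e["idx"]),
    ("if", "i1", lambda e: e["y"] > 1, {"y"}, "u", lambda e: e["y"], lambda e: 0),
    ("if", "i2", lambda e: e["y"] > 3, {"y"}, "v", lambda e: e["y"], lambda e: 0),
    ("if", "i3", lambda e: e["y"] > 5, {"y"}, "w", lambda e: e["y"], lambda e: 0),
    ("goal", lambda e: e["idx"] >= BUF_SIZE, {"idx"}),
]


def relevant_branches(program):
    """Backward data-dependence closure from the goal's operands.

    Returns (set of branch ids whose assigned variable feeds the goal, slice variables).
    """
    goal = next(s for s in program if s[0] == "goal")
    slice_vars = set(goal[2])
    relevant = set()
    changed = True
    while changed:
        changed = False
        for s in program:
            if s[0] == "set" and s[1] in slice_vars and not s[3] <= slice_vars:
                slice_vars |= s[3]
                changed = True
            elif s[0] == "if" and s[4] in slice_vars:
                if s[1] not in relevant:
                    relevant.add(s[1])
                    changed = True
                if not s[3] <= slice_vars:
                    slice_vars |= s[3]
                    changed = True
    return relevant, slice_vars


def execute(x, y):
    """Concrete run: returns (list of (branch id, outcome), whether the goal's unsafe condition held)."""
    env = {"x": x, "y": y}
    path, unsafe = [], False
    for s in PROGRAM:
        if s[0] == "set":
            env[s[1]] = s[2](env)
        elif s[0] == "if":
            taken = bool(s[2](env))
            path.append((s[1], taken))
            env[s[4]] = (s[5] if taken else s[6])(env)
        else:
            unsafe = bool(s[1](env))
    return path, unsafe


def solve_flip(path, i):
    """Find an input that follows path[:i] and negates branch i (brute force stands in for SMT)."""
    want = path[:i] + [(path[i][0], not path[i][1])]
    for x, y in product(DOMAIN, DOMAIN):
        p, _ = execute(x, y)
        if p[: i + 1] == want:
            return (x, y)
    return None


def explore(seed, should_flip, max_runs=100):
    """Depth-first generational search; returns (runs until the violation, witness input) or (None, None)."""
    stack, seen, runs = [seed], {seed}, 0
    while stack and runs < max_runs:
        inp = stack.pop()
        path, unsafe = execute(*inp)
        runs += 1
        if unsafe:
            return runs, inp
        for i, (bid, _) in enumerate(path):
            if not should_flip(bid):
                continue
            new = solve_flip(path, i)
            if new is not None and new not in seen:
                seen.add(new)
                stack.append(new)
    return None, None


if __name__ == "__main__":
    relevant, _ = relevant_branches(PROGRAM)
    print("baseline:", explore((0, 0), lambda b: True))
    print("guided:  ", explore((0, 0), lambda b: b in relevant))
```

On this program the baseline spends its first flips on the y-dependent branches and reaches the overflow on its fifth run, while the guided search flips only `r` and reaches it on its second; adding more y-dependent branches grows the baseline cost and leaves the guided cost unchanged, which is the effect the paper's 23-subject evaluation reports at real scale.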
