Micro execution

Micro execution is the ability to execute any code fragment without a user-provided test driver or input data. The user simply identifies a function or code location in an exe or dll. A runtime Virtual Machine (VM) customized for testing purposes then starts executing the code at that location, catches all memory operations before they occur, allocates memory on-the-fly in order to perform those read/write memory operations, and provides input values according to a customizable memory policy, which defines which memory reads should be treated as inputs. MicroX is a first prototype VM allowing micro execution of x86 binary code. No test driver, input data, source code, or debug symbols are required: MicroX dynamically discovers the Input/Output interface of the code being run. Input values are provided as needed during execution and can be generated in various ways, e.g., randomly or using some other test-generation tool. To our knowledge, MicroX is the first VM designed for test isolation and generation purposes. This paper introduces micro execution and discusses how to implement it, its strengths and limitations, applications, related work and long-term goals.
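The mechanism described above, as an added sketch that is not MicroX code and not taken from the paper: a toy VM intercepts every read, allocates the location on first touch, and asks a memory policy whether an unwritten read is an input. The three-instruction register machine, the names `MicroVM` and `is_input`, and the zero-fill for non-input reads are assumptions made for illustration.

```python
import random

class MicroVM:
    """Toy micro-execution VM for a made-up register machine (not MicroX, not x86)."""

    def __init__(self, seed=0, is_input=lambda loc: True):
        self.rng = random.Random(seed)  # input generator: random but reproducible
        self.is_input = is_input        # memory policy: which unwritten reads are inputs
        self.state = {}                 # location -> value; empty until first access
        self.inputs, self.outputs, self.uninit = {}, {}, []

    def read(self, loc):
        if loc not in self.state:       # intercepted before the access happens
            if self.is_input(loc):      # allocate on the fly and inject a value
                self.state[loc] = self.inputs[loc] = self.rng.randrange(1 << 16)
            else:                       # toy choice: zero-fill and report the read
                self.state[loc] = 0
                self.uninit.append(loc)
        return self.state[loc]

    def write(self, loc, value):
        self.state[loc] = value & 0xFFFFFFFF
        if loc[0] == "mem":             # memory writes are the observable outputs
            self.outputs[loc] = self.state[loc]

    def run(self, code):
        for op, *a in code:
            if op == "load":            # a = (dst, base, offset)
                addr = self.read(("reg", a[1])) + a[2]
                self.write(("reg", a[0]), self.read(("mem", addr)))
            elif op == "store":         # a = (base, offset, src)
                addr = self.read(("reg", a[0])) + a[1]
                self.write(("mem", addr), self.read(("reg", a[2])))
            elif op == "add":           # a = (dst, lhs, rhs)
                self.write(("reg", a[0]),
                           self.read(("reg", a[1])) + self.read(("reg", a[2])))
            elif op == "ret":
                break
        return self.inputs, self.outputs

# Constructed fragment: p->c = p->a + p->b, with p arriving in r0.
FRAGMENT = [("load", "r1", "r0", 0), ("load", "r2", "r0", 4),
            ("add", "r3", "r1", "r2"), ("store", "r0", 8, "r3"), ("ret",)]

if __name__ == "__main__":
    ins, outs = MicroVM(seed=1).run(FRAGMENT)
    print("discovered inputs :", ins)
    print("discovered outputs:", outs)
```

With the default policy the run reports `r0` and the two fields it points to as inputs and the third field as the output; passing `is_input=lambda loc: loc[0] == "reg"` instead makes the same two loads show up in `uninit` as reads of memory nobody initialized.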
