Symbolic Execution of Network Software Based on Unit Testing

Complex interactions and the distributed nature of network software make automated testing and debugging before deployment a necessity. Symbolic execution is a systematic program analysis technique that has become increasingly popular in network software testing, thanks to algorithmic advances and the availability of computational power and constraint-solving technology. However, a main challenge remains: determining symbolic values for program variables that depend on library calls, loops, and cryptographic algorithms, all of which are widely used in network software. In this paper, we propose unit symbolic analysis, a hybrid technique that enables fully automatic symbolic analysis even for such traditionally challenging code. The novelties of this work are threefold: 1) we flexibly employ static symbolic execution to amplify the effect of dynamic symbolic execution on demand; 2) dynamic executions and regression analysis are performed on unit tests constructed from code segments to infer the program semantics needed by static analysis; and 3) symbolic analysis is applied to loop structures and cryptographic algorithm modules. We developed the Net Sym framework, consisting of a static component that performs symbolic analysis and partitions a program, a dynamic analysis that synthesizes unit tests and automatically infers symbolic values for program variables, and a protocol that allows the static and dynamic analyses to run interactively and concurrently. Our experimental results show that, by handling cryptographic algorithms, loops, and library calls that a traditional symbolic analysis cannot process, unit symbolic analysis detects more vulnerabilities in less time. The technique scales to real-world programs such as GHttpd, SQL Server and GDI.
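The second novelty above, inferring the semantics of a code segment from unit-test runs plus regression and then handing that summary to the symbolic side, is easiest to see on a small loop. The following is an added illustration written for this page, not code from the paper or from the Net Sym framework: `loop_segment` is a constructed stand-in for a loop that a purely static symbolic executor would have to unroll, `infer_summary` runs it on sampled inputs and fits a linear model by ordinary least squares (the regression step), validates the fit on a held-out input, and `solve_overflow` then uses the inferred `a*n + b` summary symbolically to find the smallest iteration count at which the computed offset exceeds a buffer size. The buffer size, the sampled input range and the tolerance are all assumptions of this example.

```python
"""Added example: regression-based inference of a loop's semantics for symbolic use.
Not the paper's implementation; all names and constants here are constructed."""
from typing import Callable, Iterable, List, Optional, Tuple


def loop_segment(n: int) -> int:
    """Constructed stand-in for an opaque code segment: a record offset that is
    only computed by iterating, so its value is not directly a symbolic expression."""
    offset = 16          # fixed header size (constructed value)
    for _ in range(n):
        offset += 12     # one 12-byte record per iteration (constructed value)
    return offset


def fit_linear(samples: List[Tuple[int, int]]) -> Tuple[float, float]:
    """Ordinary least squares for y = a*x + b, closed form, no external library."""
    m = len(samples)
    sx = sum(x for x, _ in samples)
    sy = sum(y for _, y in samples)
    sxx = sum(x * x for x, _ in samples)
    sxy = sum(x * y for x, y in samples)
    denom = m * sxx - sx * sx
    if denom == 0:
        raise ValueError("need at least two distinct inputs to fit a line")
    a = (m * sxy - sx * sy) / denom
    b = (sy - a * sx) / m
    return a, b


def infer_summary(segment: Callable[[int], int], inputs: Iterable[int],
                  holdout: int, tol: float = 1e-9) -> Optional[Tuple[float, float]]:
    """Dynamic step: run the segment as a unit test on sampled inputs, fit a linear
    summary, and accept it only if it also predicts a held-out input. Returns
    (a, b) or None when the segment is not linear in its input."""
    samples = [(x, segment(x)) for x in inputs]
    a, b = fit_linear(samples)
    max_resid = max(abs(y - (a * x + b)) for x, y in samples)
    if max_resid > tol:
        return None                       # regression does not explain the data
    if abs(segment(holdout) - (a * holdout + b)) > tol:
        return None                       # fit does not generalise beyond samples
    return a, b


def solve_overflow(a: float, b: float, buf_size: int) -> Optional[int]:
    """Static step: treat a*n + b as the symbolic value of the offset and solve
    for the smallest n >= 0 with a*n + b > buf_size, instead of unrolling the loop."""
    if a <= 0:
        return None                       # offset never grows; no overflow via n
    n = int((buf_size - b) // a) + 1
    return max(n, 0)


def analyse(buf_size: int = 256) -> Optional[int]:
    """End-to-end: infer the summary dynamically, then use it symbolically."""
    summary = infer_summary(loop_segment, range(0, 20), holdout=100)
    if summary is None:
        return None
    a, b = summary
    return solve_overflow(a, b, buf_size)


if __name__ == "__main__":
    n = analyse()
    print("first iteration count exceeding a 256-byte buffer:", n,
          "offset =", loop_segment(n))
```

The held-out check matters in practice: a regression that fits the sampled runs but not a fresh input is a wrong summary, and feeding it to the solver would produce inputs that do not actually reach the suspected state. A segment for which `infer_summary` returns `None` is one the hybrid approach should not summarise linearly.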
