exe: automatically generating inputs of death cristian cadar, vijay ganesh, peter m. pawlowski,...
TRANSCRIPT
EXE: Automatically Generating Inputs of Death
Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler
13th ACM conference on Computer and
communications security (CCS), 2006
Presented By: Clayton Andrews
Outline
EXE Motivation Real bugs How to use Example STP
Optimization
Experiments
Search Heuristics
Conclusion
Contributions
EXE
EXecution generated Executions
An effective-bug finding tool
Not manual or randomly constructed input
Runs on symbolic input allowed to be “anything”
EXE
Code can generate its own test cases
Runs the code on all inputs at once
Follows all paths
Motivation
Possible paths of code execution can be large Manual testing far from exhaustive Difficult for developers to reason all paths
Random testing not sufficient Suppose bug exists for 1 input of 100 trillion
Dynamic tools require initial test cases Presents same problem as manual test
Real Bugs
Berkeley Packet Filter Evil packet filters exploit buffer overruns
udhcpd DHCP server Generates packets that invalid reads/writes
pcre library Bad regular expressions that compromise
How to Use
Simply call the method make_symbolic() on any input that is unconstrained
Compiled using the EXE compiler, exe-cc
Then compiled using a standard compiler E.g. gcc
Example
STP
EXE's constraint solver More precisely a decision procedure
Decision procedures Determine satisfiability of logic formulas Express constraints to satisfy an expression
STP
Co-designed for EXE
Faster than CVCL, a similar system 550x faster
Optimizations
Caching EXE caches results of satisfiability queries
Constraint independence Breaks apart constraints into subsets (A[1]= A[2]+ A[3]) (A[2] >A[4]) (A[7]= A[8])∧ ∧
(A[1]= A[2]+ A[3]) (A[2] >A[4])∧ A[7]= A[8]
Experiments
Bpf, pcre, udhcpd, expant and tcpdump
Search Heuristics
Every time EXE forks it must choose a path
By default, EXE uses depth-first search
Use heuristics to choose “interesting” paths
Search Heuristics
Their BFS uses a mixture of best-first and depth-first search
New heuristics are easy to plugin
Conclusion
EXE uses symbolic execution to find bugs
STP was co-designed to be fast
EXE was powerful enough to uncover bugs in real programs
Contributions
The decision procedure STP was created
Code can be tested through all paths at once
Does not rely on manual input or “luck”
Reference
"EXE: automatically generating inputs of death", Cadar, Cristian and Ganesh, Vijay and Pawlowski, Peter M. and Dill, David L. and Engler, Dawson R., 13th ACM conference on Computer and communications security (CCS), 2006.
Questions?