Source: people.csail.mit.edu/akiezun/KiezunDefenseFinal.pdf (Adam Kiezun, MIT)
TRANSCRIPT

Effective Software Testing with a String-Constraint Solver
Adam Kiezun, MIT

Software Testing Aims To Find Errors Before Users (Or Hackers) Do
Goals of software testing:
• improve quality
• protect from adversaries
[Chart: Reported Severe Vulnerabilities, source: US-CERT]
Goal: help find errors by improving testing tools
[Diagram labels: Research, Hackers, Tech transfer]

Concolic Testing Is An Effective Software Testing Methodology
Implementation-based: exploits knowledge of the program code
Dynamic: observes the running program using combined concrete and symbolic execution
Constraint solver: systematically enumerates execution paths
Key idea: improve the effectiveness and applicability of concolic testing with a string-constraint solver
Tools: DART, CUTE, CREST, SAGE, EXE, Klee, Apollo, jFuzz

Effective Software Testing With A String-Constraint Solver
Hampi: String-Constraint Solver [ISSTA’09]
Concolic Security Testing [ICSE’09]
Grammar-based Concolic Testing [PLDI’08]
Concolic Testing

Results Summary: String-Constraint Solver (Hampi [ISSTA’09])
• Novel solver for string constraints
• Supports context-free grammars, regular constraints
• Effective in concolic testing, program analysis
• Efficient: ~7x faster than a comparable solver

Results Summary: Concolic Security Testing [ICSE’09]
• Novel technique for creating SQL injection and XSS attacks on Web applications
• Uses Hampi for grammar constraints to construct attack inputs
• First to create damaging second-order cross-site scripting (XSS) attacks
• 60 attacks (23 SQL injection, 37 XSS) on 5 PHP applications, 0 false positives

Results Summary: Grammar-based Concolic Testing [PLDI’08]
• Novel technique for testing programs with structured inputs
• Uses Hampi for input-format grammar constraints
• Improves coverage by 30-100%
• 3 new infinite-loop errors

Concolic Testing Combines Dynamic Symbolic Execution, Path Enumeration

```
void main(char[] in){
  int count=0;
  if (in[0] == 'b')
    count++;
  if (in[1] == 'a')
    count++;
  if (in[2] == 'd')
    count++;
  if (count == 3)
    ERROR;
}
```

Seed input: xyz
Path constraint collected while running on xyz: (in[0] ≠ 'b') ∧ (in[1] ≠ 'a') ∧ (in[2] ≠ 'd')
Negating the last conjunct gives (in[0] ≠ 'b') ∧ (in[1] ≠ 'a') ∧ (in[2] = 'd'), solved by the input xyd
Negating the second conjunct gives (in[0] ≠ 'b') ∧ (in[1] = 'a'), solved by xaz
Negating the first conjunct gives (in[0] = 'b'), solved by byz

Concolic Testing Systematically Enumerates All Paths In The Program
Seed input: xyz
Generated inputs (each covers a new path): xyz xyd xaz byz
Repeating the process on the new inputs: xad byd baz
Finally: bad (reaches ERROR)
Concolic testing creates inputs for all program paths.
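The path enumeration on these slides, as an added example that is not part of the slides: a toy concolic executor in Python for the slide's program. It runs the program concretely, records the branch decisions as the path constraint, and negates one decision at a time (last decision first), solving the prefix plus the negated branch to get the next input. Because every constraint here compares one input character with a constant, the "solver" is a direct assignment rather than a real constraint solver; that is an assumption that holds only for programs of this shape. The names `run`, `solve` and `concolic_explore` are this example's own.

```python
from collections import deque

SEED = "xyz"      # seed input from the slides
TARGET = "bad"    # the characters the three branches test for

def run(inp):
    """Run the slide program concretely on `inp` and record its path.

    Returns (error_reached, path); path is a list of (index, char, taken)
    where taken=True means the branch in[index] == char was true.
    """
    count = 0
    path = []
    for i, c in enumerate(TARGET):       # if (in[0]=='b') ... if (in[2]=='d')
        taken = inp[i] == c
        path.append((i, c, taken))
        if taken:
            count += 1
    return count == 3, path              # if (count == 3) ERROR;

def solve(base, prefix, flipped):
    """Return an input satisfying `prefix` plus the negated branch `flipped`.

    A constraint (i, c, taken) means in[i] == c if taken else in[i] != c.
    Each constraint fixes a single character, so no real solver is needed
    (assumption: only valid for constraints of this simple form).
    Characters not mentioned keep their value from `base`.
    """
    inp = list(base)
    for i, c, taken in prefix + [flipped]:
        if taken:
            inp[i] = c
        elif inp[i] == c:
            inp[i] = "x" if c != "x" else "y"
    return "".join(inp)

def concolic_explore(seed=SEED):
    """Enumerate every path of the program starting from `seed`.

    Returns (inputs in the order their paths were first covered,
             inputs that reached ERROR).
    """
    worklist = deque([seed])
    covered = set()
    generated, errors = [], []
    while worklist:
        inp = worklist.popleft()
        err, path = run(inp)
        key = tuple(taken for _, _, taken in path)
        if key in covered:               # this input covers no new path
            continue
        covered.add(key)
        generated.append(inp)
        if err:
            errors.append(inp)
        # Negate one branch decision at a time, last decision first, keeping
        # the decisions before it as the prefix of the new path constraint.
        for k in reversed(range(len(path))):
            i, c, taken = path[k]
            worklist.append(solve(inp, path[:k], (i, c, not taken)))
    return generated, errors

if __name__ == "__main__":
    gen, errs = concolic_explore()
    print("generated inputs:", " ".join(gen))   # xyz xyd xaz byz xad byd baz bad
    print("inputs reaching ERROR:", errs)        # ['bad']
```

The generation order reproduces the slides exactly (xyz, then xyd xaz byz, then xad byd baz, then bad), and the eight inputs cover the program's eight paths; on a real program the `solve` step is where a constraint solver such as Hampi takes over.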

Many Program Analyses Reduce To Constraint Generation And Solving
Benefits:
+ declarative formulation
+ better modularity
+ efficiency improvements
Downsides:
- limited by the solver's theory
Hampi: constraint solver for a theory of strings

String-Constraint Solver Finds Assignments For String Variables
Finite alphabet Σ (e.g., ASCII characters)
String variables over Σ*:  var v
String constraints – language membership:  assert v ∈ L
String operations:  concat("foo", v, "bar")

Hampi Uses Length Bounding To Support Context-Free Constraints
Key Hampi idea: bound the length of strings for high expressiveness and efficiency
[Diagram: bound(any language) yields a bounded language, which is regular]

Hampi Can Solve Context-Free and Regular Constraints
"Find a 4-character string v, such that:
• (v) has balanced parentheses, and
• (v) contains substring ()()"

```
var v:4;
cfg E := "()" | E E | "(" E ")";
reg Ebounded := bound(E, 6);
val q := concat( "(" , v , ")" );
assert q in Ebounded;
assert q contains "()()";
```

Hampi finds satisfying assignment v = )()(

Hampi Supports Rich String Constraints
[Table: features supported by Hampi, CFGAnalyzer, Wassermann, Bjørner, Hooimeijer, Emmi, MONA, Caballero; rows: context-free grammars, regular expressions, string concatenation, stand-alone tool, unbounded length; check marks not recoverable]

Hampi Encodes String Constraints In Bit-Vector Logic
[HAMPI architecture: string constraints → Normalizer → core string constraints → Encoder → bit-vector constraints → Bit-vector Solver → bit-vector solution → Decoder → string solution]

Hampi Normalizer Converts String Constraints To Core Form
Core string constraints contain only regular expressions.
Expand grammars to regexps:
• expand nonterminals
• eliminate inconsistencies
• enumerate choices exhaustively

Example: compute bound(E, 6) for cfg E := "(" E ")" | E E | "()";
  E
  ( E ) + E E + ()                                      expand nonterminals
  ( E ) + E E                                           eliminate inconsistencies: "()" has length 2, not 6
  ( E ) + E E + E E + E E + E E + E E + E E + E E       enumerate choices: each way of splitting the length 6 between the two E's
  ( E ) + E E + E E                                     eliminate inconsistencies: only the 2+4 and 4+2 splits derive strings
  ([()() + (())]) + ()[()() + (())] + [()() + (())]()   expanding the remaining E's gives bound(E, 6)

Hampi Normalizer Uses Compact Representations Of Expressions
()[()() + (())] + [()() + (())]() + ([()() + (())])
Shared graph nodes for common subexpressions: the node for E6 references the node for E4 (= ()() + (())) and the node for E2 (= ()) instead of copying them, so each bounded subexpression is represented once.
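An added example, not Hampi's code, that implements the length-bounding idea behind the Hampi example on the earlier slides (find a 4-character v such that (v) is balanced and contains ()()) together with the normalizer's expansion described above. For each (nonterminal, length) pair it computes the set of derivable strings by expanding productions, enumerating how the length splits among the production's symbols and dropping splits that derive nothing, and memoises the result so that E at length 4 is computed once and shared by ( E ), E E and E E, like the shared graph nodes. It assumes the grammar has no empty productions, that v ranges over the alphabet {(, )}, and it checks candidate v's by brute force rather than through a bit-vector encoding; `bounded` and `solve_slide_example` are this example's own names.

```python
from functools import lru_cache
from itertools import product

# Grammar from the slides: E := "()" | E E | "(" E ")"
# (nonterminals are the keys; every other symbol is a terminal string)
GRAMMAR = {"E": [["()"], ["E", "E"], ["(", "E", ")"]]}

def bounded(grammar, start, length):
    """Strings of exactly `length` characters derivable from `start`.

    The normalizer's expansion, done on concrete strings: each production is
    expanded, the length is split among its symbols in every possible way,
    and splits that derive nothing are discarded. Results are memoised per
    (symbol, length) so common subexpressions are computed once.
    Assumption: no nonterminal derives the empty string.
    """
    def min_len(symbols):
        return sum(1 if s in grammar else len(s) for s in symbols)

    @lru_cache(maxsize=None)
    def derive(symbol, n):
        if symbol not in grammar:                       # terminal string
            return frozenset([symbol]) if len(symbol) == n else frozenset()
        out = set()
        for production in grammar[symbol]:              # expand nonterminal
            out |= derive_seq(tuple(production), n)
        return frozenset(out)

    @lru_cache(maxsize=None)
    def derive_seq(symbols, n):
        if not symbols:
            return frozenset([""]) if n == 0 else frozenset()
        head, rest = symbols[0], symbols[1:]
        lo = 1 if head in grammar else len(head)
        hi = n - min_len(rest)
        out = set()
        for k in range(lo, hi + 1):                     # enumerate length splits
            for h in derive(head, k):                   # empty set = inconsistent split
                for r in derive_seq(rest, n - k):
                    out.add(h + r)
        return frozenset(out)

    return set(derive(start, length))

def solve_slide_example():
    """var v:4; q = concat("(", v, ")"); assert q in bound(E, 6);
    assert q contains "()()".  Returns every satisfying v, sorted."""
    ebounded = bounded(GRAMMAR, "E", 6)
    solutions = []
    for chars in product("()", repeat=4):   # the 16 candidate 4-character v's
        v = "".join(chars)
        q = "(" + v + ")"
        if q in ebounded and "()()" in q:
            solutions.append(v)
    return sorted(solutions)

if __name__ == "__main__":
    print(sorted(bounded(GRAMMAR, "E", 6)))   # the five balanced strings of length 6
    print(solve_slide_example())              # ['()()', ')()(']; the slides report )()(
```

The problem has two solutions, v = ()() and v = )()(; Hampi returns one satisfying assignment, and the slides show the second. Enumerating strings explicitly is fine at bound 6 but grows with the bound, which is why Hampi keeps the expansion symbolic (as bounded regular expressions) and hands it to a bit-vector solver.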

Bit Vectors Are Ordered, Fixed-Size Sets Of Bits
Bit vector B (length 6 bits); B[offset:length] denotes a slice of B
Constraint: (B[0:4] = B[2:4]) ∧ (B[1:3] = 101)
Bit-vector solver finds the solution B = 010101

Hampi Encodes Core Constraints As Bit-Vector Constraints
Map alphabet to bit-vector constants: ( ↦ 0, ) ↦ 1
Compute size of bit-vector B: (1+4+1) * 1 bit = 6 bits
( v ) ∈ ()[()() + (())] + [()() + (())]() + ([()() + (())])

Hampi Encodes Regular Expressions Recursively
( v ) ∈ ()[()() + (())] + [()() + (())]() + ([()() + (())])
          Formula 1            Formula 2            Formula 3
Encode regular expressions recursively:
• union + → disjunction
• concatenation → conjunction
• Kleene star * → conjunction
• constant → bit-vector constant

Hampi Encoder Exploits Shift-Symmetry In Constraints
( v ) ∈ ()[()() + (())] + [()() + (())]() + ([()() + (())])
Shift-symmetric constraints: B[0:2] = 01 and B[5:2] = 01
Shift-symmetric constraints = identical modulo offset in the bit vector
Hampi reuses encoding templates for symmetric constraints

Hampi Uses Bit-Vector Solver And Decodes Solution
Bit-vector solver solves the bit-vector constraints: B = 010101
Decoder maps the bits back to characters: B = ()()()
Removing the constant "(" and ")" of the concat gives v = )()(
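The encode, solve and decode steps of the last slides as an added example, not Hampi's code. It encodes the normalized regular expression bound(E, 6) over the alphabet {(, )}, with ( ↦ 0 and ) ↦ 1, into constraints on a 6-bit vector using the slides' rules (constant → fixed bits, concatenation → conjunction at successive offsets, union → disjunction), encodes `contains "()()"` as a disjunction of one encoded template shifted to each offset (the shift-symmetry reuse), and decodes the solutions back to strings. The bit-vector solver is a brute-force enumeration of the 64 assignments standing in for the real solver Hampi calls; Kleene star is not handled. The AST shape and the names `encode`, `shift`, `contains`, `solve` and `decode` are this example's own.

```python
from itertools import product

# One bit per character, as on the slides: "(" -> 0, ")" -> 1 (the mapping
# under which the slides' B = 010101 decodes to ()()()).
ALPHABET = {"(": 0, ")": 1}
INV_ALPHABET = {b: c for c, b in ALPHABET.items()}

# Regex AST (this example's own shape):
#   ("const", "()")   ("cat", [r1, r2, ...])   ("alt", [r1, r2, ...])
E2 = ("const", "()")
E4 = ("alt", [("const", "()()"), ("const", "(())")])
# bound(E, 6) after normalisation, as on the slides:
#   ([()() + (())]) + ()[()() + (())] + [()() + (())]()
E6 = ("alt", [
    ("cat", [("const", "("), E4, ("const", ")")]),
    ("cat", [E2, E4]),
    ("cat", [E4, E2]),
])

def length(regex):
    """Length of the strings a bounded regex matches (alternatives must agree)."""
    kind, body = regex
    if kind == "const":
        return len(body)
    if kind == "cat":
        return sum(length(r) for r in body)
    lengths = {length(r) for r in body}
    assert len(lengths) == 1, "bounded alternatives must have one length"
    return lengths.pop()

def encode(regex, offset=0):
    """Formula for "regex matches the bit vector B at offset".

    Formula shape: ("bit", i, v) | ("and", [f, ...]) | ("or", [f, ...]).
    constant -> fixed bits, concatenation -> conjunction at successive
    offsets, union -> disjunction.
    """
    kind, body = regex
    if kind == "const":
        return ("and", [("bit", offset + i, ALPHABET[ch]) for i, ch in enumerate(body)])
    if kind == "cat":
        parts, pos = [], offset
        for r in body:
            parts.append(encode(r, pos))
            pos += length(r)
        return ("and", parts)
    return ("or", [encode(r, offset) for r in body])

def shift(formula, delta):
    """Shift-symmetry: reuse one encoded template at another offset."""
    if formula[0] == "bit":
        return ("bit", formula[1] + delta, formula[2])
    return (formula[0], [shift(f, delta) for f in formula[1]])

def contains(substring, nbits):
    """'B contains s': s occurs at some offset, one template shifted to each."""
    template = encode(("const", substring), 0)
    return ("or", [shift(template, k) for k in range(nbits - len(substring) + 1)])

def holds(formula, bits):
    if formula[0] == "bit":
        return bits[formula[1]] == formula[2]
    if formula[0] == "and":
        return all(holds(f, bits) for f in formula[1])
    return any(holds(f, bits) for f in formula[1])

def solve(formulas, nbits):
    """Stand-in bit-vector solver: every assignment satisfying all formulas."""
    return [bits for bits in product((0, 1), repeat=nbits)
            if all(holds(f, bits) for f in formulas)]

def decode(bits):
    """Decoder: bit-vector solution back to a string."""
    return "".join(INV_ALPHABET[b] for b in bits)

def solve_slide_example():
    """q = ( v ), q in bound(E, 6), q contains "()()": returns every v."""
    nbits = length(E6)                              # (1 + 4 + 1) * 1 bit = 6
    formulas = [
        ("bit", 0, ALPHABET["("]),                  # the constant "(" of the concat
        ("bit", nbits - 1, ALPHABET[")"]),          # the constant ")"
        encode(E6),                                 # assert q in Ebounded
        contains("()()", nbits),                    # assert q contains "()()"
    ]
    return [decode(bits)[1:-1] for bits in solve(formulas, nbits)]

if __name__ == "__main__":
    print(solve_slide_example())   # ['()()', ')()(']; the slides show v = )()(
```

Encoding bound(E, 6) alone yields exactly the five balanced strings of length 6, and adding the `contains` disjunction leaves the two assignments 001011 ((()())) and 010101 (()()()); the latter is the slides' B = 010101. A real bit-vector solver such as STP takes the same formulas and returns one model instead of enumerating all of them.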

Result 1: Hampi Is Effective In Static SQL Injection Analysis
1367 string constraints from [Wassermann PLDI’07]
Hampi solved 99.7% of constraints in < 1 sec per constraint
All solvable constraints had short solutions (N ≤ 4)
Hampi scales to large grammars

Result 2: Hampi Is Faster Than The CFGAnalyzer Solver
CFGAnalyzer encodes bounded grammar problems in SAT [Axelsson et al ICALP’08]
[Chart: average time (sec., 0-25) against string size (characters, 0-50) for Hampi and CFGAnalyzer]
For size 50, Hampi is 6.8x faster on average (up to 3000x faster)
Page 57
Ardilla Mutates Generated Inputs To Construct Attacks
Page 58–60
SQL Injection Attacks Modify Structure Of Database Queries
Symbolic expression for SQL query: concat("SELECT msg FROM messages WHERE topicid='", v, "'")
Innocuous input: v = 1
SELECT msg FROM messages WHERE topicid='1'
Attack input: v = 1' OR '0'='0 (the input Hampi finds in the example that follows)
SELECT msg FROM messages WHERE topicid='1' OR '0'='0'
Attacker gets access to all messages: the injected OR turns the WHERE clause into a tautology, so the query no longer has one equality condition but two.
Page 61–62
Example: Hampi Constraints That Create SQL Injection Attacks
var v : 12;
cfg SqlSmall := "SELECT " [a-z]+ " FROM " [a-z]+ " WHERE " Cond;
cfg Cond := Val "=" Val | Cond " OR " Cond;
cfg Val := [a-z]+ | "'" [a-z0-9]* "'" | [0-9]+;
reg SqlSmallBounded := bound(SqlSmall, 53);
val q := concat("SELECT msg FROM messages WHERE topicid='", v, "'");
assert q in SqlSmallBounded;
assert q contains "OR '0'='0'";
v is a 12-character string variable, so q is always 53 characters long; the two asserts require q to be a syntactically valid query of the grammar and to contain the tautology.
Hampi finds an attack input: v = 1' OR '0'='0
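The constraint on this slide, run as an added example (this is not Hampi's code and does not reproduce its bit-vector encoding): the grammar is transcribed as a regular expression, q is built exactly as the val declaration does, and a small search fixes the required substring at every position of q where it fits and enumerates only the leftover characters of v over a constructed alphabet. It recovers the slide's attack input and, more generally, all inputs of length 12 that satisfy both asserts; count_conditions makes the structural change from slides 58–60 visible (one equality clause for the innocuous input, two for the attack). The alphabet and the search strategy are assumptions of this example.

```python
import re
import string
from itertools import product

# Added example, not Hampi's own code: a brute-force reference solver for the
# SQL-injection constraint on the slide, so the constraint's meaning can be
# checked by hand. Hampi itself encodes the bounded grammar into bit-vector
# constraints and asks an SMT solver; nothing here reproduces that encoding.

# The slide's grammar as a regular expression. The language is regular because
# Cond := Val "=" Val | Cond " OR " Cond is just equalities joined by " OR ".
VAL = r"(?:[a-z]+|'[a-z0-9]*'|[0-9]+)"
COND = rf"{VAL}={VAL}(?: OR {VAL}={VAL})*"
SQL_SMALL = re.compile(rf"SELECT [a-z]+ FROM [a-z]+ WHERE {COND}")

V_LEN = 12                 # var v : 12   (v is exactly 12 characters)
BOUND = 53                 # reg SqlSmallBounded := bound(SqlSmall, 53)
PREFIX = "SELECT msg FROM messages WHERE topicid='"
SUFFIX = "'"
TAUTOLOGY = "OR '0'='0'"   # assert q contains "OR '0'='0'"

# Characters the search may place in v (constructed for this example; Hampi
# draws from the alphabet of the grammar and the constraints).
ALPHABET = string.digits + string.ascii_lowercase + "' =OR"


def build_query(v: str) -> str:
    """val q := concat("SELECT msg FROM messages WHERE topicid='", v, "'")"""
    return PREFIX + v + SUFFIX


def in_bounded_grammar(q: str) -> bool:
    """assert q in SqlSmallBounded: a sentence of SqlSmall no longer than BOUND."""
    return len(q) <= BOUND and SQL_SMALL.fullmatch(q) is not None


def is_attack(v: str) -> bool:
    """Both asserts of the Hampi program hold for this v."""
    q = build_query(v)
    return in_bounded_grammar(q) and TAUTOLOGY in q


def count_conditions(q: str) -> int:
    """Number of Val=Val clauses in the WHERE part of a query accepted by the
    grammar. The injection shows up as a change of query structure: 1 -> 2."""
    return len(q.split(" WHERE ", 1)[1].split(" OR "))


def solve_attacks(alphabet: str = ALPHABET) -> list:
    """Every v of length V_LEN satisfying both asserts, sorted.

    Enumerating all 12-character strings is hopeless (41**12), so the search
    uses the `contains` constraint the way a solver would: the tautology must
    occupy some window of q, which pins most of v; only the leftover positions
    are enumerated over the alphabet and checked against the grammar.
    """
    template = PREFIX + "?" * V_LEN + SUFFIX        # '?' marks a free position
    v_range = range(len(PREFIX), len(PREFIX) + V_LEN)
    solutions = set()
    for start in range(len(template) - len(TAUTOLOGY) + 1):
        window = dict(enumerate(TAUTOLOGY, start))  # q[i] = ch inside the window
        # The window must agree with every fixed (non-'?') character of q.
        if any(template[i] not in ("?", ch) for i, ch in window.items()):
            continue
        free = [i for i in v_range if i not in window]
        v_chars = {i: ch for i, ch in window.items() if i in v_range}
        for fill in product(alphabet, repeat=len(free)):
            v_chars.update(zip(free, fill))
            v = "".join(v_chars[i] for i in v_range)
            if is_attack(v):
                solutions.add(v)
    return sorted(solutions)


if __name__ == "__main__":
    for v in ("1", "1' OR '0'='0"):
        q = build_query(v)
        print(f"v = {v!r:18} attack={is_attack(v)} conditions={count_conditions(q)}")
    print(len(solve_attacks()), "attack inputs of length", V_LEN)
```

Only one window position can work: the tautology must end on the closing quote the template appends after v, which forces v to end in "' OR '0'='0" and leaves a single free character that any digit or lowercase letter can fill, so the slide's "1' OR '0'='0" is one of 36 solutions.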
Page 63
Result: Ardilla Finds New Attacks
60 attacks on 5 PHP applications:
• 23 SQL injection
• 29 XSS first order
• 8 XSS second order
• 0 false positives
216 Hampi constraints solved
• 46% of constraints in < 1 second per constraint
• 100% of constraints in < 10 seconds per constraint
Page 65–68
Sometimes Concolic Testing Is Not Much Better Than Random Fuzzing
Program under test: JavaScript interpreter
Random Fuzz Testing: 16.5% of generated inputs reach beyond the parser
Concolic Testing: 17.6% of generated inputs reach beyond the parser
Page 69–73
Most Generated Inputs Get Rejected Quickly
Key idea: generate only valid inputs
Page 74–75
Input-Format Grammar Guides Creation Of Effective Inputs
Concolic testing: solve(PC') → new input
Grammar-based concolic testing: solve(PC' ∧ Grammar) → new valid input, with the Hampi string solver doing the solving
Page 76–78
String-Constraint Solver Helps Create Valid Inputs
Seed input (for JavaScript interpreter): function f(){ var v = 3; }
Constraints on tokens (created during execution):
token0 = function
token1 = id
token2 = (
token3 = )
token4 = {
token5 = var
…
Negating the last constraint (token5 ≠ var) and solving it without the grammar yields any token other than var, e.g. the invalid input function f(){ try v = 3; }, which the parser rejects.
Solving token5 ≠ var together with the JavaScript grammar yields a valid input: function f(){ try { } catch ( id ) { } finally { }; }
Page 79–80
String-Constraint Solver Helps Avoid Dead-End Inputs
Seed input (for JavaScript interpreter): function f(){ var v = 3; }
Constraints on tokens (created during execution):
token0 = function
token1 = id
token2 = (
token3 = )
token4 ≠ {
Without the grammar, negating token4 = { produces the dead-end input function f() var var v = 3; }, which the parser rejects at once.
With the grammar, the solver finds that no valid program satisfies token0..token3 together with token4 ≠ { (after function f() the grammar admits only {), so this dead-end input is never generated.
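The two scenarios above (the valid try/catch input and the dead-end token4 ≠ {), as an added example that is not the PLDI'08 tool's code: a token-level grammar for a constructed toy subset of JavaScript, a path condition over token positions, and a solver that enumerates bounded derivations and keeps those satisfying the path condition. The enumeration stands in for Hampi, and the grammar, token names (id, num) and token budget are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

# Added example (not the PLDI'08 tool's code): a token-level grammar solver that
# shows why solve(PC' AND Grammar) yields valid inputs where plain concolic
# testing yields parser rejects. The grammar is a constructed toy subset of
# JavaScript; `id` and `num` stand for identifier and number tokens as on the slides.
GRAMMAR: Dict[str, List[List[str]]] = {
    "Program": [["function", "id", "(", ")", "{", "Body", "}"]],
    "Body": [[], ["Stmt", "Body"]],
    "Stmt": [
        ["var", "id", "=", "num", ";"],
        ["if", "(", "id", ")", "{", "}"],
        ["try", "{", "}", "catch", "(", "id", ")", "{", "}", "finally", "{", "}", ";"],
    ],
}

Constraint = Tuple[int, str, str]   # (token index, "==" or "!=", token)


def sentences(symbol: str, budget: int):
    """Yield every token sequence derivable from `symbol` with at most `budget` tokens."""
    if symbol not in GRAMMAR:             # terminal token
        if budget >= 1:
            yield [symbol]
        return
    for rhs in GRAMMAR[symbol]:
        yield from _expand(rhs, budget)


def _expand(rhs: List[str], budget: int):
    """Derive a right-hand side symbol by symbol, sharing the token budget."""
    if not rhs:
        yield []
        return
    for head in sentences(rhs[0], budget):
        for tail in _expand(rhs[1:], budget - len(head)):
            yield head + tail


def satisfies(tokens: List[str], pc: List[Constraint]) -> bool:
    """Does the token sequence satisfy every constraint of the path condition?"""
    for idx, op, tok in pc:
        if idx >= len(tokens):
            return False
        matches = tokens[idx] == tok
        if (op == "==" and not matches) or (op == "!=" and matches):
            return False
    return True


def solve_all(pc: List[Constraint], max_tokens: int = 24) -> List[List[str]]:
    """Grammar-aware solving: all valid programs (up to max_tokens) satisfying pc, shortest first."""
    found = [t for t in sentences("Program", max_tokens) if satisfies(t, pc)]
    return sorted(found, key=lambda t: (len(t), t))


def solve(pc: List[Constraint], max_tokens: int = 24) -> Optional[List[str]]:
    """Shortest valid program satisfying pc, or None when the path is a dead end."""
    found = solve_all(pc, max_tokens)
    return found[0] if found else None


def is_valid(tokens: List[str]) -> bool:
    """Parser acceptance, modelled as grammar membership."""
    return any(t == tokens for t in sentences("Program", len(tokens)))


def render(tokens: List[str]) -> str:
    return " ".join(tokens)


# Seed input from the slides, and the path constraints on its first six tokens.
SEED = ["function", "id", "(", ")", "{", "var", "id", "=", "num", ";", "}"]
SEED_PC: List[Constraint] = [(i, "==", tok) for i, tok in enumerate(SEED[:6])]


def negate(pc: List[Constraint], idx: int) -> List[Constraint]:
    """Concolic step: keep the constraints before `idx` and flip the one at `idx`."""
    i, _, tok = pc[idx]
    return pc[:idx] + [(i, "!=", tok)]


def plain_concolic(seed: List[str], idx: int, replacement: str) -> List[str]:
    """Plain concolic testing: satisfy the flipped constraint with any other
    token and keep the rest of the seed (no grammar involved)."""
    out = list(seed)
    out[idx] = replacement
    return out


if __name__ == "__main__":
    for idx, junk in ((5, "try"), (4, "var")):
        naive = plain_concolic(SEED, idx, junk)
        print(f"token{idx} flipped, no grammar:   {render(naive)!r} valid={is_valid(naive)}")
        guided = solve(negate(SEED_PC, idx))
        print(f"token{idx} flipped, with grammar: {render(guided) if guided else 'dead end, skipped'}")
```

Flipping token5 without the grammar gives "function id ( ) { try id = num ; }", which the grammar rejects; with the grammar the shortest solution is the empty function body, and the slide's try/catch/finally program is among the longer ones. Flipping token4 has no valid solution at all, so the grammar-based search reports a dead end instead of generating an input the parser would discard.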
Page 81
Results: Grammar-Based Concolic Testing Improves Deep Reachability
Up to 20x deep reachability improvement: more generated inputs reach beyond the parser
Page 82–83
Results: Grammar-Based Concolic Testing Improves Coverage
Up to 2x coverage improvement
Finds new bugs: 3 infinite-loop bugs
Page 84
Summary: Effective Software Testing With A String-Constraint Solver
Hampi String-Constraint Solver
• expressive: supports context-free grammars
• efficient: solves real-world constraints quickly
Concolic Security Testing
• creates attacks on Web applications by input generation and mutation with the Hampi string-constraint solver
Grammar-Based Concolic Testing
• effectively tests programs with structured inputs by using the Hampi string-constraint solver and input grammars