
EXE: Automatically Generating Inputs of Death

Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler. 13th ACM Conference on Computer and Communications Security (CCS), 2006. Presented by: Clayton Andrews.


Presentation Transcript


  1. EXE: Automatically Generating Inputs of Death • Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler • 13th ACM Conference on Computer and Communications Security (CCS), 2006 • Presented by: Clayton Andrews

  2. Outline • EXE • Motivation • Real bugs • How to use • Example • STP • Optimization • Experiments • Search Heuristics • Conclusion • Contributions

  3. EXE • EXecution generated Executions • An effective bug-finding tool • Not manual or randomly constructed input • Runs on symbolic input • Allowed to be “anything”

  4. EXE • Code can generate its own test cases • Runs the code on all inputs at once • Follows all paths

  5. Motivation • The number of possible code execution paths can be large • Manual testing is far from exhaustive • Difficult for developers to reason about all paths • Random testing is not sufficient • Suppose a bug exists for 1 input in 100 trillion • Dynamic tools require initial test cases • Presents the same problem as manual testing

  6. Real Bugs • Berkeley Packet Filter • Evil packet filters exploit buffer overruns • udhcpd DHCP server • Generates packets that cause invalid reads/writes • pcre library • Bad regular expressions that compromise

  7. How to Use • Simply call the method make_symbolic() on any input that is unconstrained • Compiled using the EXE compiler, exe-cc • Then compiled using a standard compiler • E.g. gcc

  8. Example

  9. STP • EXE's constraint solver • More precisely a decision procedure • Decision procedures • Determine satisfiability of logic formulas • Express constraints to satisfy an expression

  10. STP • Co-designed for EXE • Faster than CVCL, a similar system • 550x faster

  11. Optimizations • Caching • EXE caches results of satisfiability queries • Constraint independence • Breaks apart constraints into subsets • (A[1] = A[2] + A[3]) ∧ (A[2] > A[4]) ∧ (A[7] = A[8]) • (A[1] = A[2] + A[3]) ∧ (A[2] > A[4]) • A[7] = A[8]

  12. Experiments • bpf, pcre, udhcpd, expat and tcpdump

  13. Search Heuristics • Every time EXE forks it must choose a path • By default, EXE uses depth-first search • Use heuristics to choose “interesting” paths

  14. Search Heuristics • Their BFS uses a mixture of best-first and depth-first search • New heuristics are easy to plug in

  15. Conclusion • EXE uses symbolic execution to find bugs • STP was co-designed to be fast • EXE was powerful enough to uncover bugs in real programs

  16. Contributions • The decision procedure STP was created • Code can be tested through all paths at once • Does not rely on manual input or “luck”

  17. Reference • "EXE: automatically generating inputs of death", Cadar, Cristian and Ganesh, Vijay and Pawlowski, Peter M. and Dill, David L. and Engler, Dawson R., 13th ACM conference on Computer and communications security (CCS), 2006.

  18. Questions?
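
Added example (not from the slides or from the EXE authors): a Python sketch of the constraint-independence step on slide 11, grouping constraints that transitively share an array cell so each subset can be handled separately. Treating constraints as text, extracting cells with a regex, and the `relevant` helper that picks the subsets a new query touches are assumptions made for illustration.

```python
import re

# Constraints from slide 11, kept as plain text (constructed representation).
SLIDE_CONSTRAINTS = ["A[1] = A[2] + A[3]", "A[2] > A[4]", "A[7] = A[8]"]


def variables(constraint):
    """Return the set of array cells (e.g. 'A[2]') a constraint mentions."""
    return set(re.findall(r"[A-Za-z_]\w*\[\d+\]", constraint))


def partition(constraints):
    """Split constraints into subsets that share no variable (union-find)."""
    parent = {}

    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    # Every cell used by one constraint belongs to the same subset.
    for c in constraints:
        cells = sorted(variables(c))
        for other in cells[1:]:
            parent[find(cells[0])] = find(other)

    groups = {}  # insertion order keeps subsets in order of first appearance
    for c in constraints:
        cells = sorted(variables(c))
        key = find(cells[0]) if cells else c  # variable-free: its own subset
        groups.setdefault(key, []).append(c)
    return list(groups.values())


def relevant(constraints, query):
    """Return only the subsets that share a variable with `query`."""
    wanted = variables(query)
    out = []
    for group in partition(constraints):
        if any(variables(c) & wanted for c in group):
            out.extend(group)
    return out


if __name__ == "__main__":
    for subset in partition(SLIDE_CONSTRAINTS):
        print(" AND ".join(subset))
    print(relevant(SLIDE_CONSTRAINTS, "A[8] < 5"))
```

A query over `A[8]` only needs the `A[7] = A[8]` subset, so the two constraints over `A[1]`..`A[4]` never reach the solver for that query.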
