EXE: automatically generating inputs of death
Download
Report
Transcript EXE: automatically generating inputs of death
EXE: Automatically Generating
Inputs of Death
Cristian Cadar, Vijay Ganesh, Peter M.
Pawlowski, David L. Dill, Dawson R. Engler
13th ACM conference on Computer and
communications security (CCS), 2006
Presented By: Clayton Andrews
Outline
EXE
Optimization
Motivation
Experiments
Real bugs
Search Heuristics
How to use
Conclusion
Example
Contributions
STP
EXE
EXecution generated Executions
An effective-bug finding tool
Not manual or randomly constructed input
Runs on symbolic input
allowed to be “anything”
EXE
Code can generate its own test cases
Runs the code on all inputs at once
Follows all paths
Motivation
Possible paths of code execution can be large
Manual testing far from exhaustive
Difficult for developers to reason all paths
Random testing not sufficient
Suppose bug exists for 1 input of 100 trillion
Dynamic tools require initial test cases
Presents same problem as manual test
Real Bugs
Berkeley Packet Filter
udhcpd DHCP server
Evil packet filters exploit buffer overruns
Generates packets that invalid reads/writes
pcre library
Bad regular expressions that compromise
How to Use
Simply call the method make_symbolic() on any
input that is unconstrained
Compiled using the EXE compiler, exe-cc
Then compiled using a standard compiler
E.g. gcc
Example
STP
EXE's constraint solver
More precisely a decision procedure
Decision procedures
Determine satisfiability of logic formulas
Express constraints to satisfy an expression
STP
Co-designed for EXE
Faster than CVCL, a similar system
550x faster
Optimizations
Caching
EXE caches results of satisfiability queries
Constraint independence
Breaks apart constraints into subsets
(A[1]= A[2]+ A[3]) ∧ (A[2] >A[4]) ∧ (A[7]= A[8])
(A[1]= A[2]+ A[3]) ∧ (A[2] >A[4])
A[7]= A[8]
Experiments
Bpf, pcre, udhcpd, expant and tcpdump
Search Heuristics
Every time EXE forks
it must choose a path
By default, EXE uses
depth-first search
Use heuristics to
choose “interesting”
paths
Search Heuristics
Their BFS uses a
mixture of best-first
and depth-first search
New heuristics are
easy to plugin
Conclusion
EXE uses symbolic execution to find bugs
STP was co-designed to be fast
EXE was powerful enough to uncover bugs in
real programs
Contributions
The decision procedure STP was created
Code can be tested through all paths at once
Does not rely on manual input or “luck”
Reference
"EXE: automatically generating inputs of death",
Cadar, Cristian and Ganesh, Vijay and
Pawlowski, Peter M. and Dill, David L. and
Engler, Dawson R., 13th ACM conference on
Computer and communications security (CCS),
2006.
Questions?