Your search keyword '"Symbolic execution"' showing total 11 results

1. Analyzing system software components using API model guided symbolic execution.

Author

Yavuz, Tuba and Bai, Ken (Yihang)

Subjects

SYSTEMS software, SOFTWARE frameworks, APPLICATION program interfaces, COMPUTER software execution

Abstract

Analyzing real-world software is challenging due to complexity of the software frameworks or APIs they depend on. In this paper, we present a tool, PROMPT, that facilitates the analysis of software components using API model guided symbolic execution. PROMPT has a specification component, PROSE, that lets users define an API model, which consists of a set of data constraints and life-cycle rules that define control-flow constraints among sequentially composed API functions. Given a PROSE model and a software component, PROMPT symbolically executes the component while enforcing the specified API model. PROMPT has been implemented on top of the KLEE symbolic execution engine and has been applied to Linux device drivers from the video, sound, and network subsystems and to some vulnerable components of BlueZ, the implementation of the Bluetooth protocol stack for the Linux kernel. PROMPT detected two new and four known memory vulnerabilities in some of the analyzed system software components. [ABSTRACT FROM AUTHOR]

Published

2020

2. Exploring output-based coverage for testing PHP web applications.

Author

Nguyen, Hung Viet, Phan, Hung Dang, Kästner, Christian, and Nguyen, Tien N.

Abstract

In software testing, different testers focus on different aspects of the software such as functionality, performance, design, and other attributes. While many tools and coverage metrics exist to support testers at the code level, not much support is targeted for testers who want to inspect the output of a program such as a dynamic web application. To support this category of testers, we propose a family of output-coverage metrics (similar to statement, branch, and path coverage metrics on code) that measure how much of the possible output has been produced by a test suite and what parts of the output are still uncovered. To do that, we first approximate the output universe using our existing symbolic execution technique. Then, given a set of test cases, we map the produced outputs onto the output universe to identify the covered and uncovered parts and compute output-coverage metrics. In our empirical evaluation on seven real-world PHP web applications, we show that selecting test cases by output coverage is more effective at identifying presentation faults such as HTML validation errors and spelling errors than selecting test cases by traditional code coverage. In addition, to help testers understand output coverage and augment test cases, we also develop a tool called WebTest that displays the output universe in one single web page and allows testers to visually explore covered and uncovered parts of the output. [ABSTRACT FROM AUTHOR]

Published

2019

3. Analyzing system software components using API model guided symbolic execution

Author

Ken Yihang Bai and Tuba Yavuz

Subjects

Programming language, business.industry, Computer science, 020207 software engineering, Linux kernel, 02 engineering and technology, Symbolic execution, computer.software_genre, Software framework, Protocol stack, Software, Component (UML), Component-based software engineering, 0202 electrical engineering, electronic engineering, information engineering, business, computer, System software

Abstract

Analyzing real-world software is challenging due to complexity of the software frameworks or APIs they depend on. In this paper, we present a tool, PROMPT, that facilitates the analysis of software components using API model guided symbolic execution. PROMPT has a specification component, PROSE, that lets users define an API model, which consists of a set of data constraints and life-cycle rules that define control-flow constraints among sequentially composed API functions. Given a PROSE model and a software component, PROMPT symbolically executes the component while enforcing the specified API model. PROMPT has been implemented on top of the KLEE symbolic execution engine and has been applied to Linux device drivers from the video, sound, and network subsystems and to some vulnerable components of BlueZ, the implementation of the Bluetooth protocol stack for the Linux kernel. PROMPT detected two new and four known memory vulnerabilities in some of the analyzed system software components.

Published

2020

4. Exploring output-based coverage for testing PHP web applications

Author

Hung Dang Phan, Hung Viet Nguyen, Christian Kästner, and Tien N. Nguyen

Subjects

Computer science, business.industry, Code coverage, 020207 software engineering, 02 engineering and technology, Dynamic web page, Symbolic execution, computer.software_genre, Software, Test case, Web page, 0202 electrical engineering, electronic engineering, information engineering, Test suite, Web application, Data mining, business, computer

Abstract

In software testing, different testers focus on different aspects of the software such as functionality, performance, design, and other attributes. While many tools and coverage metrics exist to support testers at the code level, not much support is targeted for testers who want to inspect the output of a program such as a dynamic web application. To support this category of testers, we propose a family of output-coverage metrics (similar to statement, branch, and path coverage metrics on code) that measure how much of the possible output has been produced by a test suite and what parts of the output are still uncovered. To do that, we first approximate the output universe using our existing symbolic execution technique. Then, given a set of test cases, we map the produced outputs onto the output universe to identify the covered and uncovered parts and compute output-coverage metrics. In our empirical evaluation on seven real-world PHP web applications, we show that selecting test cases by output coverage is more effective at identifying presentation faults such as HTML validation errors and spelling errors than selecting test cases by traditional code coverage. In addition, to help testers understand output coverage and augment test cases, we also develop a tool called WebTest that displays the output universe in one single web page and allows testers to visually explore covered and uncovered parts of the output.

Published

2018

5. Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis.

Author

Păsăreanu, Corina, Visser, Willem, Bushnell, David, Geldenhuys, Jaco, Mehlitz, Peter, and Rungta, Neha

Subjects

JAVA programming language, ABSTRACT data types (Computer science), VERTICAL files (Libraries), DATA structures, ELECTRONIC file management

Abstract

Symbolic PathFinder (SPF) is a software analysis tool that combines symbolic execution with model checking for automated test case generation and error detection in Java bytecode programs. In SPF, programs are executed on symbolic inputs representing multiple concrete inputs and the values of program variables are represented by expressions over those symbolic inputs. Constraints over these expressions are generated from the analysis of different paths through the program. The constraints are solved with off-the-shelf solvers to determine path feasibility and to generate test inputs. Model checking is used to explore different symbolic program executions, to systematically handle aliasing in the input data structures, and to analyze the multithreading present in the code. SPF incorporates techniques for handling input data structures, strings, and native calls to external libraries, as well as for solving complex mathematical constraints. We describe the tool and its application at NASA, in academia, and in industry. [ABSTRACT FROM AUTHOR]

Published

2013

6. Efficient and formal generalized symbolic execution.

Author

Deng, Xianghua, Lee, Jooyong, and Robby

Subjects

COMPUTER software research, ALIASES & aliasing (Television), ONLINE algorithms, IMS/VS (Computer system), ERROR messages (Computer science), SEMANTIC network analysis

Abstract

Programs that manipulate dynamic heap objects are difficult to analyze due to issues like aliasing. Lazy initialization algorithm enables the classical symbolic execution to handle such programs. Despite its successes, there are two unresolved issues: (1) inefficiency; (2) lack of formal study. For the inefficiency issue, we have proposed two improved algorithms that give significant analysis time reduction over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct a set of extensive experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms. [ABSTRACT FROM AUTHOR]

Published

2012

7. Unfolding based automated testing of multithreaded programs

Author

Olli Saarikivi, Kari Kähkönen, and Keijo Heljanko

Subjects

Nondeterministic algorithm, Partial order reduction, Programming language, Computer science, Concurrency, Parallel computing, Thread (computing), Deadlock, Petri net, Symbolic execution, computer.software_genre, computer, Software

Abstract

In multithreaded programs both environment input data and the nondeterministic interleavings of concurrent events can affect the behavior of the program. One approach to systematically explore the nondeterminism caused by input data is dynamic symbolic execution. For testing multithreaded programs we present a new approach that combines dynamic symbolic execution with unfoldings, a method originally developed for Petri nets but also applied to many other models of concurrency. We provide an experimental comparison of our new approach with existing algorithms combining dynamic symbolic execution and partial order reductions and show that the new algorithm can explore the reachable control states of each thread with a significantly smaller number of test runs. In some cases the reduction to the number of test runs can be even exponential allowing programs with long test executions or hard-to-solve constraints generated by symbolic execution to be tested more efficiently. In addition we show that our algorithm generates a structure describing different interleavings from which deadlocks can be detected efficiently as well.

Published

2014

8. Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis

Author

Peter Mehlitz, Jaco Geldenhuys, Neha Rungta, Corina S. Păsăreanu, Willem Visser, and David Bushnell

Subjects

Model checking, Theoretical computer science, Java, Programming language, Computer science, Java bytecode, Symbolic execution, Data structure, computer.software_genre, Symbolic trajectory evaluation, Concolic testing, Aliasing (computing), Software analysis pattern, computer, Software, computer.programming_language

Abstract

Symbolic PathFinder (SPF) is a software analysis tool that combines symbolic execution with model checking for automated test case generation and error detection in Java bytecode programs. In SPF, programs are executed on symbolic inputs representing multiple concrete inputs and the values of program variables are represented by expressions over those symbolic inputs. Constraints over these expressions are generated from the analysis of different paths through the program. The constraints are solved with off-the-shelf solvers to determine path feasibility and to generate test inputs. Model checking is used to explore different symbolic program executions, to systematically handle aliasing in the input data structures, and to analyze the multithreading present in the code. SPF incorporates techniques for handling input data structures, strings, and native calls to external libraries, as well as for solving complex mathematical constraints. We describe the tool and its application at NASA, in academia, and in industry.

Published

2013

9. Efficient and formal generalized symbolic execution

Author

Xianghua Deng, Robby, and Jooyong Lee

Subjects

Soundness, Theoretical computer science, Lazy initialization, Computer science, Programming language, TheoryofComputation_LOGICSANDMEANINGSOFPROGRAMS, Symbolic execution, computer.software_genre, computer, Software, Operational semantics, Heap (data structure)

Abstract

Programs that manipulate dynamic heap objects are difficult to analyze due to issues like aliasing. Lazy initialization algorithm enables the classical symbolic execution to handle such programs. Despite its successes, there are two unresolved issues: (1) inefficiency; (2) lack of formal study. For the inefficiency issue, we have proposed two improved algorithms that give significant analysis time reduction over the original lazy initialization algorithm. In this article, we formalize the lazy initialization algorithm and the improved algorithms as operational semantics of a core subset of the Java Virtual Machine (JVM) instructions, and prove that all algorithms are relatively sound and complete with respect to the JVM concrete semantics. Finally, we conduct a set of extensive experiments that compare the three algorithms and demonstrate the efficiency of the improved algorithms.

Published

2011

10. Deviation Analysis: A New Use of Model Checking

Author

Yunja Choi, Mats P. E. Heimdahl, and Michael W. Whalen

Subjects

Model checking, Computer science, Robustness (computer science), Control system, Symbolic trajectory evaluation, Software requirements specification, Abstraction model checking, Symbolic execution, Algorithm, Software

Abstract

Inaccuracies, or deviations, in the measurements of monitored variables in a control system are facts of life that control software must accommodate. Deviation analysis can be used to determine how a software specification will behave in the face of such deviations. Deviation analysis is intended to answer questions such as "What is the effect on output O if input I is off by 0 to 100?". This property is best checked with some form of symbolic execution approach. In this report we wish to propose a new approach to deviation analysis using model checking techniques. The key observation that allows us to use model checkers is that the property can be restated as "Will there be an effect on output O if input I is off by 0 to 100?"--this restatement of the property changes the analysis from an exploratory analysis to a verification task suitable for model checking.

Published

2005

11. Guest editors introduction: special issue on innovative automated software engineering tools

Author

John Grundy and John Hosking

Subjects

Social software engineering, Service (systems architecture), business.industry, Process (engineering), Computer science, Symbolic execution, computer.software_genre, Embedded software, Software, Systems management, Software engineering, business, Computer-aided software engineering, computer, Software evolution

Abstract

This is the second part of our Special Issue on Innovative Automated Software Engineering Tools. Over 30 papers were submitted to the special issue, demonstrating the key role that tools have in the ASE research and practice communities. The five accepted papers appearing in this second part of the special issue underwent rigorous refereeing, major and minor revisions and then were selected for their scientific contributions. Coincidentally the papers cover an interesting range of ASE tool application areas, including model-based testing, embedded software engineering, symbolic execution and model checking, process-centred environments, and software evolution. Several of these innovative tools adopt service-based and compositional approaches to tool integration. Most have been validated not only on academic problems but also with significant industrial applications and software teams. We would like to thank very much the efforts of all authors of papers both appearing in the special issue, but also those whose work we were unable to accept. We also would like to thank the large number of referees from the automated software engineering community who we had to draw upon very heavily in this process. Finally, we thank Anand David from Springer for excellent assistance with editorial system management and production work, and Bob Hall for having the faith in us to Guest Edit this special issue.

Published

2013