ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
EXE: automatically generating inputs of death
Full text PdfPdf (407 KB)
Source Conference on Computer and Communications Security archive
Proceedings of the 13th ACM conference on Computer and communications security table of contents
Alexandria, Virginia, USA
SESSION: Software and network exploits table of contents
Pages: 322 - 335  
Year of Publication: 2006
ISBN:1-59593-518-5
Authors
Cristian Cadar  Stanford University, Stanford, CA
Vijay Ganesh  Stanford University, Stanford, CA
Peter M. Pawlowski  Stanford University, Stanford, CA
David L. Dill  Stanford University, Stanford, CA
Dawson R. Engler  Stanford University, Stanford, CA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 18,   Downloads (12 Months): 146,   Citation Count: 38
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1180405.1180445
What is a DOI?

ABSTRACT

This paper presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be "anything." As checked code runs, EXE tracks the constraints on each symbolic (i.e., input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow any value that causes a bug.When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP. Because EXE's constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code).EXE works well on real code, finding bugs along with inputs that trigger them in: the BSD and Linux packet filter implementations, the udhcpd DHCP server, the pcre regular expression library, and three Linux file systems.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
T. Ball. A theory of predicate-complete test coverage and generation. In Proceedings of the Third International Symposium on Formal Methods for Components and Objects, Nov. 2004.
 
2
T. Ball and R. B. Jones, editors. Computer Aided Verification, 18th International Conference, CAV 2006, Seattle, WA, USA, August 17-20, 2006, Proceedings, volume 4144 of Lecture Notes in Computer Science. Springer, 2006.
3
Thomas Ball , Rupak Majumdar , Todd Millstein , Sriram K. Rajamani, Automatic predicate abstraction of C programs, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.203-213, June 2001, Snowbird, Utah, United States
 
4
Thomas Ball , Sriram K. Rajamani, Automatically validating temporal safety properties of interfaces, Proceedings of the 8th international SPIN workshop on Model checking of software, p.103-122, May 2001, Toronto, Ontario, Canada
 
5
C. Barrett and S. Berezin. CVC Lite: A new implementation of the cooperating validity checker. In R. Alur and D. A. Peled, editors, CAV, Lecture Notes in Computer Science. Springer, 2004.
 
6
C. Barrett, S. Berezin, I. Shikanian, M. Chechik, A. Gurfinkel, and D. L. Dill. A practical approach to partial functions in CVC Lite. In PDPAR'04 Workshop, Cork, Ireland, July 2004.
7
Robert S. Boyer , Bernard Elspas , Karl N. Levitt, SELECT—a formal system for testing and debugging programs by symbolic execution, ACM SIGPLAN Notices, v.10 n.6, p.234-245, June 1975
 
8
Willem Visser , Klaus Havelund , Guillaume Brat , SeungJoon Park, Model Checking Programs, Proceedings of the 15th IEEE international conference on Automated software engineering, p.3, September 11-15, 2000
 
9
David Brumley , James Newsome , Dawn Song , Hao Wang , Somesh Jha, Towards Automatic Generation of Vulnerability-Based Signatures, Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), p.2-16, May 21-24, 2006  [doi>10.1109/SP.2006.41]
 
10
Randal E. Bryant , Shuvendu K. Lahiri , Sanjit A. Seshia, Modeling and Verifying Systems Using a Logic of Counter Arithmetic with Lambda Expressions and Uninterpreted Functions, Proceedings of the 14th International Conference on Computer Aided Verification, p.78-92, July 27-31, 2002
 
11
William R. Bush , Jonathan D. Pincus , David J. Sielaff, A static analyzer for finding dynamic programming errors, Software—Practice & Experience, v.30 n.7, p.775-802, June 2000  [doi>10.1002/(SICI)1097-024X(200006)30:7<775::AID-SPE309>3.0.CO;2-H]
 
12
C. Cadar and D. Engler. Execution generated test cases: How to make systems code crash itself. In Proceedings of the 12th International SPIN Workshop on Model Checking of Software, August 2005. A longer version of this paper appeared as Technical Report CSTR-2005-04, Computer Systems Laboratory, Stanford University.
13
Edmund Clarke , Daniel Kroening, Hardware verification using ANSI-C programs as a reference, Proceedings of the 2003 conference on Asia South Pacific design automation, January 21-24, 2003, Kitakyushu, Japan  [doi>10.1145/1119772.1119831]
 
14
B. Cook, D. Kroening, and N. Sharygina. Cogent: Accurate theorem proving for program verification. In K. Etessami and S. K. Rajamani, editors, Proceedings of CAV 2005, volume 3576 of Lecture Notes in Computer Science, pages 296--300. Springer Verlag, 2005.
15
James C. Corbett , Matthew B. Dwyer , John Hatcliff , Shawn Laubach , Corina S. Păsăreanu , Robby , Hongjun Zheng, Bandera: extracting finite-state models from Java source code, Proceedings of the 22nd international conference on Software engineering, p.439-448, June 04-11, 2000, Limerick, Ireland  [doi>10.1145/337180.337234]
 
16
Thomas H. Cormen , Clifford Stein , Ronald L. Rivest , Charles E. Leiserson, Introduction to Algorithms, McGraw-Hill Higher Education, 2001
 
17
SWAT: the Coverity software analysis toolset. http://coverity.com.
18
Manuvir Das , Sorin Lerner , Mark Seigle, ESP: path-sensitive program verification in polynomial time, Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, June 17-19, 2002, Berlin, Germany
19
Robert DeLine , Manuel Fähndrich, Enforcing high-level protocols in low-level software, Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation, p.59-69, June 2001, Snowbird, Utah, United States
 
20
N. Een and N. Sorensson. An extensible SAT-solver. In Proc. of the Sixth International Conference on Theory and Applications of Satisfiability Testing, pages 78--92, May 2003.
21
Roger Ferguson , Bogdan Korel, The chaining approach for software test data generation, ACM Transactions on Software Engineering and Methodology (TOSEM), v.5 n.1, p.63-86, Jan. 1996  [doi>10.1145/226155.226158]
22
Cormac Flanagan , Stephen N. Freund, Type-based race detection for Java, Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation, p.219-232, June 18-21, 2000, Vancouver, British Columbia, Canada
23
Cormac Flanagan , K. Rustan M. Leino , Mark Lillibridge , Greg Nelson , James B. Saxe , Raymie Stata, Extended static checking for Java, Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, June 17-19, 2002, Berlin, Germany
24
Jeffrey S. Foster , Tachio Terauchi , Alex Aiken, Flow-sensitive type qualifiers, Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, June 17-19, 2002, Berlin, Germany
25
Patrice Godefroid, Model checking for programming languages using VeriSoft, Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.174-186, January 15-17, 1997, Paris, France  [doi>10.1145/263699.263717]
26
Patrice Godefroid , Nils Klarlund , Koushik Sen, DART: directed automated random testing, Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, June 12-15, 2005, Chicago, IL, USA
27
Arnaud Gotlieb , Bernard Botella , Michel Rueher, Automatic test data generation using constraint solving techniques, Proceedings of the 1998 ACM SIGSOFT international symposium on Software testing and analysis, p.53-62, March 02-04, 1998, Clearwater Beach, Florida, United States
28
Neelam Gupta , Aditya P. Mathur , Mary Lou Soffa, Automated test data generation using an iterative relaxation method, Proceedings of the 6th ACM SIGSOFT international symposium on Foundations of software engineering, p.231-244, November 01-05, 1998, Lake Buena Vista, Florida, United States
 
29
R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In Proceedings of the Winter USENIX Conference, Dec. 1992.
 
30
Gerard J. Holzmann, The Model Checker SPIN, IEEE Transactions on Software Engineering, v.23 n.5, p.279-295, May 1997  [doi>10.1109/32.588521]
 
31
Gerard J. Holzmann, From Code to Models, Proceedings of the Second International Conference on Application of Concurrency to System Design, p.3, June 25-29, 2001
 
32
S. Khurshid, C. S. Pasareanu, and W. Visser. Generalized symbolic execution for model checking and testing. In Proceedings of the Ninth International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2003.
 
33
E. Larson and T. Austin. High coverage detection of input-related security faults. In Proceedings of the 12th USENIX Security Symposium, August 2003.
34
Barton P. Miller , Louis Fredriksen , Bryan So, An empirical study of the reliability of UNIX utilities, Communications of the ACM, v.33 n.12, p.32-44, Dec. 1990  [doi>10.1145/96267.96279]
 
35
George C. Necula , Scott McPeak , Shree Prakash Rahul , Westley Weimer, CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs, Proceedings of the 11th International Conference on Compiler Construction, p.213-228, April 08-12, 2002
36
Greg Nelson , Derek C. Oppen, Simplification by Cooperating Decision Procedures, ACM Transactions on Programming Languages and Systems (TOPLAS), v.1 n.2, p.245-257, Oct. 1979  [doi>10.1145/357073.357079]
 
37
N. Nethercote and J. Seward. Valgrind: A program supervision framework. Electronic Notes in Theoretical Computer Science, 89(2), 2003.
 
38
PCRE - Perl Compatible Regular Expressions. http://www.pcre.org/.
 
39
PCRE Regular Expression Heap Overflow. US-CERT Cyber Security Bulletin SB05-334. http://www.us-cert.gov/cas/bulletins/SB05-334.html#pcre.
 
40
O. Ruwase and M. S. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, pages 159--169, 2004.
41
Koushik Sen , Darko Marinov , Gul Agha, CUTE: a concolic unit testing engine for C, Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering, September 05-09, 2005, Lisbon, Portugal
 
42
D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In The 2000 Network and Distributed Systems Security Conference. San Diego, CA, Feb. 2000.
43
Yichen Xie , Alex Aiken, Scalable error detection using boolean satisfiability, Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.351-363, January 12-14, 2005, Long Beach, California, USA
 
44
Y. Xie and A. Aiken. Saturn: A SAT-based tool for bug detection. In K. Etessami and S. K. Rajamani, editors, CAV, volume 3576 of Lecture Notes in Computer Science, pages 139--143. Springer, 2005.
 
45
Junfeng Yang , Can Sar , Paul Twohey , Cristian Cadar , Dawson Engler, Automatically Generating Malicious Disks using Symbolic Execution, Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), p.243-257, May 21-24, 2006  [doi>10.1109/SP.2006.7]
 
46
J. Yang, P. Twohey, D. Engler, and M. Musuvathi. Using model checking to find serious file system errors. In Symposium on Operating Systems Design and Implementation, December 2004.

CITED BY  38
Gary Wassermann , Dachuan Yu , Ajay Chander , Dinakar Dhurjati , Hiroshi Inamura , Zhendong Su, Dynamic test input generation for web applications, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
David Brumley , Juan Caballero , Zhenkai Liang , James Newsome , Dawn Song, Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
Rupak Majumdar , Ru-Gang Xu, Directed test generation using symbolic grammars, Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, November 05-09, 2007, Atlanta, Georgia, USA
Dawson Engler , Daniel Dunbar, Under-constrained execution: making automatic code destruction easy and scalable, Proceedings of the 2007 international symposium on Software testing and analysis, p.1-4, July 09-12, 2007, London, United Kingdom
Will Archer , Philip Levis , John Regehr, Interface contracts for TinyOS, Proceedings of the 6th international conference on Information processing in sensor networks, April 25-27, 2007, Cambridge, Massachusetts, USA
Marcelo d'Amorim , Steven Lauterburg , Darko Marinov, Delta execution for efficient state-space exploration of object-oriented programs, Proceedings of the 2007 international symposium on Software testing and analysis, July 09-12, 2007, London, United Kingdom
Patrice Godefroid , Adam Kiezun , Michael Y. Levin, Grammar-based whitebox fuzzing, ACM SIGPLAN Notices, v.43 n.6, June 2008
Will Drewry , Tavis Ormandy, Flayer: exposing application internals, Proceedings of the first conference on First USENIX Workshop on Offensive Technologies, p.1-1, August 06, 2007, Boston, MA
Andrea Lanzi , Lorenzo Martignoni , Mattia Monga , Roberto Paleari, A Smart Fuzzer for x86 Executables, Proceedings of the Third International Workshop on Software Engineering for Secure Systems, p.7, May 20-26, 2007
Miguel Castro , Manuel Costa , Jean-Philippe Martin, Better bug reporting with better privacy, ACM SIGPLAN Notices, v.43 n.3, March 2008
Ru-Gang Xu , Patrice Godefroid , Rupak Majumdar, Testing for buffer overflows with length abstraction, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Manuel Costa , Miguel Castro , Lidong Zhou , Lintao Zhang , Marcus Peinado, Bouncer: securing software by blocking bad input, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
Corina S. Pǎsǎreanu , Peter C. Mehlitz , David H. Bushnell , Karen Gundy-Burlet , Michael Lowry , Suzette Person , Mark Pape, Combining unit-level symbolic execution and system-level concrete execution for testing nasa software, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Carlos Pacheco , Shuvendu K. Lahiri , Thomas Ball, Finding errors in .net with feedback-directed random testing, Proceedings of the 2008 international symposium on Software testing and analysis, July 20-24, 2008, Seattle, WA, USA
Michael Martin , Monica S. Lam, Automatic generation of XSS and SQL injection attacks with goal-directed model checking, Proceedings of the 17th conference on Security symposium, p.31-43, July 28-August 01, 2008, San Jose, CA
Nikolai Tillmann , Jonathan de Halleux, White-box testing of behavioral web service contracts with Pex, Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications, p.47-48, July 21-21, 2008, Seattle, Washington
Rupak Majumdar , Ru-Gang Xu, Directed test generation using symbolic grammars, Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering, September 03-07, 2007, Dubrovnik, Croatia
Lingxiao Jiang , Zhendong Su, Context-aware statistical debugging: from bug predictors to faulty control flow paths, Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering, November 05-09, 2007, Atlanta, Georgia, USA
Daniel Kroening , Sanjit A. Seshia, Formal verification at higher levels of abstraction, Proceedings of the 2007 IEEE/ACM international conference on Computer-aided design, November 05-08, 2007, San Jose, California
Christoph Csallner , Yannis Smaragdakis , Tao Xie, DSD-Crasher: A hybrid analysis tool for bug finding, ACM Transactions on Software Engineering and Methodology (TOSEM), v.17 n.2, p.1-37, April 2008
Rupak Majumdar , Ru-Gang Xu, Directed test generation using symbolic grammars, The 6th Joint Meeting on European software engineering conference and the ACM SIGSOFT symposium on the foundations of software engineering: companion papers, September 03-07, 2007, Dubrovnik, Croatia
Anastasis A. Sofokleous , Andreas S. Andreou, Automatic, evolutionary test data generation for dynamic software testing, Journal of Systems and Software, v.81 n.11, p.1883-1898, November, 2008
Hui Liu , Hee Beng Kuan Tan, Covering code behavior on input validation in functional testing, Information and Software Technology, v.51 n.2, p.546-553, February, 2009
Lingxiao Jiang , Zhendong Su, Profile-guided program simplification for effective testing and analysis, Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering, November 09-14, 2008, Atlanta, Georgia
Patrice Godefroid , Michael Y. Levin , David A. Molnar, Active property checking, Proceedings of the 7th ACM international conference on Embedded software, October 19-24, 2008, Atlanta, GA, USA
Cristian Cadar , Vijay Ganesh , Peter M. Pawlowski , David L. Dill , Dawson R. Engler, EXE: Automatically Generating Inputs of Death, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-38, December 2008
Nishant Sinha, Symbolic program analysis using term rewriting and generalization, Proceedings of the 2008 International Conference on Formal Methods in Computer-Aided Design, p.1-9, November 17-20, 2008, Portland, Oregon
Prateek Saxena , Pongsin Poosankam , Stephen McCamant , Dawn Song, Loop-extended symbolic execution on binary programs, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Danhua Shao , Sarfraz Khurshid , Dewayne E. Perry, Whispec: white-box testing of libraries using declarative specifications, Proceedings of the 2007 Symposium on Library-Centric Software Design, p.11-20, October 21-21, 2007, Montreal, Canada
Adam Kiezun , Vijay Ganesh , Philip J. Guo , Pieter Hooimeijer , Michael D. Ernst, HAMPI: a solver for string constraints, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Junfeng Yang , Tisheng Chen , Ming Wu , Zhilei Xu , Xuezheng Liu , Haoxiang Lin , Mao Yang , Fan Long , Lintao Zhang , Lidong Zhou, MODIST: transparent model checking of unmodified distributed systems, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.213-228, April 22-24, 2009, Boston, Massachusetts
Jacob Burnim , Sudeep Juvekar , Koushik Sen, WISE: Automated test generation for worst-case complexity, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.463-473, May 16-24, 2009
Vijay Ganesh , Tim Leek , Martin Rinard, Taint-based directed whitebox fuzzing, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.474-484, May 16-24, 2009
Lorenzo Martignoni , Roberto Paleari , Giampaolo Fresi Roglia , Danilo Bruschi, Testing CPU emulators, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Bassem Elkarablieh , Patrice Godefroid , Michael Y. Levin, Precise pointer reasoning for dynamic test generation, Proceedings of the eighteenth international symposium on Software testing and analysis, July 19-23, 2009, Chicago, IL, USA
Fadi Zaraket , Wes Masri, Property based coverage criterion, Proceedings of the 2nd International Workshop on Defects in Large Software Systems: Held in conjunction with the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2009), July 19-19, 2009, Chicago, Illinois
Pieter Hooimeijer , Westley Weimer, A decision procedure for subset constraints over regular languages, ACM SIGPLAN Notices, v.44 n.6, June 2009
V. V. Kuliamin, Integration of verification methods for program systems, Programming and Computing Software, v.35 n.4, p.212-222, July 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.5 Testing and Debugging
          Subjects: Testing tools (e.g., data generators, coverage testing)

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.5 Testing and Debugging
          Subjects: Symbolic execution


General Terms:
Languages, Reliability


Keywords:
attack generation, bug finding, constraint solving, dynamic analysis, symbolic execution, test case generation

Collaborative Colleagues:
Cristian Cadar: colleagues
Vijay Ganesh: colleagues
Peter M. Pawlowski: colleagues
David L. Dill: colleagues
Dawson R. Engler: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player