Syari'at Cadar Bagi Wanita Muslimah (Bantahan Seputar Syubhat Tentang Cadar)
EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski,...
-
Upload
dale-doyle -
Category
Documents
-
view
223 -
download
0
Transcript of EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski,...
![Page 1: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/1.jpg)
EXE: Automatically Generating Inputs of Death
Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler
13th ACM conference on Computer and
communications security (CCS), 2006
Presented By: Clayton Andrews
![Page 2: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/2.jpg)
Outline
EXE Motivation Real bugs How to use Example STP
Optimization
Experiments
Search Heuristics
Conclusion
Contributions
![Page 3: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/3.jpg)
EXE
EXecution generated Executions
An effective-bug finding tool
Not manual or randomly constructed input
Runs on symbolic input allowed to be “anything”
![Page 4: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/4.jpg)
EXE
Code can generate its own test cases
Runs the code on all inputs at once
Follows all paths
![Page 5: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/5.jpg)
Motivation
Possible paths of code execution can be large Manual testing far from exhaustive Difficult for developers to reason all paths
Random testing not sufficient Suppose bug exists for 1 input of 100 trillion
Dynamic tools require initial test cases Presents same problem as manual test
![Page 6: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/6.jpg)
Real Bugs
Berkeley Packet Filter Evil packet filters exploit buffer overruns
udhcpd DHCP server Generates packets that invalid reads/writes
pcre library Bad regular expressions that compromise
![Page 7: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/7.jpg)
How to Use
Simply call the method make_symbolic() on any input that is unconstrained
Compiled using the EXE compiler, exe-cc
Then compiled using a standard compiler E.g. gcc
![Page 8: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/8.jpg)
Example
![Page 9: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/9.jpg)
STP
EXE's constraint solver More precisely a decision procedure
Decision procedures Determine satisfiability of logic formulas Express constraints to satisfy an expression
![Page 10: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/10.jpg)
STP
Co-designed for EXE
Faster than CVCL, a similar system 550x faster
![Page 11: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/11.jpg)
Optimizations
Caching EXE caches results of satisfiability queries
Constraint independence Breaks apart constraints into subsets (A[1]= A[2]+ A[3]) (A[2] >A[4]) (A[7]= A[8])∧ ∧
(A[1]= A[2]+ A[3]) (A[2] >A[4])∧ A[7]= A[8]
![Page 12: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/12.jpg)
Experiments
Bpf, pcre, udhcpd, expant and tcpdump
![Page 13: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/13.jpg)
Search Heuristics
Every time EXE forks it must choose a path
By default, EXE uses depth-first search
Use heuristics to choose “interesting” paths
![Page 14: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/14.jpg)
Search Heuristics
Their BFS uses a mixture of best-first and depth-first search
New heuristics are easy to plugin
![Page 15: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/15.jpg)
Conclusion
EXE uses symbolic execution to find bugs
STP was co-designed to be fast
EXE was powerful enough to uncover bugs in real programs
![Page 16: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/16.jpg)
Contributions
The decision procedure STP was created
Code can be tested through all paths at once
Does not rely on manual input or “luck”
![Page 17: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/17.jpg)
Reference
"EXE: automatically generating inputs of death", Cadar, Cristian and Ganesh, Vijay and Pawlowski, Peter M. and Dill, David L. and Engler, Dawson R., 13th ACM conference on Computer and communications security (CCS), 2006.
![Page 18: EXE: Automatically Generating Inputs of Death Cristian Cadar, Vijay Ganesh, Peter M. Pawlowski, David L. Dill, Dawson R. Engler 13th ACM conference on.](https://reader035.fdocuments.net/reader035/viewer/2022062407/56649f515503460f94c74a66/html5/thumbnails/18.jpg)
Questions?