The Experts below are selected from a list of 360 Experts worldwide ranked by ideXlab platform
Patrice Godefroid - One of the best experts on this subject based on the ideXlab platform.
-
automatic partial loop summarization in Dynamic Test generation
International Symposium on Software Testing and Analysis, 2011Co-Authors: Patrice Godefroid, Daniel LuchaupAbstract:Whitebox fuzzing extends Dynamic Test generation based on symbolic execution and constraint solving from unit Testing to whole-application security Testing. Unfortunately, input-dependent loops may cause an explosion in the number of constraints to be solved and in the number of execution paths to be explored. In practice, whitebox fuzzers arbitrarily bound the number of constraints and paths due to input-dependent loops, at the risk of missing code and bugs. In this work, we investigate the use of simple loop-guard pattern-matching rules to automatically guess an input constraint defining the number of iterations of input-dependent loops during Dynamic symbolic execution. We discover the loop structure of the program on the fly, detect induction variables, which are variables modified by a constant value during loop iterations, and infer simple partial loop invariants relating the value of such variables. Whenever a guess is confirmed later during the current Dynamic symbolic execution, we then inject new constraints representing pre and post loop conditions, effectively summarizing sets of executions of that loop. These pre and post conditions are derived from partial loop invariants synthesized Dynamically using pattern-matching rules on the loop guards and induction variables, without requiring any static analysis, theorem proving, or input-format specification. This technique has been implemented in the whitebox fuzzer SAGE, scales to large programs with many nested loops, and we present results of experiments with a Windows 7 image parser.
-
automatic partial loop summarization in Dynamic Test generation
International Symposium on Software Testing and Analysis, 2011Co-Authors: Patrice Godefroid, Daniel LuchaupAbstract:Whitebox fuzzing extends Dynamic Test generation based on symbolic execution and constraint solving from unit Testing to whole-application security Testing. Unfortunately, input-dependent loops may cause an explosion in the number of constraints to be solved and in the number of execution paths to be explored. In practice, whitebox fuzzers arbitrarily bound the number of constraints and paths due to input-dependent loops, at the risk of missing code and bugs. In this work, we investigate the use of simple loop-guard pattern-matching rules to automatically guess an input constraint defining the number of iterations of input-dependent loops during Dynamic symbolic execution. We discover the loop structure of the program on the fly, detect induction variables, which are variables modified by a constant value during loop iterations, and infer simple partial loop invariants relating the value of such variables. Whenever a guess is confirmed later during the current Dynamic symbolic execution, we then inject new constraints representing pre and post loop conditions, effectively summarizing sets of executions of that loop. These pre and post conditions are derived from partial loop invariants synthesized Dynamically using pattern-matching rules on the loop guards and induction variables, without requiring any static analysis, theorem proving, or input-format specification. This technique has been implemented in the whitebox fuzzer SAGE, scales to large programs with many nested loops, and we present results of experiments with a Windows 7 image parser.
-
symbolic execution for software Testing in practice preliminary assessment
International Conference on Software Engineering, 2011Co-Authors: Cristian Cadar, Koushik Sen, Patrice Godefroid, Sarfraz Khurshid, Corina S Păsăreanu, Nikolai Tillmann, Willem VisserAbstract:We present results for the "Impact Project Focus Area" on the topic of symbolic execution as used in software Testing. Symbolic execution is a program analysis technique introduced in the 70s that has received renewed interest in recent years, due to algorithmic advances and increased availability of computational power and constraint solving technology. We review classical symbolic execution and some modern extensions such as generalized symbolic execution and Dynamic Test generation. We also give a preliminary assessment of the use in academia, research labs, and industry.
-
compositional Dynamic Test generation
Symposium on Principles of Programming Languages, 2007Co-Authors: Patrice GodefroidAbstract:Dynamic Test generation is a form of Dynamic program analysis that attempts to compute Test inputs to drive a program along a specific program path. Directed Automated Random Testing, or DART for short, blends Dynamic Test generation with model checking techniques with the goal of systematically executing all feasible program paths of a program while detecting various types of errors using run-time checking tools (like Purify, for instance). Unfortunately, systematically executing all feasible program paths does not scale to large, realistic programs.This paper addresses this major limitation and proposes to perform Dynamic Test generation compositionally, by adapting known techniques for interprocedural static analysis. Specifically, we introduce a new algorithm, dubbed SMART for Systematic Modular Automated Random Testing, that extends DART by Testing functions in isolation, encoding Test results as function summaries expressed using input preconditions and output postconditions, and then re-using those summaries when Testing higher-level functions. We show that, for a fixed reasoning capability, our compositional approach to Dynamic Test generation (SMART) is both sound and complete compared to monolithic Dynamic Test generation (DART). In other words, SMART can perform Dynamic Test generation compositionally without any reduction in program path coverage. We also show that, given a bound on the maximum number of feasible paths in individual program functions, the number of program executions explored by SMART is linear in that bound, while the number of program executions explored by DART can be exponential in that bound. We present examples of C programs and preliminary experimental results that illustrate and validate empirically these properties.
Hiroshi Inamura - One of the best experts on this subject based on the ideXlab platform.
-
Dynamic Test input generation for web applications
International Symposium on Software Testing and Analysis, 2008Co-Authors: Gary Wassermann, Ajay Chander, Dinakar Dhurjati, Hiroshi InamuraAbstract:Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The Dynamic features commonly supported by these languages significantly inhibit static analysis and existing static analysis of these languages can fail to produce meaningful results on realworld web applications. Automated Test input generation using the concolic Testing framework has proven useful for finding bugs and improving Test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays. In this paper, we propose an automated input Test generation algorithm that uses runtime values to analyze Dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic Testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.
Koushik Sen - One of the best experts on this subject based on the ideXlab platform.
-
symbolic execution for software Testing in practice preliminary assessment
International Conference on Software Engineering, 2011Co-Authors: Cristian Cadar, Koushik Sen, Patrice Godefroid, Sarfraz Khurshid, Corina S Păsăreanu, Nikolai Tillmann, Willem VisserAbstract:We present results for the "Impact Project Focus Area" on the topic of symbolic execution as used in software Testing. Symbolic execution is a program analysis technique introduced in the 70s that has received renewed interest in recent years, due to algorithmic advances and increased availability of computational power and constraint solving technology. We review classical symbolic execution and some modern extensions such as generalized symbolic execution and Dynamic Test generation. We also give a preliminary assessment of the use in academia, research labs, and industry.
-
Heuristics for scalable Dynamic Test generation
ASE 2008 - 23rd IEEE ACM International Conference on Automated Software Engineering Proceedings, 2008Co-Authors: Jacob Burnim, Koushik SenAbstract:Recently there has been great success in using symbolic execution to automatically generate Test inputs for small software systems. A primary challenge in scaling such approaches to larger programs is the combinatorial explosion of the path space. It is likely that sophisticated strategies for searching this path space are needed to generate inputs that effectively Test large programs (by, e.g., achieving significant branch coverage). We present several such heuristic search strategies, including a novel strategy guided by the control flow graph of the program under Test. We have implemented these strategies in CREST, our open source concolic Testing tool for C, and evaluated them on two widely-used software tools, grep 2.2 (15 K lines of code) and Vim 5.7 (150 K lines). On these benchmarks, the presented heuristics achieve significantly greater branch coverage on the same Testing budget than concolic Testing with a traditional depth-first search strategy.
-
Dynamic Test input generation for database applications
International Symposium on Software Testing and Analysis, 2007Co-Authors: Michael Emmi, Rupak Majumdar, Koushik SenAbstract:We describe an algorithm for automatic Test input generation for database applications. Given a program in an imperative language that interacts with a database through API calls, our algorithm generates both input data for the program as well as suitable database records to systematically explore all paths of the program, including those paths whose execution depend on data returned by database queries. Our algorithm is based on concolic execution, where the program is run with concrete inputs and simultaneously also with symbolic inputs for both program variables as well as the database state. The symbolic constraints generated along a path enable us to derive new input values and new database records that can cause execution to hit uncovered paths. Simultaneously, the concrete execution helps to retain precision in the symbolic computations by allowing Dynamic values to be used in the symbolic executor. This allows our algorithm, for example, to identify concrete SQL queries made by the program, even if these queries are built Dynamically. The contributions of this paper are the following. We develop an algorithm that can track symbolic constraints across language boundaries and use those constraints in conjunction with a novel constraint solver to generate both program inputs and database state. We propose a constraint solver that can solve symbolic constraints consisting of both linear arithmetic constraints over variables as well as string constraints (string equality, disequality, as well as membership in regular languages). Finally, we provide an evaluation of the algorithm on a Java implementation of MediaWiki, a popular wiki package that interacts with a database back-end.
Daniel Luchaup - One of the best experts on this subject based on the ideXlab platform.
-
automatic partial loop summarization in Dynamic Test generation
International Symposium on Software Testing and Analysis, 2011Co-Authors: Patrice Godefroid, Daniel LuchaupAbstract:Whitebox fuzzing extends Dynamic Test generation based on symbolic execution and constraint solving from unit Testing to whole-application security Testing. Unfortunately, input-dependent loops may cause an explosion in the number of constraints to be solved and in the number of execution paths to be explored. In practice, whitebox fuzzers arbitrarily bound the number of constraints and paths due to input-dependent loops, at the risk of missing code and bugs. In this work, we investigate the use of simple loop-guard pattern-matching rules to automatically guess an input constraint defining the number of iterations of input-dependent loops during Dynamic symbolic execution. We discover the loop structure of the program on the fly, detect induction variables, which are variables modified by a constant value during loop iterations, and infer simple partial loop invariants relating the value of such variables. Whenever a guess is confirmed later during the current Dynamic symbolic execution, we then inject new constraints representing pre and post loop conditions, effectively summarizing sets of executions of that loop. These pre and post conditions are derived from partial loop invariants synthesized Dynamically using pattern-matching rules on the loop guards and induction variables, without requiring any static analysis, theorem proving, or input-format specification. This technique has been implemented in the whitebox fuzzer SAGE, scales to large programs with many nested loops, and we present results of experiments with a Windows 7 image parser.
-
automatic partial loop summarization in Dynamic Test generation
International Symposium on Software Testing and Analysis, 2011Co-Authors: Patrice Godefroid, Daniel LuchaupAbstract:Whitebox fuzzing extends Dynamic Test generation based on symbolic execution and constraint solving from unit Testing to whole-application security Testing. Unfortunately, input-dependent loops may cause an explosion in the number of constraints to be solved and in the number of execution paths to be explored. In practice, whitebox fuzzers arbitrarily bound the number of constraints and paths due to input-dependent loops, at the risk of missing code and bugs. In this work, we investigate the use of simple loop-guard pattern-matching rules to automatically guess an input constraint defining the number of iterations of input-dependent loops during Dynamic symbolic execution. We discover the loop structure of the program on the fly, detect induction variables, which are variables modified by a constant value during loop iterations, and infer simple partial loop invariants relating the value of such variables. Whenever a guess is confirmed later during the current Dynamic symbolic execution, we then inject new constraints representing pre and post loop conditions, effectively summarizing sets of executions of that loop. These pre and post conditions are derived from partial loop invariants synthesized Dynamically using pattern-matching rules on the loop guards and induction variables, without requiring any static analysis, theorem proving, or input-format specification. This technique has been implemented in the whitebox fuzzer SAGE, scales to large programs with many nested loops, and we present results of experiments with a Windows 7 image parser.
Jaakko Keranen - One of the best experts on this subject based on the ideXlab platform.
-
effect of extent of motion and type of load on the wear of polyethylene in a biaxial hip simulator
Journal of Biomedical Materials Research Part B, 2003Co-Authors: Vesa Saikko, Olof Calonius, Jaakko KeranenAbstract:The most commonly used wear Test device for prosthetic hip joints is the so-called biaxial rocking motion (BRM) design. The design has been criticized for its excessive sliding distance per cycle. The design was modified so that the extent of motion was reduced from 46 to 23°, and comparative Tests were run with the use of 1-kN static load. The present authors have earlier used 1-kN static load with good results. To further confirm this finding, additional, comparative Tests were run with double-peak Dynamic load and 46° extent of motion. All three Tests (46°/static, 23°/static and 46°/Dynamic), were done with conventional ultra-high-molecular-weight polyethylene acetabular cups against polished CoCr femoral heads in diluted calf serum lubricant. In all Tests, the principal cup wear mechanism was adhesive, manifested as burnishing. With respect to wear particles, those produced in the 46°/Dynamic Test showed the lowest resemblance to particles isolated from periprosthetic tissues. The 46°/Dynamic Test produced a mean wear rate 43% higher than 46°/static, whereas the 46°/static and 23°/static Tests produced almost identical values. The results indicated that the 46° extent of motion and Dynamic load may not always be the optimal combination in BRM Tests. © 2003 Wiley Periodicals, Inc. J Biomed Mater Res Part B: Appl Biomater 65B: 186–192, 2003
-
effect of extent of motion and type of load on the wear of polyethylene in a biaxial hip simulator
Journal of Biomedical Materials Research, 2003Co-Authors: Vesa Saikko, Olof Calonius, Jaakko KeranenAbstract:The most commonly used wear Test device for prosthetic hip joints is the so-called biaxial rocking motion (BRM) design. The design has been criticized for its excessive sliding distance per cycle. The design was modified so that the extent of motion was reduced from 46 to 23°, and comparative Tests were run with the use of 1-kN static load. The present authors have earlier used 1-kN static load with good results. To further confirm this finding, additional, comparative Tests were run with double-peak Dynamic load and 46° extent of motion. All three Tests (46°/static, 23°/static and 46°/Dynamic), were done with conventional ultrahigh-molecular-weight polyethylene acetabular cups against polished CoCr femoral heads in diluted calf serum lubricant. In all Tests, the principal cup wear mechanism was adhesive, manifested as burnishing. With respect to wear particles, those produced in the 46°/Dynamic Test showed the lowest resemblance to particles isolated from periprosthetic tissues. The 46°/Dynamic Test produced a mean wear rate 43% higher than 46°/static, whereas the 46°/static and 23°/static Tests produced almost identical values. The results indicated that the 46° extent of motion and Dynamic load may not always be the optimal combination in BRM Tests.
