Self-adjusting binary search trees
Journal of the ACM (JACM)
The art of computer programming, volume 3: (2nd ed.) sorting and searching
The art of computer programming, volume 3: (2nd ed.) sorting and searching
CSSV: towards a realistic tool for statically detecting all buffer overflows in C
PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Testing static analysis tools using exploitable buffer overflows from open source code
Proceedings of the 12th ACM SIGSOFT twelfth international symposium on Foundations of software engineering
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Test input generation for java containers using state matching
Proceedings of the 2006 international symposium on Software testing and analysis
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
Compositional dynamic test generation
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Buffer Overflow Attacks
Using Valgrind to detect undefined value errors with bit-precision
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Randomized Differential Testing as a Prelude to Formal Verification
ICSE '07 Proceedings of the 29th international conference on Software Engineering
Valgrind: a framework for heavyweight dynamic binary instrumentation
Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
High coverage detection of input-related security facults
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Predictive testing: amplifying the effectiveness of software testing
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Directed test generation using symbolic grammars
Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
A decision procedure for bit-vectors and arrays
CAV'07 Proceedings of the 19th international conference on Computer aided verification
Symbolic String Verification: Combining String Analysis and Size Analysis
TACAS '09 Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems: Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009,
Precise pointer reasoning for dynamic test generation
Proceedings of the eighteenth international symposium on Software testing and analysis
Loop-extended symbolic execution on binary programs
Proceedings of the eighteenth international symposium on Software testing and analysis
Reducing Test Inputs Using Information Partitions
CAV '09 Proceedings of the 21st International Conference on Computer Aided Verification
SUDS: an infrastructure for creating dynamic software defect detection tools
Automated Software Engineering
Automatic detection of unsafe component loadings
Proceedings of the 19th international symposium on Software testing and analysis
On test repair using symbolic execution
Proceedings of the 19th international symposium on Software testing and analysis
Automatic partial loop summarization in dynamic test generation
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Linear obfuscation to combat symbolic execution
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
(Quickly) testing the tester via path coverage
WODA '09 Proceedings of the Seventh International Workshop on Dynamic Analysis
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
CLSE: closed-loop symbolic execution
NFM'12 Proceedings of the 4th international conference on NASA Formal Methods
Monitoring Buffer Overflow Attacks: A Perennial Task
International Journal of Secure Software Engineering
State of the art: Dynamic symbolic execution for automated test generation
Future Generation Computer Systems
ARMORY: An automatic security testing tool for buffer overflow defect detection
Computers and Electrical Engineering
A distributed framework for demand-driven software vulnerability detection
Journal of Systems and Software
Hi-index | 0.00 |
We present Splat, a tool for automatically generating inputs that lead to memory safety violations in C programs. Splat performs directed random testing of the code, guided by symbolic execution. However, instead of representing the entire contents of an input buffer symbolically, Splat tracks only a prefix of the buffer symbolically, and a symbolic length that may exceed the size of the symbolic prefix. The part of the buffer beyond the symbolic prefix is filled with concrete random inputs. The use of symbolic buffer lengths makes it possible to compactly summarize the behavior of standard buffer manipulation functions, such as string library functions, leading to a more scalable search for possible memory errors. While reasoning only about prefixes of buffer contents makes the search theoretically incomplete, we experimentally demonstrate that the symbolic length abstraction is both scalable and sufficient to uncover many real buffer overflows in C programs. In experiments on a set of benchmarks developed independently to evaluate buffer overflow checkers, Splat was able to detect buffer overflows quickly, sometimes several orders of magnitude faster than when symbolically representing entire buffers. Splat was also able to find two previously unknown buffer overflows in a heavily-tested storage system.