An empirical study of the reliability of UNIX utilities
Communications of the ACM
The chaining approach for software test data generation
ACM Transactions on Software Engineering and Methodology (TOSEM)
IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
Model checking for programming languages using VeriSoft
Proceedings of the 24th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Automatic test data generation using constraint solving techniques
Proceedings of the 1998 ACM SIGSOFT international symposium on Software testing and analysis
Automated test data generation using an iterative relaxation method
SIGSOFT '98/FSE-6 Proceedings of the 6th ACM SIGSOFT international symposium on Foundations of software engineering
Bandera: extracting finite-state models from Java source code
Proceedings of the 22nd international conference on Software engineering
A static analyzer for finding dynamic programming errors
Software—Practice & Experience
Type-based race detection for Java
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Simplification by Cooperating Decision Procedures
ACM Transactions on Programming Languages and Systems (TOPLAS)
Enforcing high-level protocols in low-level software
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Automatic predicate abstraction of C programs
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Automatically validating temporal safety properties of interfaces
SPIN '01 Proceedings of the 8th international SPIN workshop on Model checking of software
Flow-sensitive type qualifiers
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
ESP: path-sensitive program verification in polynomial time
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Extended static checking for Java
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
Introduction to Algorithms
CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs
CC '02 Proceedings of the 11th International Conference on Compiler Construction
CVC: A Cooperating Validity Checker
CAV '02 Proceedings of the 14th International Conference on Computer Aided Verification
CAV '02 Proceedings of the 14th International Conference on Computer Aided Verification
ACSD '01 Proceedings of the Second International Conference on Application of Concurrency to System Design
ASE '00 Proceedings of the 15th IEEE international conference on Automated software engineering
SELECT—a formal system for testing and debugging programs by symbolic execution
Proceedings of the international conference on Reliable software
Scalable error detection using boolean satisfiability
Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
DART: directed automated random testing
Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Hardware verification using ANSI-C programs as a reference
ASP-DAC '03 Proceedings of the 2003 Asia and South Pacific Design Automation Conference
Towards Automatic Generation of Vulnerability-Based Signatures
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Automatically Generating Malicious Disks using Symbolic Execution
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
EXE: automatically generating inputs of death
Proceedings of the 13th ACM conference on Computer and communications security
Using model checking to find serious file system errors
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
High coverage detection of input-related security facults
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Generalized symbolic execution for model checking and testing
TACAS'03 Proceedings of the 9th international conference on Tools and algorithms for the construction and analysis of systems
A theory of predicate-complete test coverage and generation
FMCO'04 Proceedings of the Third international conference on Formal Methods for Components and Objects
Proceedings of the 18th international conference on Computer Aided Verification
CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Saturn: a SAT-based tool for bug detection
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Cogent: accurate theorem proving for program verification
CAV'05 Proceedings of the 17th international conference on Computer Aided Verification
Execution generated test cases: how to make systems code crash itself
SPIN'05 Proceedings of the 12th international conference on Model Checking Software
On test repair using symbolic execution
Proceedings of the 19th international symposium on Software testing and analysis
Proceedings of the FSE/SDP workshop on Future of software engineering research
SPIN'10 Proceedings of the 17th international SPIN conference on Model checking software
Finding complex concurrency bugs in large multi-threaded applications
Proceedings of the sixth conference on Computer systems
Symbolic execution with mixed concrete-symbolic solving
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Selecting peers for execution comparison
Proceedings of the 2011 International Symposium on Software Testing and Analysis
Checksum-Aware Fuzzing Combined with Dynamic Taint Analysis and Symbolic Execution
ACM Transactions on Information and System Security (TISSEC)
MACE: model-inference-assisted concolic exploration for protocol and vulnerability discovery
SEC'11 Proceedings of the 20th USENIX conference on Security
Usable verification of object-oriented programs by combining static and dynamic techniques
SEFM'11 Proceedings of the 9th international conference on Software engineering and formal methods
A slice-based decision procedure for type-based partial orders
IJCAR'10 Proceedings of the 5th international conference on Automated Reasoning
Information needs for software development analytics
Proceedings of the 34th International Conference on Software Engineering
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
STING: finding name resolution vulnerabilities in programs
Security'12 Proceedings of the 21st USENIX conference on Security symposium
SMT solvers for software security
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
S2PF: speculative symbolic PathFinder
ACM SIGSOFT Software Engineering Notes
SymDrive: testing drivers without devices
OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
Test-case generation and bug-finding through symbolic execution
Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference
Green: reducing, reusing and recycling constraints in program analysis
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
Bounded-Interference sequentialization for testing concurrent programs
ISoLA'12 Proceedings of the 5th international conference on Leveraging Applications of Formal Methods, Verification and Validation: technologies for mastering change - Volume Part I
Augmenting vulnerability analysis of binary code
Proceedings of the 28th Annual Computer Security Applications Conference
Coverage-directed observability-based validation for embedded software
ACM Transactions on Design Automation of Electronic Systems (TODAES)
Explicating symbolic execution (xSymExe): an evidence-based verification framework
Proceedings of the 2013 International Conference on Software Engineering
Steering symbolic execution to less traveled paths
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
WCET squeezing: on-demand feasibility refinement for proven precise WCET-bounds
Proceedings of the 21st International conference on Real-Time Networks and Systems
Simseer and bugwise: web services for binary-level software similarity and defect detection
AusPDC '13 Proceedings of the Eleventh Australasian Symposium on Parallel and Distributed Computing - Volume 140
Hi-index | 0.00 |
This article presents EXE, an effective bug-finding tool that automatically generates inputs that crash real code. Instead of running code on manually or randomly constructed input, EXE runs it on symbolic input initially allowed to be anything. As checked code runs, EXE tracks the constraints on each symbolic (i.e., input-derived) memory location. If a statement uses a symbolic value, EXE does not run it, but instead adds it as an input-constraint; all other statements run as usual. If code conditionally checks a symbolic expression, EXE forks execution, constraining the expression to be true on the true branch and false on the other. Because EXE reasons about all possible values on a path, it has much more power than a traditional runtime tool: (1) it can force execution down any feasible program path and (2) at dangerous operations (e.g., a pointer dereference), it detects if the current path constraints allow any value that causes a bug. When a path terminates or hits a bug, EXE automatically generates a test case by solving the current path constraints to find concrete values using its own co-designed constraint solver, STP. Because EXE’s constraints have no approximations, feeding this concrete input to an uninstrumented version of the checked code will cause it to follow the same path and hit the same bug (assuming deterministic code). EXE works well on real code, finding bugs along with inputs that trigger them in: the BSD and Linux packet filter implementations, the dhcpd DHCP server, the pcre regular expression library, and three Linux file systems.