Mixing concrete and symbolic execution to improve the performance of dynamic test generation

Authors:
Gen Li;Kai Lu;Ying Zhang;Xicheng Lu;Wei Zhang
Affiliations:
School of Computer, National University of Defence Technology, ChangSha, China;School of Computer, National University of Defence Technology, ChangSha, China;School of Computer, National University of Defence Technology, ChangSha, China;School of Computer, National University of Defence Technology, ChangSha, China;School of Computer, National University of Defence Technology, ChangSha, China
Venue:
NTMS'09 Proceedings of the 3rd international conference on New technologies, mobility and security
Year:
2009

Citing 10
Cited 0

Specifying representations of machine instructions

ACM Transactions on Programming Languages and Systems (TOPLAS)
DART: directed automated random testing

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
CUTE: a concolic unit testing engine for C

Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
EXE: automatically generating inputs of death

Proceedings of the 13th ACM conference on Computer and communications security
PathExpander: Architectural Support for Increasing the Path Coverage of Dynamic Bug Detection

Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture
Valgrind: a framework for heavyweight dynamic binary instrumentation

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Antfarm: tracking processes in a virtual machine environment

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Random testing for security: blackbox vs. whitebox fuzzing

Proceedings of the 2nd international workshop on Random testing: co-located with the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2007)
A buffer overflow benchmark for software model checkers

Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering
KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs

OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation

Quantified Score

Hi-index	0.00

Visualization

Abstract

Dynamic test generation approach is becoming increasingly popular to find security vulnerabilities in software. However, existing such approaches and tools have bad system performance because they perform slow symbolic execution on all instructions. This paper presents a new dynamic test generation technique and a tool, Hunter that implements this technique. Unlike other such techniques, Hunter combines concrete and symbolic execution, by executing the inputindependent instructions concretely at full speed and performing symbolic execution only on direct or indirect inputdependent instructions, thus greatly accelerating the overall system performance. We have implemented our Hunter and used it to automatically find the bugs in the benchmarks and applications with known bugs. At the same time, we also compared it with a typical dynamic test generation tool, SAGE, by testing the same application with the same bug. Our results indicate that our Hunter can improve the system performance greatly; and Hunter can effectively find bugs located deep within large applications.