We present a new technique for exploiting static analysis to guide dynamic automated test generation for binary programs, prioritizing the paths to be explored. Our technique is a three-stage process that alternates dynamic and static analysis. In the first stage, we run dynamic analysis with a small number of seed tests to resolve indirect jumps in the binary code and build a visibly pushdown automaton (VPA) reflecting the global control flow of the program. We then augment the computed VPA with statically computable jumps that the seed tests did not execute. In the second stage, we apply static analysis to the inferred automaton to find potential vulnerabilities, i.e., targets for the dynamic analysis. In the third stage, we use the results of the first two stages to assign weights to VPA edges. Our symbolic-execution-based automated test generation tool then uses the weighted shortest-path lengths in the VPA to direct its exploration toward the target potential vulnerabilities. Preliminary experiments on a suite of benchmarks extracted from real applications show that static analysis allows exploration to reach vulnerabilities it otherwise would not, and the generated test inputs confirm that the static warnings are true positives.
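To make the third stage concrete, here is an added illustration (not the paper's own tool or code) of distance-guided prioritization: a constructed control-flow graph stands in for the VPA (call/return nesting is ignored), edges observed by seed tests get a low weight and statically added edges a higher one (both weights are assumed), and pending symbolic states are ranked by weighted shortest-path length to a static-warning site.

```python
import heapq
from collections import defaultdict

# Constructed sample: basic-block labels stand in for VPA states.
# Edges seen by seed tests (including a resolved indirect jump A->C)
# are "dynamic"; C->D and D->TARGET were only found statically.
DYN_EDGES = [("main", "A"), ("A", "B"), ("B", "exit"), ("A", "C")]
STATIC_EDGES = [("C", "D"), ("D", "TARGET")]
TARGETS = {"TARGET"}  # static-analysis warning site to steer toward

def build_graph(dyn_edges, static_edges, dyn_w=1, stat_w=3):
    """Weighted successor map; the weights are assumed, not the paper's."""
    g = defaultdict(dict)
    for u, v in dyn_edges:
        g[u][v] = dyn_w
    for u, v in static_edges:
        g[u].setdefault(v, stat_w)  # dynamic evidence wins if both exist
    return g

def distance_to_target(g, targets):
    """Weighted shortest-path length from every node to the nearest target.
    Multi-source Dijkstra on the reversed graph; unreachable nodes omitted."""
    rev = defaultdict(dict)
    for u, succs in g.items():
        for v, w in succs.items():
            rev[v][u] = w
    dist = {t: 0 for t in targets}
    heap = [(0, t) for t in targets]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue  # stale heap entry
        for p, w in rev[n].items():
            if d + w < dist.get(p, float("inf")):
                dist[p] = d + w
                heapq.heappush(heap, (d + w, p))
    return dist

def pick_next(states, dist):
    """states: list of (state_id, block). Return the id of the pending
    symbolic state closest to a target, or None if none can reach one."""
    reachable = [(dist[b], sid) for sid, b in states if b in dist]
    return min(reachable)[1] if reachable else None

if __name__ == "__main__":
    g = build_graph(DYN_EDGES, STATIC_EDGES)
    d = distance_to_target(g, TARGETS)
    print(d)  # main and A lead to TARGET via C and D; B and exit cannot
    print(pick_next([("s1", "B"), ("s2", "C"), ("s3", "main")], d))
```

A state stuck in a block with no path to any target is never selected, which is what lets the search skip paths that cannot reach a warning site.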