Systems code must obey many rules, such as "opened files must be closed." One approach to verifying rules is static analysis, but this technique cannot infer precise runtime effects of code and often emits many false positives. An alternative is symbolic execution, a technique that verifies program paths over all inputs up to a bounded size. However, when applied to verify rules, existing symbolic execution systems often blindly explore many redundant program paths while missing relevant ones that may contain bugs. Our key insight is that only a small portion of paths are relevant to rules, and the remaining majority of paths are irrelevant and do not need to be verified. Based on this insight, we create WOODPECKER, a new symbolic execution system for effectively checking rules on systems programs. It provides a set of built-in checkers for common rules and an interface for users to easily check new rules. It directs symbolic execution toward the program paths relevant to a checked rule and soundly prunes redundant paths, exponentially speeding up symbolic execution. It is designed to be heuristic-agnostic, enabling users to leverage existing powerful search heuristics. Evaluation on 136 systems programs totaling 545K lines of code, including some of the most widely used programs, shows that, with a time limit of typically just one hour for each verification run, WOODPECKER effectively verifies 28.7% of the program and rule combinations over bounded input, whereas an existing symbolic execution system, KLEE, verifies only 8.5%. For the remaining combinations, WOODPECKER verifies 4.6 times as many relevant paths as KLEE. With a longer time limit, WOODPECKER verifies many more paths than KLEE, e.g., 17 times as many with a four-hour limit. WOODPECKER detects 113 rule violations, including 10 serious data loss errors, the 2 most serious of which have already been confirmed by the corresponding developers.
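The rule-directed pruning idea in the abstract, reduced to a toy path explorer (an added example, not WOODPECKER's code or its actual algorithm): a program is a list of statements with symbolic branches; a naive explorer forks at every branch, while the rule-directed one explores a branch only once when neither side can change the "opened files must be closed" state. The statement forms, `touches_rule`, `check_rule` and the sample `PROGRAM` are all constructed here, and the toy ignores data flow from branch conditions into later rule events, which the real system has to account for.

```python
# Toy path explorer (added example, not WOODPECKER's code). Statement forms:
#   ("open", h) / ("close", h)          events relevant to the checked rule
#   ("compute", label)                  work that cannot affect the rule
#   ("branch", then_block, else_block)  symbolic condition; both sides feasible
def touches_rule(block):
    """True if any statement in block, recursively, opens or closes a handle."""
    return any(s[0] in ("open", "close") or
               (s[0] == "branch" and (touches_rule(s[1]) or touches_rule(s[2])))
               for s in block)

def check_rule(program, prune):
    """Enumerate paths and check 'opened handles must be closed' at path end.
    prune=True explores a branch only once when neither side contains a rule
    event: the rule state after either side is identical, so the other side is
    redundant (assumes the branch outcome does not feed later rule events).
    Returns (paths explored, [(trace, handles still open), ...])."""
    paths, violations = 0, []

    def walk(stmts, opened, trace):
        nonlocal paths
        for i, s in enumerate(stmts):
            if s[0] == "open":
                opened, trace = opened | {s[1]}, trace + [s]
            elif s[0] == "close":
                opened, trace = opened - {s[1]}, trace + [s]
            elif s[0] == "branch":
                rest = stmts[i + 1:]
                if prune and not (touches_rule(s[1]) or touches_rule(s[2])):
                    walk(s[1] + rest, opened, trace + ["branch:pruned"])
                else:
                    walk(s[1] + rest, opened, trace + ["branch:then"])
                    walk(s[2] + rest, opened, trace + ["branch:else"])
                return  # the recursive calls complete this path
        paths += 1  # reached the end of the program along one path
        if opened:
            violations.append((trace, sorted(opened)))

    walk(program, frozenset(), [])
    return paths, violations

# Constructed sample: a leak on the error exit, hidden behind four
# rule-irrelevant branches (16 redundant prefixes for a naive explorer).
PROGRAM = [
    ("open", "log"),
    ("branch", [("compute", "fast path")], [("compute", "slow path")]),
    ("branch", [("compute", "verbose")], [("compute", "quiet")]),
    ("branch", [("compute", "retry")], [("compute", "no retry")]),
    ("branch", [("compute", "flush")], [("compute", "no flush")]),
    ("branch", [("close", "log")], [("compute", "early return")]),  # leak
]
```

With `prune=False` the explorer walks 32 paths and reports the same leak 16 times; with `prune=True` it walks 2 paths and reports it once, which is the exponential saving the abstract describes.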