Enhancing symbolic execution with veritesting

@article{Avgerinos2014EnhancingSE,
  title={Enhancing symbolic execution with veritesting},
  author={Thanassis Avgerinos and Alexandre Rebert and Sang Kil Cha and David Brumley},
  journal={Proceedings of the 36th International Conference on Software Engineering},
  year={2014}
}
We present MergePoint, a new binary-only symbolic execution system for large-scale and fully unassisted testing of commodity off-the-shelf (COTS) software. MergePoint introduces veritesting, a new technique that employs static symbolic execution to amplify the effect of dynamic symbolic execution. Veritesting allows MergePoint to find twice as many bugs, explore orders of magnitude more paths, and achieve higher code coverage than previous dynamic symbolic execution systems. MergePoint is… 
Veritesting Challenges in Symbolic Execution of Java
TLDR
It is found that while veritesting can be applied in thousands of regions, allowing static symbolic execution involving non-local control jumps amplifies the performance improvement obtained from veritesting.
Java Ranger at SV-COMP 2020 (Competition Contribution)
TLDR
The architecture of Java Ranger is briefly described, its setup for SV-COMP 2020 is described, and its extension of veritesting to summarize dynamically dispatched methods and exceptional control-flow is described.
Enhancing symbolic execution method with a taint layer
TLDR
A taint-based symbolic execution method that employs a taint layer to perform data flow analysis and quickly locate the first instruction related with symbolic inputs, and has the ability of vulnerability detection.
Finding the needle in the heap: combining static analysis and dynamic symbolic execution to trigger use-after-free
This paper presents a fully automated technique to find and trigger Use-After-Free vulnerabilities (UAF) on binary code. The approach combines a static analyzer and a dynamic symbolic execution
A hybrid symbolic execution assisted fuzzing method
  • Li Zhang, V. Thing
  • Computer Science
  • TENCON 2017 - 2017 IEEE Region 10 Conference
  • 2017
TLDR
A new automated method for efficient detection of security vulnerabilities in binary programs that can effectively prevent the fuzzing guided exploration from converging to the less interesting but easy-to-fuzz branches.
Dynamic symbolic execution for the analysis of web server applications in Java
TLDR
This paper describes a dynamic symbolic execution framework for Java that was designed with features such as multithreading and callbacks in mind and uses bytecode instrumentation combined with a run-time agent to perform the symbolic execution.
Java Ranger: statically summarizing regions for efficient symbolic execution of Java
Merging execution paths is a powerful technique for reducing path explosion in symbolic execution. One approach, introduced and dubbed “veritesting” by Avgerinos et al., works by translating a bounded
Boost Symbolic Execution Using Dynamic State Merging and Forking
TLDR
A merge-fork framework enabling states under exploration to switch automatically between merging mode and forking mode is proposed, and active state forking is introduced to enable forking a state into multiple ones as if a certain merging action taken before were eliminated.
Transparently improving regression testing using symbolic execution
TLDR
Two techniques for amplifying the effect of existing test suites using a lightweight symbolic execution mechanism are presented and katch can automatically synthesise inputs that significantly increase the patch coverage achieved by the existing manual test suites, and find bugs at the moment they are introduced.
Symbolic backward simulation of Java bytecode program
TLDR
A new method, symbolic backward simulation, for detecting bugs in Java bytecode programs by determining conditions on the input side by tracing back from the tail of the program while performing reverse execution for each bytecode.

References

Showing 1-10 of 58 references
RWset: Attacking Path Explosion in Constraint-Based Test Generation
TLDR
This paper presents a new technique for reducing the number of traversed code paths by discarding those that must have side-effects identical to some previously explored path, often achieving program coverage far out of reach for a standard constraint-based execution system.
make test-zesti: A symbolic execution solution for improving regression testing
TLDR
This paper presents a technique for amplifying the effect of existing test suites using a lightweight symbolic execution mechanism, which thoroughly checks all sensitive operations executed by the test suite for errors, and explores additional paths around sensitive operations.
Unleashing Mayhem on Binary Code
TLDR
This paper proposes two novel techniques: 1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and 2) index-based memory modeling, a technique that allows Mayhem to efficiently reason about symbolic memory at the binary level.
All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask)
TLDR
The algorithms for dynamic taint analysis and forward symbolic execution are described as extensions to the run-time semantics of a general language to highlight important implementation choices, common pitfalls, and considerations when using these techniques in a security context.
Efficient state merging in symbolic execution
TLDR
A way to automatically choose when and how to merge states such that the performance of symbolic execution is significantly increased and query count estimation, a method for statically estimating the impact that each symbolic variable has on solver queries that follow a potential merge point, is presented.
Parallel symbolic execution for automated real-world software testing
TLDR
This paper introduces Cloud9, a platform for automated testing of real-world software that provides a systematic interface for writing "symbolic tests" that concisely specify entire families of inputs and behaviors to be tested, thus improving testing productivity.
Scalable error detection using boolean satisfiability
TLDR
A software error-detection tool that exploits recent advances in boolean satisfiability (SAT) solvers, and is path sensitive, precise down to the bit level, and models pointers and heap data.
Calysto: scalable and precise extended static checking
TLDR
The Calysto static checker achieves an unprecedented combination of precision and scalability in a completely automatic extended static checker, which scales comparably to the leading, less precise, static-analysis-based tool for similar properties.
Configurable Software Verification: Concretizing the Convergence of Model Checking and Program Analysis
TLDR
An algorithm and tool are designed and built that can be configured to perform not only a purely tree-based or a purely lattice-based analysis, but offers many intermediate settings that have not been evaluated before.
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs
TLDR
A new symbolic execution tool, KLEE, capable of automatically generating tests that achieve high coverage on a diverse set of complex and environmentally-intensive programs, and significantly beat the coverage of the developers' own hand-written test suite is presented.