This dissertation presents a novel symbolic execution technique for comprehensively testing complex software. The main insight behind our technique is that code can automatically generate its own (potentially highly complex) test cases. To this end, the code is run on symbolic input, whose value is initially unconstrained. As the checked code runs, we track the constraints on each memory location whose value depends on the symbolic input. If the code reaches a branch involving such a memory location and both sides are feasible, we fork execution and follow each path, constraining the expression to be true on the true path and false on the other. When a path terminates or hits a bug, we can automatically generate a test case exercising that path by solving the current path constraints for concrete values.;By keeping track of the exact constraints on each explored path, our technique gains the ability to reason about all possible values on these paths, and thus can be effectively used to find deep errors. At potentially dangerous operations (e.g., a pointer dereference), our technique can detect if the current path constraints allow any values that cause a bug. This is a significant advantage over traditional dynamic execution techniques, which can only detect an error if they are provided with a specific test case that triggers it (e.g., one where the pointer value is out-of-bounds).;We present two main systems based on this technique, EXE and KLEE, and show that they can automatically generate high-coverage test suites and find deep errors in a variety of complex applications, ranging from user-level utilities to network servers, device drivers, packet filters and file systems. For example, we apply KLEE to all 89 stand-alone applications in the GNU C OREUTILS suite, which forms the core user-level environment installed on millions of UNIX systems, and is arguably one of the most heavily tested sets of open-source programs in existence. KLEE-generated test suites achieve on average over 90% line coverage, significantly beating the coverage of an extensive manual test suite built incrementally over a period of more than fifteen years. As an additional illustrative example we use EXE to mount attacks against file systems code, by automatically generating raw ext2, ext3 and JFS disk images that cause the kernel to panic when mounted under LINUX.
展开▼
机译:本文提出了一种用于全面测试复杂软件的符号执行技术。我们的技术背后的主要见解是,代码可以自动生成自己的(可能非常复杂的)测试用例。为此,代码在符号输入上运行,其值最初不受限制。在运行已检查的代码时,我们跟踪每个存储位置的约束,这些约束的值取决于符号输入。如果代码到达一个涉及该内存位置的分支,并且双方都是可行的,我们将派生执行并遵循每个路径,将表达式在真路径上约束为true,在另一个路径上约束为false。当路径终止或遇到错误时,我们可以通过解决当前路径约束的具体值来自动生成测试该路径的测试用例。通过跟踪每个探索路径上的确切约束,我们的技术可以获得推理的能力这些路径上所有可能的值,因此可以有效地用于发现严重错误。在潜在危险的操作中(例如,指针取消引用),我们的技术可以检测当前路径约束是否允许任何导致错误的值。与传统的动态执行技术相比,这是一个显着的优势,传统的动态执行技术仅在错误被提供了触发它的特定测试用例(例如,指针值超出界限的一种测试用例)的情况下才能检测到错误。基于EXE和KLEE这项技术的系统,表明它们可以自动生成高覆盖率的测试套件,并在各种复杂的应用程序中发现深层错误,这些复杂的应用程序从用户级实用程序到网络服务器,设备驱动程序,数据包筛选器和文件系统。例如,我们将KLEE应用于GNU C OREUTILS套件中的所有89个独立应用程序,该套件形成了安装在数百万个UNIX系统上的核心用户级环境,并且可以说是经过最严格测试的开源程序集之一存在。 KLEE生成的测试套件平均达到90%以上的线路覆盖率,大大超过了十五年以上逐步构建的广泛的手动测试套件的覆盖率。作为另一个说明性示例,我们使用EXE通过自动生成原始ext2,ext3和JFS磁盘映像来对文件系统代码发起攻击,而这些原始映像在LINUX下安装时会导致内核崩溃。
展开▼
