Loading...
Please wait, while we are loading the content...
Similar Documents
EXE: A system for automatically generating inputs of death using symbolic execution
| Content Provider | Semantic Scholar |
|---|---|
| Author | Cadar, Cristian Ganesh, Vijay Pawlowski, Peter M. Dill, David L. Engler, Dawson R. |
| Copyright Year | 2006 |
| Abstract | Systems code defines an error-prone execution state space built from deeply nested conditionals and function call chains, massive amounts of code, and enthusiastic use of casting and pointer operations. Such code is hard to test and difficult to inspect, yet a single error can crash a machine or form the basis of a security breach. This paper presents EXE, a system designed to automatically find bugs in such code using symbolic execution. At a high level, rather than running the code on manually-constructed concrete input, EXE instead runs it on symbolic input that is initially allowed to be “anything.” As input (and derived) values are observed through conditional statements and other checks, symbolic constraints are incrementally added to those values. EXE then generates concrete test cases by solving these symbolic constraints for concrete values with bit-level precision. EXE has several novel features. First, it implements a complete, precise symbolic pointer theory that correctly handles both pointer arithmetic expressions and reads and writes to memory locations referenced by pointers with symbolic values. Second, it handles all of the C language with bit-level precision. Third, EXE greatly amplifies the effect of running a single code path since it uses a powerful constraint solver to reason about all possible values that the path could be run with, rather than a single set of concrete values from an individual test case. EXE has been successfully applied to applications ranging from running the Linux kernel symbolically in order to find numerous security holes in the ext2, ext3, and JFS file systems [26] to detecting invalid memory reads and writes in a DHCPD server implementation to finding buffer overflow attacks in the BSD and Linux packet filter implementations. |
| File Format | PDF HTM / HTML |
| Alternate Webpage(s) | http://hci.stanford.edu/cstr/reports/2006-01.pdf |
| Alternate Webpage(s) | http://diyhpl.us/~bryan/papers2/security/EXE%20-%20A%20System%20for%20Automatically%20Generating%20Inputs%20of%20Death%20Using%20Symbolic%20Execution.pdf |
| Journal | CCS 2006 |
| Language | English |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |
