Pingfan Kong,Yi Li,Xiaohong Chen,Jun Sun,Meng Sun,Jingyi Wang

DOI: https://doi.org/10.1007/978-3-319-48989-6_28

2016-01-01

Abstract:Hybrid systems exhibit both continuous and discrete behavior. Analyzing hybrid systems is known to be hard. Inspired by the idea of concolic testing (of programs), we investigate whether we can combine random sampling and symbolic execution in order to effectively verify hybrid systems. We identify a sufficient condition under which such a combination is more effective than random sampling. Furthermore, we analyze different strategies of combining random sampling and symbolic execution and propose an algorithm which allows us to dynamically switch between them so as to reduce the overall cost. Our method has been implemented as a web-based checker named HyChecker. HyChecker has been evaluated with benchmark hybrid systems and a water treatment system in order to test its effectiveness.

Xinyu Wang,Jun Sun,Zhenbang Chen,Peixin Zhang,Jingyi Wang,Yun Lin

DOI: https://doi.org/10.1145/3180155.3180177

2018-01-01

Abstract:Concolic testing integrates concrete execution (e.g., random testing) and symbolic execution for test case generation. It is shown to be more cost-effective than random testing or symbolic execution sometimes. A concolic testing strategy is a function which decides when to apply random testing or symbolic execution, and if it is the latter case, which program path to symbolically execute. Many heuristics-based strategies have been proposed. It is still an open problem what is the optimal concolic testing strategy. In this work, we make two contributions towards solving this problem. First, we show the optimal strategy can be defined based on the probability of program paths and the cost of constraint solving. The problem of identifying the optimal strategy is then reduced to a model checking problem of Markov Decision Processes with Costs. Secondly, in view of the complexity in identifying the optimal strategy, we design a greedy algorithm for approximating the optimal strategy. We conduct two sets of experiments. One is based on randomly generated models and the other is based on a set of C programs. The results show that existing heuristics have much room to improve and our greedy algorithm often outperforms existing heuristics.

Koushik Sen,Swaroop Kalasapur,Tasneem Brutch,Simon Gibbs

DOI: https://doi.org/10.1145/2491411.2491447

2013-01-01

Abstract:JavaScript is widely used for writing client-side web applications and is getting increasingly popular for writing mobile applications. However, unlike C, C++, and Java, there are not that many tools available for analysis and testing of JavaScript applications. In this paper, we present a simple yet powerful framework, called Jalangi, for writing heavy-weight dynamic analyses. Our framework incorporates two key techniques: 1) selective record-replay, a technique which enables to record and to faithfully replay a user-selected part of the program, and 2) shadow values and shadow execution, which enables easy implementation of heavy-weight dynamic analyses. Our implementation makes no special assumption about JavaScript, which makes it applicable to real-world JavaScript programs running on multiple platforms. We have implemented concolic testing, an analysis to track origins of nulls and undefined, a simple form of taint analysis, an analysis to detect likely type inconsistencies, and an object allocation profiler in Jalangi. Our evaluation of Jalangi on the SunSpider benchmark suite and on five web applications shows that Jalangi has an average slowdown of 26X during recording and 30X slowdown during replay and analysis. The slowdowns are comparable with slowdowns reported for similar tools, such as PIN and Valgrind for x86 binaries. We believe that the techniques proposed in this paper are applicable to other dynamic languages.

Gao Pengfei,Xu Yongjie,Song Fu,Chen Taolue

DOI: https://doi.org/10.1007/s11704-020-0356-7

IF: 2.6688

2021-01-01

Frontiers of Computer Science

Abstract:JavaScript has become one of the most widely used languages for Web development. Its dynamic and event-driven features make it challenging to ensure the correctness of Web applications written in JavaScript. A variety of dynamic analysis techniques have been proposed which are, however, limited in either coverage or scalability. In this paper, we propose a simple, yet effective, model-based automated testing approach to achieve a high code-coverage within the time budget via testing with longer event sequences. We implement our approach as an open-source tool LJS, and perform extensive experiments on 21 publicly available benchmarks. On average, LJS is able to achieve 86.5% line coverage in 10 minutes. Compared with JSDEP, a state-of-the-art breadth-first search based automated testing tool enriched with partial order reduction, the coverage of LJS is 11%–19% higher than that of JSDEP on real-world large Web applications. Our empirical findings support that proper longer test sequences can achieve a higher code coverage in JavaScript Web application testing.

Gary Wassermann,Dachuan Yu,Ajay Chander,Dinakar Dhurjati,Hiroshi Inamura,Zhendong Su

DOI: https://doi.org/10.1145/1390630.1390661

2008-01-01

Abstract:Web applications routinely handle sensitive data, and many people rely on them to support various daily activities, so errors can have severe and broad-reaching consequences. Unlike most desktop applications, many web applications are written in scripting languages, such as PHP. The dynamic features commonly supported by these languages significantly inhibit static analysis and existing static analysis of these languages can fail to produce meaningful results on realworld web applications. Automated test input generation using the concolic testing framework has proven useful for finding bugs and improving test coverage on C and Java programs, which generally emphasize numeric values and pointer-based data structures. However, scripting languages, such as PHP, promote a style of programming for developing web applications that emphasizes string values, objects, and arrays. In this paper, we propose an automated input test generation algorithm that uses runtime values to analyze dynamic code, models the semantics of string operations, and handles operations whose argument and return values may not share a common type. As in the standard concolic testing framework, our algorithm gathers constraints during symbolic execution. Our algorithm resolves constraints over multiple types by considering each variable instance individually, so that it only needs to invert each operation. By recording constraints selectively, our implementation successfully finds bugs in real-world web applications which state-of-the-art static analysis tools fail to analyze.

Hongbo Li,Sihuan Li,Zachary Benavides,Zizhong Chen,Rajiv Gupta

DOI: https://doi.org/10.1109/IPDPS.2018.00096

2018-01-01

Abstract:MPI is widely used as the bedrock of HPC applications, but there are no effective systematic software testing techniques for MPI programs. In this paper we develop COMPI, the first practical concolic testing tool for MPI applications. COMPI tackles two major challenges. First, it provides an automated testing tool for MPI programs - it performs concolic execution on a single process and records branch coverage across all. Infusing MPI semantics such as MPI rank and MPI_COMM_WORLD into COMPI enables it to automatically direct testing with various processes' executions as well as automatically determine the total number of processes used in the testing. Second, COMPI employs three techniques to effectively control the cost of testing as too high a cost may prevent its adoption. By capping input values, COMPI is made practical as too large an input can make the testing extremely slow and sometimes even fail as memory needed could exceed the computing platform's memory limit. With two-way instrumentation, we reduce the unnecessary memory and I/O overhead of COMPI and the target program. With constraint set reduction, COMPI keeps significantly fewer constraints by removing redundant ones in the presence of loops so as to avoid redundant tests against these branches. Our evaluation of COMPI uncovered four new bugs in a complex application and achieved 69-86% branch coverage which far exceeds the 1.8-38% coverage achieved via random testing.

Hao Jin,Yanyan Jiang,Na Liu,Chang Xu,Xiaoxing Ma,Jian Lu

DOI: https://doi.org/10.1109/COMPSAC.2015.79

2015-01-01

Abstract:Debugging is challenging and labor-intensive. Debugging programs with weak or no oracle is even more difficult due to lack of passing and failing test runs as well as their comparisons. To address these challenges, we exploit metamorphic relations to construct new programs that are enhanced with synthesized oracle, and combine concolic testing and branch-switching debugging to localize potentially faulty places in original programs. We name our approach concolic metamorphic debugging (or Comedy for short). We experimentally evaluated Comedy with real-world Java programs. The experimental results reported that Comedy successfully generated debugging report for 88.4% of 2,330 faulty programs. The average branch distance between the reported locations and the real fault places is only 1.68. Besides, 36% of the debugging reports precisely locate the fault.

Cong Li,Yanyan Jiang,Chang Xu,Zhendong Su

DOI: https://doi.org/10.1145/3600006.3613140

2023-01-01

Abstract:This paper introduces the novel concept of compilation space, which facilitates the thorough validation of just-in-time (JIT) compilers in modern language virtual machines (LVMs). The compilation space, even for a single program, consists of an extensive array of JIT compilation choices, which can be cross-validated for the correctness of JIT compilation. To thoroughly explore the compilation space in a lightweight and LVM-agnostic manner, we strategically mutate test programs with JIT-relevant, yet semantics-preserving code structures to trigger diverse JIT compilation choices. We realize our technique in Artemis, a tool for the Java virtual machine (JVM). Our evaluation has led to 85 bug reports for three widely used production JVMs, namely HotSpot, OpenJ9, and the Android Runtime. Among them, 53 have already been confirmed or fixed with many being critical. It is also worth mentioning that all the reported bugs concern JIT compilers, demonstrating the clear effectiveness and strong practicability of our technique. We expect that the generality and practicability of our approach will make it broadly applicable for understanding and validating JIT compilers.

Weiguang Wang,Qingkai Zeng

DOI: https://doi.org/10.1109/tase.2015.14

2015-01-01

Abstract:Concolic testing is a powerful technique for vulnerability detection. Current concolic testing tools usually randomly select one well-formed concrete input to start their workflow, then employ different path selection methods to explore the execution space. However, experiments have shown that concolic testing tools have different vulnerability detection performance when starting with different well-formed concrete inputs. In this paper, we present an evaluation method to help concolic testing tools select better initial inputs. The key idea is that: if the concolic execution triggered by one candidate initial input covers more error-prone operations with different execution contexts, it is likely to detect more bugs. Specifically, we firstly identify error-prone operations using fine-grained dynamic taint analysis. Then we propose a scoring algorithm to evaluate the vulnerability detection ability of different candidate initial inputs. We implemented this method in a new tool called CrashFinderHB, and applied it to four applications in Linux: readelf, convert, cjpeg, swftool. Experimental results show that using our evaluation method to select starting points can improve the effectiveness of concolic testing. Moreover, starting with carefully selected initial inputs, we found 4 previously unknown errors in readelf and convert.

Emilio Coppa,Alessio Izzillo

DOI: https://doi.org/10.1016/j.jss.2024.112001

IF: 3.5

2024-02-17

Journal of Systems and Software

Abstract:Symbolic execution is a well-known software testing technique that evaluates how a program runs when considering a symbolic input, i.e., an input that can initially assume any concrete value admissible for its data type. The dynamic twist of this technique is dubbed concolic execution and has been demonstrated to be a practical technique for testing even complex real-world programs. Unfortunately, developing concolic engines is hard. Indeed, an engine has to correctly instrument the program to build accurate symbolic expressions, which represent the program computation. Furthermore, to reason over such expressions, it has to interact with an SMT solver. Hence, several implementation bugs may emerge within the different layers of an engine. In this article, we consider the problem of testing concolic engines. In particular, we propose several testing strategies whose main intuition is to exploit the concrete state kept by the executor to identify inconsistencies within the symbolic state. We integrated our strategies into three state-of-the-art concolic executors ( SymCC , SymQEMU , and Fuzzolic , respectively) and then performed several experiments to show that our ideas can find bugs in these frameworks. Overall, our approach was able to discover more than 12 bugs across these engines.

computer science, theory & methods, software engineering

Igor Lima,Jefferson Silva,Breno Miranda,Gustavo Pinto,Marcelo d'Amorim

DOI: https://doi.org/10.48550/arXiv.2012.03759

2020-12-07

Abstract:Context. JavaScript is a popular programming language today with several implementations competing for market dominance. Although a specification document and a conformance test suite exist to guide engine development, bugs occur and have important practical consequences. Implementing correct engines is challenging because the spec is intentionally incomplete and evolves frequently. Objective. This paper investigates the use of test transplantation and differential testing for revealing functional bugs in JavaScript engines. The former technique runs the regression test suite of a given engine on another engine. The latter technique fuzzes existing inputs and then compares the output produced by different engines with a differential oracle. Method. We conducted experiments with engines from five major players-Apple, Facebook, Google, Microsoft, and Mozilla-to assess the effectiveness of test transplantation and differential testing. Results. Our results indicate that both techniques revealed several bugs, many of which confirmed by developers. We reported 35 bugs with test transplantation (23 of these bugs confirmed and 19 fixed) and reported 24 bugs with differential testing (17 of these confirmed and 10 fixed). Results indicate that most of these bugs affected two engines-Apple's JSC and Microsoft's ChakraCore (24 and 26 bugs, respectively). To summarize, our results show that test transplantation and differential testing are easy to apply and very effective in finding bugs in complex software, such as JavaScript engines.

Software Engineering

Wookhyun Han,Md Lutfor Rahman,Yuxuan Chen,Chengyu Song,Byoungyoung Lee,Insik Shin

DOI: https://doi.org/10.48550/arXiv.1905.09532

2019-05-23

Abstract:Concolic execution is a powerful program analysis technique for exploring execution paths in a systematic manner. Compare to random-mutation-based fuzzing, concolic execution is especially good at exploring paths that are guarded by complex and tight branch predicates (e.g., (a*b) == 0xdeadbeef). The drawback, however, is that concolic execution engines are much slower than native execution. One major source of the slowness is that concolic execution engines have to the interpret instructions to maintain the symbolic expression of program variables. In this work, we propose SynFuzz, a novel approach to perform scalable concolic execution. SynFuzz achieves this goal by replacing interpretation with dynamic taint analysis and program synthesis. In particular, to flip a conditional branch, SynFuzz first uses operation-aware taint analysis to record a partial expression (i.e., a sketch) of its branch predicate. Then it uses oracle-guided program synthesis to reconstruct the symbolic expression based on input-output pairs. The last step is the same as traditional concolic execution - SynFuzz consults a SMT solver to generate an input that can flip the target branch. By doing so, SynFuzz can achieve an execution speed that is close to fuzzing while retain concolic execution's capability of flipping complex branch predicates. We have implemented a prototype of SynFuzz and evaluated it with three sets of programs: real-world applications, the LAVA-M benchmark, and the Google Fuzzer Test Suite (FTS). The evaluation results showed that SynFuzz was much more scalable than traditional concolic execution engines, was able to find more bugs in LAVA-M than most state-of-the-art concolic execution engine (QSYM), and achieved better code coverage on real-world applications and FTS.

Cryptography and Security

Yufeng Chen

DOI: https://doi.org/10.48550/arXiv.2104.00142

2021-04-01

Abstract:<a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> is one of the most popular frameworks for building web applications. As software systems mature, the cost of running their entire regression test suite can become significant. Selective Regression Testing (SRT) is a technique that executes only a subset of tests the regression test suite can detect software failures more efficiently. Previous SRT studies mainly focused on standard desktop applications. <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications are considered hard to perform test reduction because of Node's asynchronous, event-driven programming model and because JavaScript is a dynamic programming language. In this paper, we present NodeSRT, a Selective Regression Testing framework for <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications. By performing static and dynamic analysis, NodeSRT identifies the relationship between changed methods and tests, then reduces the regression test suite to only tests that are affected by the change to improve the execution time of the regression test suite. To evaluate our selection technique, we applied NodeSRT to two open-source projects: Uppy and Simorgh, then compared our approach with the retest-all strategy and current industry-standard SRT technique: Jest OnlyChange. The results demonstrate that NodeSRT correctly selects affected tests based on changes and is 250% faster, 450% more precise than the Jest OnlyChange.

Software Engineering

Chen Bing,Qingkai Zeng,Weiguang Wang

DOI: https://doi.org/10.1145/2554850.2554875

2014-01-01

Abstract:Concolic testing is a popular method based on symbolic execution and constraint solving, designed for security testing of applications. Unfortunately, the current effectiveness of concolic testing tools are limited when testing large applications due to the enormous number of control paths and limited budget. In this paper, we introduce selective symbolic execution, path selecting, random and incorrect seed input, three approaches to ease the path explosion and speed up bugs exploration. We also develop Crashmaker, a dynamic symbolic execution tool based on Valgrind and constraints solver STP, implementing our three improvement measures. To check the effectiveness and efficiency of Crashmaker, we make experiments with 7 different real-life programs, and compare with Avalanche. The evaluation results show that Crashmaker can effectively find more bugs in a more efficient way.

Thorsten Holz,Tobias Scharnowski,Tim Blazytko,Moritz Schloegel,Lukas Bernhard

DOI: https://doi.org/10.1145/3548606.3560624

2022-11-07

Abstract:Modern JavaScript engines that power websites and even full applications on the Web are driven by the need for an increasingly fast and snappy user experience. These engines use several complex and potentially error-prone mechanisms to optimize their performance. Unsurprisingly, the inevitable complexity results in a huge attack surface and varioustypes of software vulnerabilities. On the defender's side, fuzz testing has proven to be an invaluable tool for uncovering different kinds of memory safety violations. Although it is difficult to test interpreters and JIT compilers in an automated way, recent proposals for input generation based on grammars or target-specific intermediate representations helped uncovering many software faults. However, subtle logic bugs and miscomputations that arise from optimization passes in JIT engines continue to elude state-of-the-art testing methods. While such flaws might seem unremarkable at first glance, they are often still exploitable in practice. In this paper, we propose a novel technique for effectively uncovering this class of subtle bugs during fuzzing. The key idea is to take advantage of the tight coupling between a JavaScript engine's interpreter and its corresponding JIT compiler as a domain-specific and generic bug oracle, which in turn yields a highly sensitive fault detection mechanism. We have designed and implemented a prototype of the proposed approach in a tool called JIT-Picker. In an empirical evaluation, we show that our method enables us to detect subtle software faults that prior work missed. In total, we uncovered 32 bugs that were not publicly known and received a $10.000 bug bounty from Mozilla as a reward for our contributions to JIT engine security.

Computer Science

Fred Mesnard,Étienne Payet,Germán Vidal

DOI: https://doi.org/10.1017/S1471068415000332

2015-07-20

Abstract:Software testing is one of the most popular validation techniques in the software industry. Surprisingly, we can only find a few approaches to testing in the context of logic programming. In this paper, we introduce a systematic approach for dynamic testing that combines both concrete and symbolic execution. Our approach is fully automatic and guarantees full path coverage when it terminates. We prove some basic properties of our technique and illustrate its practical usefulness through a prototype implementation.

Programming Languages

Lianpei Zhou,Xi Xiao,Guangwu Hu,Hao Li,Xiangbo Wu,Tao Zhou

DOI: https://doi.org/10.1109/trustcom60117.2023.00138

2024-01-01

Abstract:Traditional coverage-based fuzzing gives equal attention to every part of a code. Despite much progress, we observe that existing schemes still not comprehensively use the coverage feedback mechanism when fuzzing bulky JavaScript engines because of severe path collisions. To improve the precision of coverage feedback and target the vulnerable JIT compiler of Javascript engines, we presented our fuzzer, called LF(Light Fuzzer), a lightweight and high-precision fuzzer for bulky JavaScript engines fuzzing. First, LF advocates a technique to confine instrumentation to the JIT-related "critical functions" to mitigate collisions. Additionally, LF utilizes static analysis to establish dominant relationships between critical functions. Lastly, LF incorporates seed scheduling with feedback information of control flow at the function level to dynamically target JIT. These combined strategies make LF a lightweight and high-precision fuzzer for fuzzing bulky JavaScript engines. In our evaluation, LF outperforms the state-of-art coverage-guided JavaScript fuzzer DIE in different coverage types, and LF is also more effective in triggering unique crashes compared to DIE.

Ting Chen,Xiao-Song Zhang,Xiao-Li Ji,Cong Zhu,Yang Bai,Yue Wu

DOI: https://doi.org/10.1109/tr.2014.2363153

IF: 5.883

2015-01-01

IEEE Transactions on Reliability

Abstract:Traditional software testing methods are not effective for testing embedded software thoroughly due to the fact that generating effective test inputs to cover all code is extremely difficult. In this work, we propose an automatic method to generate test inputs for embedded executables which is based on concolic execution. The core idea of our method is to divide concolic execution into symbolic execution on hosts, and concrete execution on targets, so considerable development work can be saved. Our method overcomes the limitations of the software and hardware abilities of embedded systems by restricting heavy-weight work on resourceful hosts. One feature of our method is that it targets executables, so the source of tested software is not needed. Another feature is that tested programs run in a real environment rather than in a simulator, so accurate run-time information can be acquired. Symbolic execution and concrete execution are coordinated by cross-debugging functions. Then we implement our method on Wind River VxWorks. Experiments show that our method achieves high code coverage with acceptable speed.

Gábor Antal,Péter Hegedűs,Zoltán Tóth,Rudolf Ferenc,Tibor Gyimóthy

DOI: https://doi.org/10.48550/arXiv.2405.07206

2024-05-12

Abstract:The popularity and wide adoption of JavaScript both at the client and server side makes its code analysis more important than ever before. Most of the algorithms for vulnerability analysis, coding issue detection, or type inference rely on the call graph representation of the underlying program. Despite some obvious advantages of dynamic analysis, static algorithms should also be considered for call graph construction as they do not require extensive test beds for programs and their costly execution and tracing. In this paper, we systematically compare five widely adopted static algorithms - implemented by the npm call graph, IBM WALA, Google Closure Compiler, Approximate Call Graph, and Type Analyzer for JavaScript tools - for building JavaScript call graphs on 26 WebKit SunSpider benchmark programs and 6 real-world <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> modules. We provide a performance analysis as well as a quantitative and qualitative evaluation of the results. We found that there was a relatively large intersection of the found call edges among the algorithms, which proved to be 100 precise. However, most of the tools found edges that were missed by all others. ACG had the highest precision followed immediately by TAJS, but ACG found significantly more call edges. As for the combination of tools, ACG and TAJS together covered 99% of the found true edges by all algorithms, while maintaining a precision as high as 98%. Only two of the tools were able to analyze up-to-date multi-file <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> modules due to incomplete language features support. They agreed on almost 60% of the call edges, but each of them found valid edges that the other missed.

Software Engineering

Alexi Turcotte,Ellen Arteca,Ashish Mishra,Saba Alimadadi,Frank Tip

DOI: https://doi.org/10.48550/arXiv.2110.14162

2021-10-27

Abstract:JavaScript is an increasingly popular language for server-side development, thanks in part to the <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> runtime environment and its vast ecosystem of modules. With the <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> package manager npm, users are able to easily include external modules as dependencies in their projects. However, npm installs modules with all of their functionality, even if only a fraction is needed, which causes an undue increase in code size. Eliminating this unused functionality from distributions is desirable, but the sound analysis required to find unused code is difficult due to JavaScript's extreme dynamicity. We present a fully automatic technique that identifies unused code by constructing static or dynamic call graphs from the application's tests, and replacing code deemed unreachable with either file- or function-level stubs. If a stub is called, it will fetch and execute the original code on-demand, thus relaxing the requirement that the call graph be sound. The technique also provides an optional guarded execution mode to guard application against injection vulnerabilities in untested code that resulted from stub expansion. This technique is implemented in an open source tool called Stubbifier, which supports the ECMAScript 2019 standard. In an empirical evaluation on 15 <a class="link-external link-http" href="http://Node.js" rel="external noopener nofollow">this http URL</a> applications and 75 clients of these applications, Stubbifier reduced application size by 56% on average while incurring only minor performance overhead. The evaluation also shows that Stubbifier's guarded execution mode is capable of preventing several known injection vulnerabilities that are manifested in stubbed-out code. Finally, Stubbifier can work alongside bundlers, popular JavaScript tools for bundling an application with its dependencies. For the considered subject applications, we measured an average size reduction of 37% in bundled distributions.

Software Engineering