Binary-Level Testing of Embedded Programs

Bardin, Sébastien; Baufreton, Philippe; Cornuet, Nicolas; Herrmann, P.; Labbé, Sébastien

doi:10.1109/qsic.2013.49

Cited by 8 publications

(6 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach allows to precisely define a wide-range of exploration strategies. Several strategies are already implemented such as DFS, BFS, random path, MinCall-DFS and MinCall-BFS [1].…”

Section: Path Selectionmentioning

confidence: 99%

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis

David

Bardin

et al. 2016

2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

When it comes to software analysis, several approaches exist from heuristic techniques to formal methods, which are helpful at solving different kinds of problems. Unfortunately very few initiative seek to aggregate this techniques in the same platform. BINSEC intend to fulfill this lack of binary analysis platform by allowing to perform modular analysis. This work focusses on BINSEC/SE, the new dynamic symbolic execution engine (DSE) implemented in BINSEC. We will highlight the novelties of the engine, especially in terms of interactions between concrete and symbolic execution or optimization of formula generation. Finally, two reverse engineering applications are shown in order to emphasize the tool effectiveness.

show abstract

“…This approach allows to precisely define a wide-range of exploration strategies. Several strategies are already implemented such as DFS, BFS, random path, MinCall-DFS and MinCall-BFS [1].…”

Section: Path Selectionmentioning

confidence: 99%

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis

David

Bardin

et al. 2016

2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER)

Self Cite

View full text Add to dashboard Cite

show abstract

“…This program is therefore vulnerable: variable buf can be overflowed at lines 7 and 8. In both cases, the pointer ptr could be overwritten 3 , potentially hijacking the function call at line 9.…”

Section: The Case For Dedicated C/s Policiesmentioning

confidence: 99%

“…SE has quickly become the most promising technique for code-based automatic test generation, leading to impressive case studies [12,16,2,14] and a promise of industrial adoption at large scale [9,22]. Its usage for security purposes have also been considered, especially because of its straightforward adaptation to binary-level analysis [22,4,27,3]. SE has successfully been applied in a wide range of security applications, such as vulnerability [1,23] or malware analysis [10].…”

Section: Introductionmentioning

confidence: 99%

Specification of concretization and symbolization policies in symbolic execution

David

Bardin

Feist

et al. 2016

Proceedings of the 25th International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Symbolic Execution (SE) is a popular and profitable approach to automatic code-based software testing. Concretization and symbolization (C/S) is a crucial part of modern SE tools, since it directly impacts the trade-offs between correctness, completeness and efficiency of the approach. Yet, C/S policies have been barely studied. We intend to remedy to this situation and to establish C/S policies on a firm ground. To this end, we propose a clear separation of concerns between C/S specification on one side, through the new rule-based description language CSml, and the algorithmic core of SE on the other side, revisited to take C/S policies into account. This view is implemented on top of an existing SE tool, demonstrating the feasibility and the benefits of the method. This work paves the way for more flexible SE tools with well-documented and reusable C/S policies, as well as for a systematic study of C/S policies.

show abstract

“…Object-Branch Coverage (OBC) is a structural coverage criterion at the object-code level which requires that a test suite executes both branches of conditional jumps [1]. It is frequently used as a measure of the thoroughness of tests suites in safety critical domains [2], [3], augmenting or substituting source-code based structural criteria such as (source code) branch coverage and modified condition/decision coverage (MC/DC). OBC may also be used in aeronautics, as DO-178C [?]…”

Section: Introductionmentioning

confidence: 99%

Toward Rigorous Object-Code Coverage Criteria

Byun¹,

Sharma²,

Rayadurgam

et al. 2017

2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

Object-branch coverage (OBC) is often used as a measure of the thoroughness of tests suites, augmenting or substituting source-code based structural criteria such as branch coverage and modified condition/decision coverage (MC/DC). In addition, with the increasing use of third-party components for which source-code access may be unavailable, robust object-code coverage criteria are essential to assess how well the components are exercised during testing. While OBC has the advantage of being programming language independent and is amenable to non-intrusive coverage measurement techniques, variations in compilers, and the optimizations they perform can substantially change what is seen as an object branch, which itself appears to be an informally understood concept. To address the need for a robust object coverage criterion, this paper proposes a rigorous definition of OBC such that it captures well the semantic of source code branches for a given instruction set architecture. We report an empirical assessment of these criteria for the Intel x86 instruction set on several examples from embedded control systems software. Preliminary results indicate that object-code coverage can be made robust to compilation variations and is comparable in its bug-finding efficacy to source level MC/DC.

show abstract

Binary-Level Testing of Embedded Programs

Cited by 8 publications

References 23 publications

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis

BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis

Specification of concretization and symbolization policies in symbolic execution

Toward Rigorous Object-Code Coverage Criteria

Contact Info

Product

Resources

About