DeepState: Symbolic Unit Testing for C and C++

Goodman, P.; Groce, Alex

doi:10.14722/bar.2018.23009

Cited by 9 publications

(9 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Manticore is also fully integrated into the DeepState parameterized unit testing tool [9], where it has proved useful in cases where angr failed to produce useful results.…”

Section: Native Binary Analysis Evaluationmentioning

confidence: 99%

Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts

Mossberg¹,

Manzano²,

Hennenfent³

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

235

View full text Add to dashboard Cite

An effective way to maximize code coverage in software tests is through dynamic symbolic execution-a technique that uses constraint solving to systematically explore a program's state space. We introduce an open-source dynamic symbolic execution framework called Manticore for analyzing binaries and Ethereum smart contracts. Manticore's flexible architecture allows it to support both traditional and exotic execution environments, and its API allows users to customize their analysis. Here, we discuss Manticore's architecture and demonstrate the capabilities we have used to find bugs and verify the correctness of code for our commercial clients.

show abstract

“…Manticore is also fully integrated into the DeepState parameterized unit testing tool [9], where it has proved useful in cases where angr failed to produce useful results.…”

Section: Native Binary Analysis Evaluationmentioning

confidence: 99%

Manticore: A User-Friendly Symbolic Execution Framework for Binaries and Smart Contracts

Mossberg¹,

Manzano²,

Hennenfent³

et al. 2019

2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)

Self Cite

235

View full text Add to dashboard Cite

show abstract

“…More practically, we would like to tightly integrate our approach with automated test generation tools, such as TSTL , DeepState , Echidna and Manticore . Automated test generation tools tend to produce a large number of passing and failing tests and are often used in ‘overnight’ runs where adding a step to use mutants to triage failing tests and provide localization suggestions for the highly ranked tests may not even impose a noticeable overhead on current usage practices.…”

Section: Discussionmentioning

confidence: 99%

“…The SCB team added the fuzzgoat example to their published VM and plan to use it to drive development of patch templates and analysis for use‐after‐frees; this will, at some point, likely make it possible for SCB to handle fuzzgoat effectively. However, in the long term, if fuzzing is applied to find assertion violations, differential testing divergences , or other more complex ‘custom’ properties, as is likely with the appearance of tools such as DeepState that merge fuzzing and property‐based testing, it is hard to see how SCB will handle these ‘custom’ bug types.…”

Section: Fuzzer Taming For a Non‐compiler Target: Fuzzgoatmentioning

confidence: 99%

“…The selectivity of SCB dramatically improves its scalability and ease of use but limits applicability to cases where a patch template has been manually constructed, for example, buffer overruns and null pointer dereferences. While these cases are by far the most common in traditional security/crash‐based fuzzing, crashes are usually the uninteresting cases in compiler fuzzing, or fuzzing/symbolic‐execution‐based property‐based testing . It is unlikely that enough patch templates for the interesting changes to compiler code, or invariant‐preserving code in other fuzzing, can be manually produced to make SCB alone generalize to these settings.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Using mutants to help developers distinguish and debug (compiler) faults

Holmes

Groce

2020

Software Testing Verif & Rel

Self Cite

View full text Add to dashboard Cite

Summary Measuring the distance between two program executions is a fundamental problem in dynamic analysis of software and useful in many test generation and debugging algorithms. This paper proposes a metric for measuring distance between executions and specializes it to an important application: determining similarity of failing test cases for the purpose of automated fault identification and localization in debugging based on automatically generated compiler tests. The metric is based on a causal concept of distance where executions are similar to the degree that changes in the program itself, introduced by mutation, cause similar changes in the correctness of the executions. Specifically, if two failing test cases for a compiler can be made to pass by applying the same mutant, those two tests are more likely to be due to the same fault. We evaluate our metric using more than 50 faults and 2,800 test cases for two widely used real‐world compilers and demonstrate improvements over state‐of‐the‐art methods for fault identification and localization. A simple operator selection approach to reducing the number of mutants can reduce the cost of our approach by 70%, while producing a gain in fault identification accuracy. We additionally show that our approach, although devised for compilers, is applicable as a conservative fault localization algorithm for other types of programs and can help triage certain types of crashes found in fuzzing non‐compiler programs more effectively than a state‐of‐the‐art technique.

show abstract

“…These are the typical oracles used in general fuzzers [34]. Tools such as DeepState [37] make it possible to use QuickCheck-style property-based specifications with off-the-shelf fuzzers like AFL. Sanitizers are one of the most common types of implicit oracles used for fuzzing.…”

Section: A Fuzzingmentioning

confidence: 99%