Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond

Koushik Sen, EECS Department, University of California, Berkeley
https://people.eecs.berkeley.edu/~ksen/

1 Programs are still written by humans, and will be written by humans

2 To Err is Human Software Bugs

3 Programs Have Bugs

4 Why Program Testing?

• Programmer familiarity
• Concrete input for debugging
• No false positives
• Easy regression

5 Why Automated Testing?

6 Automated Testing Hits the Mainstream


15 Goals of Automated Testing

Assumption: A program with optional assertions

Goal: Automatically generate test inputs that
• Get “good” code coverage
• Find “most” assertion violations
• Find crashes
• Find security vulnerabilities

16 Approaches to Test Generation

• Symbolic execution
• Fuzz testing
• Hybrid
• Human guidance
• AI guidance
• Many more ...

17 Symbolic Execution and Concolic Testing

18 Symbolic Execution

• Java PathFinder, KLEE, S2E, Veritesting

Concolic Testing

• Combine concrete execution and symbolic execution
• DART, CUTE, CREST, ConBol, Apollo, Jalangi, CATG

Concrete + Symbolic = Concolic

19 Symbolic Execution and Concolic Testing

    void testme(int x, int y) {
        int z = 2 * y;          /* line 1 */
        if (z == x) {           /* line 2 */
            if (x > y + 10) {   /* line 3 */
                ERROR;          /* line 4: the target, e.g. an assertion failure */
            }
        }
    }

20-24 Symbolic Execution and Concolic Testing: a concolic run of testme

Start with a random concrete input, x = 0, y = 0, and track a symbolic value for every variable next to its concrete value:

    Step                           Concrete (x, y, z)   Symbolic (x, y, z)   Path constraint
    start                          0, 0, undef          x, y, undef          true
    after line 1 (z = 2 * y)       0, 0, 0              x, y, 2y             true
    line 2, z == x is true         0, 0, 0              x, y, 2y             2y = x
    line 3, x > y+10 is false      0, 0, 0              x, y, 2y             2y = x /\ ¬(x > y + 10)

To explore the other side of the last branch, negate its constraint and solve 2y = x /\ x > y + 10. The solver returns x = 22, y = 11, which become the test inputs for the next run.

25 Concolic Testing in Practice

• Led to the development of several industrial and academic automated testing and security tools
  – Projects at Intel, Google, MathWorks, NTT, SalesForce
  – PEX, SAGE, and YOGI at Microsoft
  – Apollo at IBM, and Conbol and Jalangi at Samsung
  – BitBlaze, jFuzz, Oasis, and SmartFuzz in academia

26 Coverage is Low

27 Why Coverage is Low?

✗ Expensive to explore each path (i.e. input)
✗ Astronomical # of paths
✗ Explores a small fraction of paths

But finds complex logical bugs

28 Fuzz Testing

29-32 Fuzzing in One Slide

Fuzzer → Program: randomly generate inputs (e.g. H@5^23#t.f) and run the program on each of them.

    ./Program < /dev/random

33-38 Mutational Fuzzing in One Slide

Start from seed interesting input(s). The fuzzer picks an input, mutates it, and runs the program on the mutant.

Mutational Fuzzers
• Radamsa
• Zzuf

39 Feedback-Directed Fuzzing

40-51 Feedback-directed Fuzzing 101

The loop (figure on the slides):
1. Seed interesting inputs.
2. Pick an input from the interesting inputs.
3. Mutate it.
4. Run the program on the mutant and collect feedback.
5. Is the mutant interesting? Yes: add it to the interesting inputs. No: discard it.

Feedback
• Coverage
• Execution length
• Well-formed input
• ...

Interesting?
• New coverage?
• Longer execution?
• Valid input?
• ...

Lots of choices:
1. Which input to pick?
2. How to mutate an input?
3. How many mutants to generate?
4. What kind of feedback?
5. How to decide if an input is interesting?

Resolved using heuristics over a period of 10 years

Fuzzers:
• AFL
• AFLFast
• Libfuzzer
• Angora
• VUzzer
• Steelix
• AFLGo
• AFLSmart
• Nautilus
• FairFuzz
• PerfFuzz
• JQF/Zest
• FuzzFactory
• RLCheck

52 What Bugs Can Fuzzing Find?

• Assertion violations
• Segmentation faults
• Buffer overflows
• Use-after-frees
• Integer
• etc. …

53 What Bugs Have Fuzzing Found?

• Tons of them ...
• CVE-2014-6277: ShellShock bug in Bash
  – GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment ...
• CVE-2014-0160: Heartbleed bug in OpenSSL
  – A read buffer overflow allowed an attacker to extract information from servers using OpenSSL
• CVE-2016-8677: ImageMagick
  – imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)
• CVE-2014-1564: Firefox
  – Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering
• CVE-2010-0539: Safari Remote Execution
  – Integer signedness error in the window drawing implementation in Apple Java for Mac OS X 10.5 ...

• See http://lcamtuf.coredump.cx/afl/ for an exhaustive list of bugs and security vulnerabilities found by a state-of-the-art fuzzer AFL

54 How Good is Fuzzing?

55 What’s Missing? Uneven Coverage

Observation: some parts of the program are easier to cover than others. The branch guarded by the length check is hit by 100k+ inputs, so the code under it is well-covered; the branch guarded by the header check is hit by 1 input.

    int process_xml(char *fuzzed_data, int fuzzed_data_len) {
        if (fuzzed_data_len >= 10) {              /* hit by 100k+ inputs */
            // more code                          /* code under it is well-covered */
        }
        // ...
        if (starts_with(fuzzed_data, "...")) {    /* hit by 1 input; the string literal is cut off on the slide */
            // ...
        }
        // ...
        return process_result;
    }

56 FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage

Caroline Lemieux, Koushik Sen University of California, Berkeley

source: https://github.com/carolemieux/afl-rb

57 Feedback-directed Fuzzing 101 (same loop as above)

58-59 FairFuzz: Ideas

2 heuristics added to the loop:
1. Identify branches hit by few inputs (rare branches).
2. Identify where an input can be mutated and still hit the branch.

60-61 Summary Results – Coverage Leaders

• FairFuzz achieves the highest coverage fast, for nearly all benchmarks

62 PerfFuzz: Automatically Generating Pathological Inputs

Caroline Lemieux, Rohan Padhye, Koushik Sen, Dawn Song University of California, Berkeley

source: https://github.com/carolemieux/perffuzz

63 Performance Problems Have Consequences

• poor user experience
• security vulnerabilities (DoS)
• excessive resource consumption

64 Feedback-directed Fuzzing 101 (same loop as above)

65 PerfFuzz: Idea

PerfFuzz keeps the loop and changes the heuristic:
1. Feedback: # of times each branch is executed.
2. Interesting: longer execution of some branch.

66-67 Macro-Benchmarks: Maximum Path Length

• Path length: total number of hits of CFG edges by an input
• Benchmarks: libpng (24.7x), libxml2, libjpeg-turbo, zlib

68 PerfFuzz: Memory-alloc Fuzzing

Same loop, with the heuristic changed again:
1. Feedback: # of bytes allocated at each malloc() call.
2. Interesting: more bytes allocated at some call than any other input.

69 Memory-alloc fuzzing: OOMs and Bombs

• Libpng
  1. 100 bytes input with large dimensions
     • Reader allocates 2 billion bytes
  2. 100 bytes input with large color space, but fixed dimension
     • Color table allocated with 4 GB space
• Libarchive
  1. 50 bytes zipped file: 4GB output
  2. Memory leaks with LZMA compression (32 ZIP leaks 96 bytes)

70 FuzzFactory: Domain-Specific Fuzzing with Waypoints

Rohan Padhye and Caroline Lemieux and Koushik Sen and Laurent Simon and Hayawardh Vijayakumar

source: https://github.com/rohanpadhye/FuzzFactory

71 Domain-Specific Fuzzers

• Zest [Padhye et al. 2018] – “increase coverage amongst valid inputs”
• SlowFuzz [Petsios et al. 2017] – “increase path length”
• PerfFuzz [Lemieux et al. 2018] – “maximize branch exec counts”
• DifFuzz [Nilizadeh et al. 2019] – “leak more info on the side channel”
• MemFuzz [Coppik et al. 2019] – “access new input-dependent memory locations”

Common Strategy: Save intermediate inputs (“Waypoints”)

72 Can we rapidly create domain-specific fuzzers?

Without touching the underlying search algorithm

73 Feedback-directed Fuzzing 101 (same loop as above)

FuzzFactory generalizes the “Interesting?” test: feedback is a key-value map dsf(k), and a mutant is interesting if it has a better value of dsf(k) for some k.

74 Example Fuzzers using FuzzFactory

• CMP
  – Goal: Test programs whose inputs require magic bytes, checksums, etc.
  – Waypoints: inputs which increase progress of strcmp, memcmp, strstr, etc.
• MEM
  – Goal: Find memory allocation and management related bugs
  – Waypoints: inputs which increase args to malloc()
• CMP+MEM
  – Goal: Find memory mgmt bugs in programs with magic bytes, checksums, etc.
  – Waypoints: CMP or MEM
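The Fuzzing 101 loop with FuzzFactory's dsf(k) feedback, as an added Python example (not FuzzFactory's, AFL's or PerfFuzz's own code) that serves the feedback-directed loop, the PerfFuzz heuristic and the CMP/MEM waypoints described above: one loop keeps an input whenever it improves some key of a feedback map, which reduces to “new coverage?” for coverage keys, “more bytes allocated?” for allocation keys and “more of the header matched?” for comparison keys. The target program, its magic bytes PX, the seed and the BOMB_BYTES threshold are constructed for this example.

```python
"""Feedback-directed fuzzing loop with a FuzzFactory-style domain-specific
feedback map. The loop is the 'Fuzzing 101' loop from the slides; what varies is
the feedback and the 'interesting?' test. Target, magic bytes, threshold and
seed are constructed for this example."""
import random

MAGIC = b"PX"        # constructed 2-byte header (short so the example converges fast)
BOMB_BYTES = 60_000  # constructed limit standing in for "allocation too large"


class Feedback:
    """dsf(k): key -> value for one execution, reduced with max.
    ("cov", id) -> 1 when hit (AFL coverage); ("cmp", site) -> matched prefix
    length (CMP waypoints); ("mem", site) -> bytes requested (MEM waypoints)."""

    def __init__(self):
        self.dsf = {}

    def record(self, key, value):
        self.dsf[key] = max(value, self.dsf.get(key, 0))


def target(data, fb):
    """Constructed decoder: strcmp-like header check, then an input-sized allocation."""
    fb.record(("cov", "entry"), 1)
    matched = 0
    for i, c in enumerate(MAGIC):            # byte-by-byte compare ...
        if i >= len(data) or data[i] != c:
            break
        matched += 1
    fb.record(("cmp", "magic"), matched)     # ... reporting progress, not just pass/fail
    if matched < len(MAGIC):
        fb.record(("cov", "bad-magic"), 1)
        return "rejected"
    if len(data) < 4:
        fb.record(("cov", "truncated"), 1)
        return "truncated"
    nbytes = data[2] * data[3] * 4           # width * height * 4: what malloc() would get
    fb.record(("mem", "pixels"), nbytes)
    if nbytes > BOMB_BYTES:
        fb.record(("cov", "alloc-bomb"), 1)
        return "alloc-bomb"
    fb.record(("cov", "decoded"), 1)
    return "decoded"


def run(data):
    fb = Feedback()
    return target(data, fb), fb.dsf


def is_interesting(dsf, best):
    """FuzzFactory's rule: keep the input if it improves dsf(k) for some k."""
    return any(v > best.get(k, 0) for k, v in dsf.items())


def mutate(data, rng):
    """Classic byte-level mutators; the feedback, not the mutator, is the point here."""
    data = bytearray(data)
    pos = rng.randrange(len(data))
    r = rng.random()
    if r < 0.5:
        data[pos] = rng.randrange(256)                         # random byte
    elif r < 0.75:
        data[pos] ^= 1 << rng.randrange(8)                     # bit flip
    else:
        data[pos] = (data[pos] + rng.choice((-1, 1))) & 0xFF   # small arithmetic step
    return bytes(data)


def fuzz(seed, iterations, rng_seed=1):
    """Returns (corpus, best, verdicts): saved inputs, best dsf values, verdict counts."""
    rng, corpus, best, verdicts = random.Random(rng_seed), [], {}, {}

    def consider(data):
        verdict, dsf = run(data)
        verdicts[verdict] = verdicts.get(verdict, 0) + 1
        if is_interesting(dsf, best):           # yes: add to the interesting inputs
            corpus.append(data)
            for k, v in dsf.items():
                best[k] = max(v, best.get(k, 0))
        # no: discard

    consider(seed)
    for _ in range(iterations):
        # Crude stand-in for AFL's queue scheduling: favour the newest find.
        parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)
        consider(mutate(parent, rng))
    return corpus, best, verdicts


if __name__ == "__main__":
    corpus, best, verdicts = fuzz(bytes([0, 0, 1, 1]), 50_000)
    print("saved inputs:", [c.hex() for c in corpus])
    print("best feedback:", best)
    print("verdicts:", verdicts)
```

Watch the corpus grow: the header is matched one byte at a time because the cmp key rewards progress, and the allocation climbs because the mem key rewards every larger request, which is the waypoint idea.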

75 Super-Fuzzer: CMP + MEM

LZ4 Bomb (4GB alloc when decoding 21-byte input)

PNG Bomb (2GB alloc when reading ~100 byte 20px image)

77 Coverage is Still Low

78 Why Coverage is Still Low?

✗ Cannot explore “deep states”
✗ Cannot find complex logical bugs
✗ Gets stuck in input parsing stage
✗ Hardly gets 20%-30% code coverage on real-world software

But cheap and simple

79 Time to Bring Human in the Loop

Approach: Human restricts the set of inputs to be explored by providing a randomized generator, or a precondition on inputs, or ...

Algorithms to search the restricted input space

80 Semantic Fuzzing with Zest

Rohan Padhye (UC Berkeley), Caroline Lemieux (UC Berkeley), Koushik Sen (UC Berkeley), Mike Papadakis (U. Luxembourg), Yves Le Traon (U. Luxembourg)

source: https://github.com/rohanpadhye/jqf

81 How do I test ...?

• a program taking an XML file as input – (e.g. Maven, Ant)

• a compiler – (e.g. closure or Rhino compilers for JavaScript)

• In general, a program taking structurally complex inputs

82 Human Writes a Simple Input Generator

    public XMLElement genXML(Random random) {
        // Generate a random tag name
        String name = random.nextString(MAX_TAG_LENGTH);
        XMLElement node = new XMLElement(name);
        // Generate a random number of children
        int n = random.nextInt(MAX_CHILDREN);
        for (int i = 0; i < n; i++) {
            // Generate child nodes recursively
            node.addChild(genXML(random));
        }
        // Maybe insert text inside element
        if (random.nextBoolean()) {
            node.addText(random.nextString(MAX_TEXT_LENGTH));
        }
        return node;
    }

✓ Generates random syntactically valid XML documents
✗ May not conform to a given schema

Example generated: a small XML document rendered on the slide (elements foo, i, br and text xyz)
83 Zest: Mutate Params to Generator

The same loop, but the fuzzer now works on the parameters fed to the generator rather than on the input itself: seed interesting params; pick a set of params; mutate the params; run the generator on them to produce an input, and the program on that input; collect feedback.

Feedback
• Coverage
• Input validity

Interesting?
• New coverage?
• Valid input?

Yes: add the params to the interesting params. No: discard them.
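Zest's mutate-the-parameters idea applied to the genXML generator above, as an added Python example (not the JQF/Zest code): the generator's Random is replaced by a parameter sequence, so mutating a byte of that sequence changes a generator choice and every mutant is still a well-formed XML document, whereas mutating the generated bytes directly mostly is not. ParamSource, the constants, PARAMS and the raw-byte mutator are constructed for this example.

```python
"""Zest's 'mutate the parameters, not the input' idea on the slide's genXML
generator. The generator is rewritten in Python with the Random replaced by a
parameter sequence; flipping a byte of that sequence changes a generator choice,
so every mutant is still a well-formed XML document. Constants, the parameter
list and the raw-byte mutator used for comparison are constructed here."""
import random
import xml.etree.ElementTree as ET

MAX_TAG_LENGTH, MAX_CHILDREN, MAX_TEXT_LENGTH, MAX_DEPTH = 4, 3, 5, 4
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class ParamSource:
    """Stands in for java.util.Random: every 'random' choice is read from a
    parameter sequence. Once the sequence is used up, Zest draws fresh random
    bytes; here we pad with zeros so the example stays deterministic."""

    def __init__(self, params):
        self.params, self.pos = list(params), 0

    def next_byte(self):
        b = self.params[self.pos] if self.pos < len(self.params) else 0
        self.pos += 1
        return b

    def next_int(self, bound):
        return self.next_byte() % bound

    def next_boolean(self):
        return self.next_byte() % 2 == 1

    def next_string(self, max_len):   # 1..max_len lowercase letters (never empty)
        n = 1 + self.next_int(max_len)
        return "".join(ALPHABET[self.next_int(len(ALPHABET))] for _ in range(n))


def gen_xml(src, depth=0):
    """The slide's genXML as a (name, children, text) tree, choices taken from src."""
    name = src.next_string(MAX_TAG_LENGTH)                    # random tag name
    n = src.next_int(MAX_CHILDREN) if depth < MAX_DEPTH else 0  # number of children
    children = [gen_xml(src, depth + 1) for _ in range(n)]    # recursive children
    text = src.next_string(MAX_TEXT_LENGTH) if src.next_boolean() else ""
    return name, children, text


def to_xml(node):
    name, children, text = node
    return f"<{name}>{''.join(to_xml(c) for c in children)}{text}</{name}>"


def well_formed(doc):
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def mutate_params(params, rng):
    """Zest-style mutation: overwrite one parameter byte."""
    out = list(params)
    out[rng.randrange(len(out))] = rng.randrange(256)
    return out


def mutate_raw(doc, rng):
    """Byte-level mutation of the generated document, for comparison."""
    i = rng.randrange(len(doc))
    return doc[:i] + chr(rng.randrange(32, 127)) + doc[i + 1:]


def compare(params, trials, rng_seed=7):
    """How many of `trials` mutants are well-formed XML: (param-level, raw-level)."""
    rng = random.Random(rng_seed)
    base = to_xml(gen_xml(ParamSource(params)))
    ok_params = sum(well_formed(to_xml(gen_xml(ParamSource(mutate_params(params, rng)))))
                    for _ in range(trials))
    ok_raw = sum(well_formed(mutate_raw(base, rng)) for _ in range(trials))
    return ok_params, ok_raw


# Constructed parameter sequence, consumed left to right by gen_xml.
PARAMS = [2, 5, 14, 14, 1, 0, 2, 0, 1, 1, 0, 7, 0]

if __name__ == "__main__":
    print(to_xml(gen_xml(ParamSource(PARAMS))))   # <foo><c>ah</c></foo>
    print(compare(PARAMS, 200))
```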

84 Zest: New bugs discovered

• Google Closure Compiler: #2842, #2843, #3220, #3173
• OpenJDK: JDK-8190332, JDK-8190511, JDK-8190512, JDK-8190997, JDK-8191023, JDK-8191076, JDK-8191109, JDK-8191174, JDK-8191073, JDK-8193444, JDK-8193877, CVE-2018-3214
• Apache Commons: LANG-1385, COMPRESS-424, COLLECTIONS-714, CVE-2018-11771
• Apache Ant: #62655
• Apache Maven: #34, #57
• Apache PDFBox: PDFBOX-4333, PDFBOX-4338, PDFBOX-4339, CVE-2018-8036
• Apache TIKA: CVE-2018-8017, CVE-2018-12418
• Apache BCEL: BCEL-303, BCEL-307, BCEL-308, BCEL-309, BCEL-310, BCEL-311, BCEL-312, BCEL-313
• Mozilla Rhino: #405, #406, #407, #409, #410

85 Zest finds complex semantic bugs

On this JavaScript input, Google’s Closure compiler throws an “IllegalStateException: Unexpected variable” during optimization passes

86 Time to Bring Human in the Loop

Approach: Human restricts the set of inputs to be explored by providing a randomized generator, or a precondition on inputs, or ...

Algorithms to search the restricted input space

87 Efficient Sampling of SAT and SMT Constraints

Rafael Dutra, Kevin Laeufer, Jonathan Bachrach, and Koushik Sen, EECS Department, UC Berkeley

source: https://github.com/RafaelTupynamba/quicksampler

88 Human Writes a Pre-condition on Inputs

• An over-approximation of valid inputs
• Restricts the set of inputs to be generated

Goal: sample inputs from the restricted input space

In SMT (Satisfiability Modulo Theories):

    (x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
    where x = mem[0], y = mem[1], mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
    mem ∈ Array(BV[4], BV[4])

89 Sampling SAT and SMT Constraints

Input: Logical constraint (SAT formula)
Goal: Quickly generate lots of solutions that satisfy the constraint

    (x1 ∨ x4) ∧ (x1 ∨ ¬x3 ∨ ¬x8) ∧ (x1 ∨ x8 ∨ x6) ∧ (x2 ∨ x5) ∧
    (¬x7 ∨ ¬x3 ∨ x9) ∧ (¬x7 ∨ x8 ∨ ¬x9) ∧ (x7 ∨ x8 ∨ ¬x10) ∧ (x7 ∨ x10 ∨ ¬x6)

Solutions (one per row):

          x1 x2 x3 x4 x5 x6 x7 x8 x9 x10
    σ0     1  0  0  0  1  0  0  0  1  0
    σ1     0  0  0  1  1  0  0  1  1  0
    σ2     1  1  0  0  1  0  0  0  1  0
    σ3     0  1  0  1  1  0  0  1  1  0
    σ4     1  0  1  0  1  0  0  0  1  0
    σ5     1  1  1  0  1  0  0  0  1  0

90 QuickSampler

Our goals:
• Generate samples >100x faster than other techniques
• Sampling should be close to uniform

Our approach:
• Compute patterns of flips which preserve satisfiability
• Combine those bit flip patterns to generate lots of samples

91-117 Formula φ(x0,x1,x2,x3,y0,y1,y2,y3): QuickSampler on one formula

Start from a random assignment σ’ and let MAX-SAT find the solution σ closest to it:

                              x0 x1 x2 x3 y0 y1 y2 y3
    Random assignment σ’       0  0  1  0  1  1  0  0
    MAX-SAT solution σ         0  0  1  0  1  1  1  0

Next, for each variable in turn, force it to the opposite value and ask MAX-SAT for the solution closest to σ (at most n MAX-SAT calls). Flipping x2 is UNSAT, so it yields no mutation:

    σ0 (flip x0)               1  0  1  0  0  1  1  0
    σ1 (flip x1)               0  1  1  1  1  0  1  0
    σ3 (flip x3)               0  0  1  1  1  1  1  0

The atomic mutations are the differences from σ:

    δ0 = σ ⊕ σ0                1  0  0  0  1  0  0  0
    δ1 = σ ⊕ σ1                0  1  0  1  0  1  0  0
    δ3 = σ ⊕ σ3                0  0  0  1  0  0  0  0

Combining atomic mutations needs no further MAX-SAT calls: OR the mutations together and XOR the result into σ:

    δ01 = δ0 ∨ δ1              1  1  0  1  1  1  0  0
    σ01 = σ ⊕ δ01              1  1  1  1  0  0  1  0
    δ03 = δ0 ∨ δ3              1  0  0  1  1  0  0  0
    σ03 = σ ⊕ δ03              1  0  1  1  0  1  1  0
    δ13 = δ1 ∨ δ3              0  1  0  1  0  1  0  0
    δ013 = δ0 ∨ δ1 ∨ δ3        1  1  0  1  1  1  0  0

At most n MAX-SAT calls generate the atomic mutations; combining up to 6 of them gives (n choose 6) = O(n^6) samples with NO MAX-SAT. For example, at most 50 MAX-SAT calls give 15,890,700 samples by combining mutations.
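The mutation-combining steps above, run on the 10-variable formula from slide 89, as an added Python example (not the QuickSampler implementation, which is C++ on Z3): a brute-force max_sat() plays the MAX-SAT oracle, the per-variable flips produce the atomic mutations, and their OR-combinations are applied to σ and then checked for validity. quick_sample(), xor() and or_() are this example's names.

```python
"""QuickSampler's core idea on the 10-variable formula from slide 89: find the
solution σ closest to a random assignment with one MAX-SAT call, flip each
variable once (one MAX-SAT call per variable) to learn atomic mutations
δ_i = σ ⊕ σ_i, then combine mutations with OR and apply them to σ without any
further solver calls. The MAX-SAT oracle is brute force, so this only works for
small formulas; QuickSampler itself uses Z3."""
from itertools import combinations, product

# Clauses from slide 89, DIMACS style: 3 means x3, -7 means ¬x7.
PHI = [[1, 4], [1, -3, -8], [1, 8, 6], [2, 5],
       [-7, -3, 9], [-7, 8, -9], [7, 8, -10], [7, 10, -6]]
NVARS = 10


def satisfies(cnf, assignment):
    """assignment[i] is the truth value of x_{i+1}."""
    return all(any(assignment[abs(l) - 1] == (l > 0) for l in clause) for clause in cnf)


def max_sat(cnf, n, soft, forced=()):
    """Brute-force MAX-SAT: among assignments satisfying cnf and the forced literals
    (hard), return one agreeing with `soft` on as many variables as possible;
    None if the hard part is unsatisfiable. Ties go to the first assignment found."""
    best, best_score = None, -1
    for cand in product((False, True), repeat=n):
        if not satisfies(cnf, cand) or any(cand[abs(l) - 1] != (l > 0) for l in forced):
            continue
        score = sum(a == b for a, b in zip(cand, soft))
        if score > best_score:
            best, best_score = cand, score
    return best


def xor(a, b):
    return tuple(x != y for x, y in zip(a, b))


def or_(a, b):
    return tuple(x or y for x, y in zip(a, b))


def quick_sample(cnf, n, sigma_prime, max_combine=6):
    """Returns (σ, atomic mutations, all combined samples, the valid ones)."""
    sigma = max_sat(cnf, n, soft=sigma_prime)          # 1 MAX-SAT call
    if sigma is None:
        raise ValueError("formula is unsatisfiable")
    deltas = []
    for i in range(n):                                 # at most n MAX-SAT calls
        lit = -(i + 1) if sigma[i] else i + 1          # force x_{i+1} to flip
        sigma_i = max_sat(cnf, n, soft=sigma, forced=(lit,))
        if sigma_i is None:                            # UNSAT: x_{i+1} is fixed by φ
            continue
        delta = xor(sigma, sigma_i)
        if delta not in deltas:
            deltas.append(delta)
    samples = set()
    for k in range(1, min(max_combine, len(deltas)) + 1):
        for combo in combinations(deltas, k):
            delta = combo[0]
            for d in combo[1:]:
                delta = or_(delta, d)                  # δ_ij = δ_i ∨ δ_j
            samples.add(xor(sigma, delta))             # σ_ij = σ ⊕ δ_ij, no solver call
    valid = {s for s in samples if satisfies(cnf, s)}  # QuickSampler checks validity
    return sigma, deltas, samples, valid


if __name__ == "__main__":
    import random
    rng = random.Random(3)
    sigma_prime = tuple(rng.random() < 0.5 for _ in range(NVARS))
    sigma, deltas, samples, valid = quick_sample(PHI, NVARS, sigma_prime)
    print("sigma:", "".join("1" if b else "0" for b in sigma))
    print(f"{len(deltas)} atomic mutations, {len(samples)} samples, {len(valid)} valid")
```

The ratio len(valid)/len(samples) is the validity rate the combined mutations achieve without any solver call; the atomic σ ⊕ δ_i are always valid because each is itself a MAX-SAT solution.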

118 SMTSampler: Sampling Solutions of SMT Formulas

SMT (Satisfiability Modulo Theories) example:

    (x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
    where x = mem[0], y = mem[1], mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
    mem ∈ Array(BV[4], BV[4])

• Extend the mutations to work over bit-vectors, arrays and uninterpreted functions
• Adaptive generation of solutions based on accuracy
• Improved scalability for more complex formulas
• Dutra et al. [ICCAD 2018]

120 Implementation

• Implemented in C++ using Z3 as the constraint solver
• https://github.com/RafaelTupynamba/quicksampler
• https://github.com/RafaelTupynamba/SMTsampler

Optimizations:
• Eager generation of samples
• Independent support
• Unsatisfiable variables

121 Experiments

We compared QuickSampler against two state-of-the-art samplers:
• UniGen2 [1]
  – Uses universal hashing to partition the solution space and produce provably uniform samples
• SearchTreeSampler [2]
  – Generates pseudo-solutions: partial assignments that can be completed to full solutions

[1] Supratik Chakraborty, Daniel J. Fremont, Kuldeep S. Meel, Sanjit A. Seshia, and Moshe Y. Vardi. 2015. On Parallel Scalable Uniform SAT Witness Generation. In TACAS 2015.
[2] Stefano Ermon, Carla P. Gomes, and Bart Selman. 2012. Uniform solution sampling using a constraint solver as an oracle. In UAI 2012.

122

● QuickSampler generates valid solutions
  ○ 10^(2.5±0.8) times faster than SearchTreeSampler
  ○ 10^(4.7±1.0) times faster than UniGen2
● QuickSampler generates unique valid solutions
  ○ 10^(2.3±0.7) times faster than SearchTreeSampler
  ○ 10^(4.4±1.1) times faster than UniGen2

124 Experiments: Unique Solutions

Higher is better

125 Experiments: Uniformity

126 QuickSampler and SMTSampler: Limitations

• Lacks diversity of samples (figure on the slide: the solution space of φ(x, y, z) split by a predicate such as x ≥ 4)
• Need to solve the following problem:
  ● Sample solutions from φ given the coverage predicates ψ1, ψ2, …, ψn
  ● Uniformly sample solutions from the coverage classes

127 Solution: GuidedSampler

Our approach extends SMTSampler by:

• Pick a random coverage class of initial solution

• Flip coverage predicates to compute neighboring solutions

• Discard new solutions that repeat a previously seen coverage class

source: https://github.com/RafaelTupynamba/GuidedSampler

128 Experiments: Uniformity over Coverage Classes


131-134 Automated Test Generation: Past, Present, and Future

Symbolic Execution → Smart Fuzzing → Hybrid

Human Guidance: Generators, Preconditions, Path Annotations, ...

AI Guidance

135 Our team

Abdus Salam Azad, Rohan Bavishi, Rafael Dutra, Kevin Laeufer, Caroline Lemieux, Rohan Padhye, Koushik Sen, Ed Younis

136 Thank you!