Automated Test Generation: A Journey from Symbolic Execution to Smart Fuzzing and Beyond Koushik Sen EECS Department University of California, Berkeley https://people.eecs.berkeley.edu/~ksen/
1 Programs are still written by humans, and will be written by humans
2 To Err is Human Software Bugs
3 Programs Have Bugs
4 Why Program Testing?
• Programmer familiarity
• Concrete input for debugging
• No false positives
• Easy regression
5 Why Automated Testing?
6 Automated Testing Hits the Mainstream
15 Goals of Automated Testing
Assumption: A program with optional assertions
Goal: Automatically generate test inputs that
• Get “good” code coverage
• Find “most” assertion violations
• Find crashes
• Find security vulnerabilities
16 Approaches to Test Generation
• Symbolic execution
• Fuzz testing
• Hybrid
• Human guidance
• AI guidance
• Many more ...
17 Symbolic Execution and Concolic Testing
18 Symbolic Execution and Concolic Testing
Symbolic execution: Java PathFinder, KLEE, S2E, Veritesting
Concolic testing: combine concrete execution and symbolic execution (Concrete + Symbolic = Concolic): DART, CUTE, CREST, ConBol, Apollo, Jalangi, CATG
19–24 Symbolic Execution and Concolic Testing: worked example

    void testme (int x, int y) {
      z = 2 * y;
      if (z == x) {
        if (x > y+10) {
          ERROR;
        }
      }
    }

Concolic execution runs the program on a concrete input while tracking, for each variable, a symbolic expression over the inputs, and a path constraint over the branches taken so far. Starting from the concrete input x = 0, y = 0:

  Point in execution         Concrete x, y, z   Symbolic x, y, z   Path constraint
  entry                      0, 0, undef        x, y, undef        true
  after z = 2 * y            0, 0, 0            x, y, 2y           true
  z == x taken (true)        0, 0, 0            x, y, 2y           2y = x
  x > y+10 not taken         0, 0, 0            x, y, 2y           2y = x ∧ ¬(x > y + 10)

To steer the next run into ERROR, negate the last branch condition and solve 2y = x ∧ x > y + 10. Solve → Test inputs: x = 22, y = 11; re-executing concretely on that input reaches ERROR.
25 Concolic Testing in Practice
• Led to the development of several industrial and academic automated testing and security tools
  – Projects at Intel, Google, MathWorks, NTT, SalesForce
  – PEX, SAGE, and YOGI at Microsoft
  – Apollo at IBM, and Conbol and Jalangi at Samsung
  – BitBlaze, jFuzz, Oasis, and SmartFuzz in academia
26 Coverage is Low
27 Why Coverage is Low?
✗ Expensive to explore each path (i.e. input)
✗ Astronomical # of paths
✗ Explores a small fraction of paths
But finds complex logical bugs
28 Fuzz Testing
29–32 Fuzzing in One Slide
Fuzzer → randomly generated inputs (e.g. H@5^23#t.f) → run each input on the Program

    ./Program < /dev/random
33–38 Mutational Fuzzing in One Slide
Seed interesting input(s) → pick an input → mutate it → run the mutant on the Program → repeat
Mutational fuzzers:
• Radamsa
• Zzuf
39 Feedback-Directed Fuzzing
40–51 Feedback-directed Fuzzing 101
The loop (the diagram repeated on these slides):
1. Seed interesting inputs.
2. Pick an input from the interesting inputs.
3. Mutate it to produce new inputs.
4. Run each new input on the Program and collect feedback.
5. Interesting? Yes: add the input to the interesting inputs. No: discard the input.
Feedback • Coverage • Execution length • Well-formed input • ...
Interesting? • New coverage? • Longer execution? • Valid input? • ...
Lots of choices:
1. Which input to pick?
2. How to mutate an input?
3. How many mutants to generate?
4. What kind of feedback?
5. How to decide if an input is interesting?
Resolved using heuristics over a period of 10 years.
Fuzzers: • AFL • AFLFast • Libfuzzer • Angora • VUzzer • Steelix • AFLGo • AFLSmart • Nautilus • FairFuzz • PerfFuzz • JQF/Zest • FuzzFactory • RLCheck
52 What Bugs Can Fuzzing Find?
• Assertion violations
• Segmentation faults
• Buffer overflows
• Use-after-frees
• Integer signedness
• etc. …
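The Fuzzing 101 loop and the crash classes just listed, as an added example (not code from the deck or from AFL): a coverage-guided mutational fuzzer in which "feedback" is the set of intra-function edges and "interesting" means a new edge. Coverage is collected with `sys.settrace` rather than compile-time instrumentation, the havoc mutator and corpus policy are this example's own simplifications of AFL's, and the target is a constructed toy TLV parser whose checksum loop trusts the length field (the Python analogue of a buffer over-read).

```python
"""Coverage-guided mutational fuzzing loop (added illustration)."""
import random
import sys


def parse_tlv(data):
    """Constructed target: records of tag(1) length(1) value(length) bytes.
    ValueError is a clean rejection; the checksum loop trusts the length
    field, so an oversized length over-reads the buffer and raises IndexError."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 1 >= len(data):
            raise ValueError("truncated record header")
        tag, length = data[pos], data[pos + 1]
        if tag == 0x00:                              # padding record
            pos += 2
            continue
        if tag == 0x01:                              # big-endian unsigned integer
            value = int.from_bytes(data[pos + 2:pos + 2 + length], "big")
        elif tag == 0x02:                            # latin-1 string
            value = data[pos + 2:pos + 2 + length].decode("latin-1")
        else:
            raise ValueError("unknown tag")
        checksum = 0
        for i in range(pos + 2, pos + 2 + length):
            checksum ^= data[i]                      # BUG: length never checked against len(data)
        records.append((tag, value, checksum))
        pos += 2 + length
    return records


def run_with_coverage(target, data):
    """Run target(data); return (edge set, status). Edges are (previous line,
    current line) pairs inside the target's own frame, the feedback AFL's edge
    bitmap approximates. Any exception other than ValueError counts as a crash."""
    edges, prev, code = set(), [None], target.__code__

    def local_tracer(frame, event, arg):
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return local_tracer

    def global_tracer(frame, event, arg):
        return local_tracer if frame.f_code is code else None

    saved = sys.gettrace()
    sys.settrace(global_tracer)
    try:
        target(data)
        status = "ok"
    except ValueError:
        status = "rejected"
    except Exception as exc:
        status = "crash:" + type(exc).__name__
    finally:
        sys.settrace(saved)
    return frozenset(edges), status


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def havoc(data, rng):
    """Stack 1 to 4 random byte-level mutations, AFL havoc style."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0 and buf:                          # flip one bit
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:                        # overwrite a byte
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2 and buf:                        # overwrite with an interesting value
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 3:                                # insert a byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 4 and len(buf) > 1:               # delete a byte
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations, rng):
    """Pick, mutate, run, keep the mutant only if it reached a new edge.
    Crashes are deduplicated by (exception, edge set) and never enter the corpus."""
    corpus, seen, crashes = [], set(), {}
    for seed in seeds:
        seen |= run_with_coverage(target, seed)[0]
        corpus.append(seed)
    for _ in range(iterations):
        child = havoc(rng.choice(corpus), rng)
        edges, status = run_with_coverage(target, child)
        if status.startswith("crash"):
            crashes.setdefault((status, edges), child)
        elif not edges <= seen:                      # interesting: new coverage
            seen |= edges
            corpus.append(child)
    return corpus, seen, crashes


def classify(target, data):
    """Re-run an input without tracing and name the exception it raises, if any."""
    try:
        target(data)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def demo(seed=1234, iterations=3000):
    return fuzz(parse_tlv, [b"\x01\x02AB"], iterations, random.Random(seed))


if __name__ == "__main__":
    corpus, seen, crashes = demo()
    print(f"{len(corpus)} corpus inputs, {len(seen)} edges, {len(crashes)} unique crashes")
    for (status, _), data in crashes.items():
        print(status, data.hex())
```

Run it and the corpus grows as mutants reach the padding, string and unknown-tag paths, while inputs whose length byte exceeds the remaining data are reported once per distinct (exception, edge set) pair rather than once per mutant; reproducing a crash is just re-running the saved input without the tracer, which is the habit to keep for real targets too.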
53 What Bugs Have Fuzzing Found?
• Tons of them ...
• CVE-2014-6277: ShellShock bug in Bash
  – GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment ...
• CVE-2014-0160: Heartbleed bug in OpenSSL
  – A buffer over-read allowed an attacker to extract information from servers using OpenSSL
• CVE-2016-8677: ImageMagick
  – imagemagick: memory allocate failure in AcquireQuantumPixels (quantum.c)
• CVE-2014-1564: Firefox
  – Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering
• CVE-2010-0539: Safari Remote Execution
  – Integer signedness error in the window drawing implementation in Apple Java for Mac OS X 10.5 ...
• See http://lcamtuf.coredump.cx/afl/ for an exhaustive list of bugs and security vulnerabilities found by a state-of-the-art fuzzer, AFL
54 How Good is Fuzzing?
55 What’s Missing? Uneven Coverage
Observation: some parts of the program are easier to cover than others

    int process_xml(char * fuzzed_data, int fuzzed_data_len) {
      if (fuzzed_data_len >= 10) {     // Hit by 100k+ inputs: the code under it is well-covered
        // more code
      }
      // ...
      if (starts_with(fuzzed_data, /* string literal lost in extraction */)) {   // Hit by 1 input
        /* body lost in extraction */
      }
      // ...
      return process_result;
    }
56 FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage
Caroline Lemieux, Koushik Sen University of California, Berkeley
source: https://github.com/carolemieux/afl-rb
57 Feedback-directed Fuzzing 101 (the same loop as slide 40)
58–59 FairFuzz: Ideas
FairFuzz adds 2 heuristics to the loop:
1. Identify branches hit by few inputs (rare branches).
2. Identify where an input can be mutated and still hit the branch.
60–61 Summary Results – Coverage Leaders
(figure: coverage over time per benchmark)
FairFuzz achieves the highest coverage fast, for nearly all benchmarks
62 PerfFuzz: Automatically Generating Pathological Inputs
Caroline Lemieux, Rohan Padhye, Koushik Sen, Dawn Song University of California, Berkeley
source: https://github.com/carolemieux/perffuzz
63 Performance Problems Have Consequences
• poor user experience
• excessive resource consumption
• security vulnerabilities (DoS)
64 Feedback-directed Fuzzing 101 (the same loop as slide 40)
65 PerfFuzz: Idea
PerfFuzz changes the loop's heuristics:
1. Feedback: # of times each branch is executed
2. Interesting: longer execution of some branch than in any previous input
66–67 Macro-Benchmarks: Maximum Path Length
• Path length: total number of hits of CFG edges by an input
(figure: maximum path length per benchmark for libpng, libxml2, libjpeg-turbo and zlib; the libpng result is annotated 24.7x)
68 PerfFuzz: Memory-alloc Fuzzing
Change the heuristics again:
1. Feedback: # of bytes allocated at each malloc() call
2. Interesting: more bytes allocated at some call than by any other input
69 Memory-alloc fuzzing: OOMs and Bombs
• libpng
  1. 100-byte input with large dimensions: the reader allocates 2 billion bytes
  2. 100-byte input with a large color space but fixed dimension: the color table is allocated with 4 GB of space
• libarchive
  1. 50-byte zipped file: 4 GB output
  2. Memory leaks with LZMA compression (a 32-byte ZIP leaks 96 bytes)
70 FuzzFactory: Domain-Specific Fuzzing with Waypoints
Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon and Hayawardh Vijayakumar
source: https://github.com/rohanpadhye/FuzzFactory
71 Domain-Specific Fuzzers
• Zest [Padhye et al. 2018] – “increase coverage amongst valid inputs”
• SlowFuzz [Petsios et al. 2017] – “increase path length”
• PerfFuzz [Lemieux et al. 2018] – “maximize branch exec counts”
• DifFuzz [Nilizadeh et al. 2019] – “leak more info on the side channel”
• MemFuzz [Coppik et al. 2019] – “access new input-dependent memory locations”
Common strategy: save intermediate inputs (“waypoints”)
72 Can we rapidly create domain-specific fuzzers? Without touching the underlying search algorithm
73 Feedback-directed Fuzzing 101 (the same loop as slide 40, with the Interesting? step generalized)
Interesting? • Better value of dsf(k) for some k? (dsf is a domain-specific feedback key-value map filled in by instrumentation)
74 Example Fuzzers using FuzzFactory
• CMP
  – Goal: Test programs whose inputs require magic bytes, checksums, etc.
  – Waypoints: inputs which increase the progress of strcmp, memcmp, strstr, etc.
• MEM
  – Goal: Find memory allocation and management related bugs
  – Waypoints: inputs which increase the args to malloc()
• CMP+MEM
  – Goal: Find memory mgmt bugs in programs with magic bytes, checksums, etc.
  – Waypoints: CMP or MEM
75–76 Super-Fuzzer: CMP + MEM
LZ4 Bomb (4GB alloc when decoding 21-byte input)
PNG Bomb (2GB alloc when reading ~100 byte 20px image)
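The CMP + MEM waypoints of slides 73 to 76, and the PerfFuzz memory-alloc feedback of slide 68, as one added example (not FuzzFactory's or PerfFuzz's code): the instrumented `memcmp`/`malloc` stand-ins fill a key-value map `dsf`, the loop treats an input as interesting whenever some key reaches a value no earlier input reached, and the target is a constructed image decoder with a 4-byte magic header followed by a size field that drives an allocation. Plain coverage sees the magic check as a single branch; the CMP waypoint rewards each matching prefix byte, which is what lets the fuzzer get past it and then drive the MEM key toward a "bomb". The `MAGIC` value, the target and the 80/20 parent-selection rule are this example's assumptions.

```python
"""Domain-specific feedback with waypoints (added illustration)."""
import random

MAGIC = b"\x89PNG"          # constructed header, the first four PNG signature bytes
DSF = {}                    # domain-specific feedback for the current run: key -> value


def dsf_max(key, value):
    """FuzzFactory-style `max` reducer: keep the largest value seen for key."""
    if value > DSF.get(key, -1):
        DSF[key] = value


def instrumented_memcmp(a, b):
    """Compare like memcmp, but report how many leading bytes matched (CMP waypoint)."""
    matched = 0
    for x, y in zip(a, b):
        if x != y:
            break
        matched += 1
    dsf_max("cmp:magic", matched)
    return matched == len(a) == len(b)


def instrumented_alloc(n):
    """Allocate n bytes and report the requested size (MEM waypoint)."""
    dsf_max("mem:alloc", n)
    return bytearray(n)


def decode_image(data):
    """Constructed target: a 4-byte magic check, then a 16-bit pixel count that
    sizes an allocation before any sanity check, the shape of the image bombs."""
    if not instrumented_memcmp(data[:4], MAGIC) or len(data) < 6:
        return None
    count = int.from_bytes(data[4:6], "big")
    return len(instrumented_alloc(count))


def run(target, data):
    """Run one input and return the dsf map it produced."""
    DSF.clear()
    target(data)
    return dict(DSF)


def mutate(data, rng):
    """Overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz_waypoints(target, seed, iterations, rng, bomb_bytes):
    """Interesting = some dsf key improved on the best value any input reached.
    Returns (corpus, best value per key, set of inputs allocating >= bomb_bytes)."""
    best = run(target, seed)
    corpus, bombs = [seed], set()
    for _ in range(iterations):
        # favour the newest waypoint so progress compounds, but keep exploring
        parent = corpus[-1] if rng.random() < 0.8 else rng.choice(corpus)
        child = mutate(parent, rng)
        feedback = run(target, child)
        if any(v > best.get(k, -1) for k, v in feedback.items()):
            for k, v in feedback.items():
                best[k] = max(best.get(k, -1), v)
            corpus.append(child)
        if feedback.get("mem:alloc", 0) >= bomb_bytes:
            bombs.add(child)
    return corpus, best, bombs


def demo(seed=42, iterations=200_000, bomb_bytes=60_000):
    return fuzz_waypoints(decode_image, b"\x00" * 8, iterations,
                          random.Random(seed), bomb_bytes)


if __name__ == "__main__":
    corpus, best, bombs = demo()
    print("best waypoints:", best, "corpus size:", len(corpus))
    for bomb in sorted(bombs)[:1]:
        print("bomb:", bomb.hex(), "allocates", int.from_bytes(bomb[4:6], "big"), "bytes")
```

The corpus ends up holding one input per matched magic byte followed by a chain of inputs with ever larger size fields; nothing about the search algorithm changed between the CMP and MEM objectives, only the keys the instrumentation writes, which is the point of slide 72.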
77 Coverage is Still Low
78 Why Coverage is Still Low?
✗ Cannot explore “deep states”
✗ Cannot find complex logical bugs
✗ Gets stuck in input parsing stage
✗ Hardly gets 20%-30% code coverage on real-world software
But cheap and simple
79 Time to Bring Human in the Loop
Approach: Human restricts the set of inputs to be explored by providing
• A randomized generator, or
• A precondition on inputs, or
• ...
Algorithms then search the restricted input space
80 Semantic Fuzzing with Zest
Rohan Padhye (UC Berkeley), Caroline Lemieux (UC Berkeley), Koushik Sen (UC Berkeley), Mike Papadakis (U. Luxembourg), Yves Le Traon (U. Luxembourg)
source: https://github.com/rohanpadhye/jqf
81 ? How do I test ...
• a program taking an XML file as input (e.g. Maven, Ant)
• a compiler (e.g. the Closure or Rhino compilers for JavaScript)
• In general, a program taking structurally complex inputs
82 Human Writes a Simple Input Generator

    public XMLElement genXML(Random random) {
      // Generate a random tag name
      // (nextString, like nextInt/nextBoolean here, is supplied by the fuzzer's
      // random source; java.util.Random has no nextString)
      String name = random.nextString(MAX_TAG_LENGTH);
      XMLElement node = new XMLElement(name);
      // Generate a random number of children
      int n = random.nextInt(MAX_CHILDREN);
      for (int i = 0; i < n; i++) {
        // Generate child nodes recursively
        node.addChild(genXML(random));
      }
      // Maybe insert text inside element
      if (random.nextBoolean()) {
        node.addText(random.nextString(MAX_TEXT_LENGTH));
      }
      return node;
    }

Generates random syntactically valid XML documents
✗ May not conform to a given schema
Example generated: an XML document whose markup was lost in extraction; only the names/text foo and xyz survive
83 Zest: Mutate Params to Generator
The loop now works on the parameters (the sequence of random choices) consumed by the generator rather than on input bytes: pick a set of params from the interesting params → mutate the params → feed them to the Generator, which produces an Input for the (augmented) Program.
Feedback • Coverage • Input validity
Interesting? • New coverage? • Valid input?
Yes: add the params. No: discard them.
84 Zest: New bugs discovered
Google Closure Compiler: #2842, #2843, #3220, #3173
OpenJDK: JDK-8190332, JDK-8190511, JDK-8190512, JDK-8190997, JDK-8191023, JDK-8191076, JDK-8191109, JDK-8191174, JDK-8191073, JDK-8193444, JDK-8193877, CVE-2018-3214
Apache Commons: LANG-1385, COMPRESS-424, COLLECTIONS-714, CVE-2018-11771
Apache Ant: #62655
Apache Maven: #34, #57
Apache PDFBox: PDFBOX-4333, PDFBOX-4338, PDFBOX-4339, CVE-2018-8036
Apache TIKA: CVE-2018-8017, CVE-2018-12418
Apache BCEL: BCEL-303, BCEL-307, BCEL-308, BCEL-309, BCEL-310, BCEL-311, BCEL-312, BCEL-313
Mozilla Rhino: #405, #406, #407, #409, #410
85 Zest finds complex semantic bugs
On the JavaScript input shown on the slide, Google’s Closure compiler throws an “IllegalStateException: Unexpected variable” during optimization passes
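The parametric-generator idea of slides 82 and 83, as an added example (not JQF's or the deck's code, and in Python rather than Java): the generator mirrors the slide's `genXML` but draws every choice from a byte string of parameters, so the fuzzer can mutate the parameter bytes and every mutant is still well-formed XML. The comparison function then measures how often byte-level mutation of the serialized document stays well-formed versus parameter mutation. Zest's coverage and validity feedback is left out here; the `Params` class, the size limits and the `demo` seed are this example's assumptions.

```python
"""Zest-style parametric generation and parameter mutation (added illustration)."""
import random
import xml.etree.ElementTree as ET

MAX_TAG_LENGTH, MAX_CHILDREN, MAX_TEXT_LENGTH, MAX_DEPTH = 6, 3, 8, 4


class Params:
    """Byte string consumed as the generator's source of randomness. Reading past
    the end yields 0, so every parameter string maps to a finite document."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def next_int(self, bound):
        b = self.data[self.pos] if self.pos < len(self.data) else 0
        self.pos += 1
        return b % bound

    def next_bool(self):
        return self.next_int(2) == 1

    def next_name(self, max_len):
        length = 1 + self.next_int(max_len)          # at least one letter a-z
        return "".join(chr(ord("a") + self.next_int(26)) for _ in range(length))


def gen_xml(p, depth=0):
    """Random tag name, random number of children (recursively), optional text."""
    name = p.next_name(MAX_TAG_LENGTH)
    n_children = p.next_int(MAX_CHILDREN + 1) if depth < MAX_DEPTH else 0
    children = "".join(gen_xml(p, depth + 1) for _ in range(n_children))
    text = p.next_name(MAX_TEXT_LENGTH) if p.next_bool() else ""
    return f"<{name}>{text}{children}</{name}>"


def is_well_formed(doc):
    try:
        ET.fromstring(doc)
        return True
    except Exception:                                # ParseError, or expat rejecting odd bytes
        return False


def mutate_bytes(data, rng):
    """Structure-unaware mutation: overwrite, insert or delete one byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def compare_strategies(params, rng, trials):
    """Count well-formed mutants when mutating the parameters (Zest) versus
    mutating the serialized XML bytes (a plain byte-level fuzzer)."""
    doc = gen_xml(Params(params)).encode()
    valid_params = sum(is_well_formed(gen_xml(Params(mutate_bytes(params, rng))))
                       for _ in range(trials))
    valid_bytes = sum(is_well_formed(mutate_bytes(doc, rng).decode("latin-1"))
                      for _ in range(trials))
    return valid_params, valid_bytes


def demo(seed=7, trials=100):
    rng = random.Random(seed)
    params = bytes(rng.randrange(256) for _ in range(64))   # constructed parameter string
    valid_params, valid_bytes = compare_strategies(params, rng, trials)
    return {"doc": gen_xml(Params(params)), "valid_params": valid_params,
            "valid_bytes": valid_bytes, "trials": trials}


if __name__ == "__main__":
    result = demo()
    print(result["doc"])
    print(f"parameter mutation: {result['valid_params']}/{result['trials']} well-formed; "
          f"byte mutation: {result['valid_bytes']}/{result['trials']} well-formed")
```

Every parameter mutant parses because validity is a property of the generator, not of the bytes; the byte mutants mostly fail the parser and would never get past the input-parsing stage that slide 78 identifies as where plain fuzzing gets stuck.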
86 Time to Bring Human in the Loop
Approach: Human restricts the set of inputs to be explored by providing
• A randomized generator, or
• A precondition on inputs, or
• ...
Algorithms then search the restricted input space
87 Efficient Sampling of SAT and SMT Constraints
Rafael Dutra, Kevin Laeufer, Jonathan Bachrach, and Koushik Sen EECS Department UC Berkeley
source: https://github.com/RafaelTupynamba/quicksampler
88 Human Writes a Pre-condition on Inputs
In SMT (Satisfiability Modulo Theories), for example:

    (x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
    where x = mem[0], y = mem[1],
          mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
          mem ∈ Array(BV[4], BV[4])

• An over-approximation of valid inputs
• Restricts the set of inputs to be generated
• Goal: sample inputs from the restricted input space
89 Sampling SAT and SMT Constraints
Input: Logical constraint (SAT formula)
Goal: Quickly generate lots of solutions that satisfy the constraint

    (x1 ∨ x4) ∧ (x1 ∨ ¬x3 ∨ ¬x8) ∧ (x1 ∨ x8 ∨ x6) ∧ (x2 ∨ x5) ∧ (¬x7 ∨ ¬x3 ∨ x9) ∧ (¬x7 ∨ x8 ∨ ¬x9) ∧ (x7 ∨ x8 ∨ ¬x10) ∧ (x7 ∨ x10 ∨ ¬x6)

  Solution   x1 x2 x3 x4 x5 x6 x7 x8 x9 x10
  σ0          1  0  0  0  1  0  0  0  1  0
  σ1          0  0  0  1  1  0  0  1  1  0
  σ2          1  1  0  0  1  0  0  0  1  0
  σ3          0  1  0  1  1  0  0  1  1  0
  σ4          1  0  1  0  1  0  0  0  1  0
  σ5          1  1  1  0  1  0  0  0  1  0

QuickSampler
Our goals:
• Generate samples >100x faster than other techniques
• Sampling should be close to uniform
Our approach:
• Compute patterns of bit flips which preserve satisfiability
• Combine those bit flip patterns to generate lots of samples
91–117 QuickSampler: worked example on a formula φ(x0,x1,x2,x3,y0,y1,y2,y3) (the clauses of φ are not shown on the slides)

  Assignment                              x0 x1 x2 x3 y0 y1 y2 y3
  Random assignment σ’                     0  0  1  0  1  1  0  0
  MAX-SAT solution σ (nearest to σ’)       0  0  1  0  1  1  1  0

For each bit of σ, flip it (as a hard constraint) and ask MAX-SAT for the satisfying assignment that agrees with σ on as many other bits as possible:

  σ0 (x0 flipped)                          1  0  1  0  0  1  1  0
  σ1 (x1 flipped)                          0  1  1  1  1  0  1  0
  x2 flipped                               UNSAT
  σ3 (x3 flipped)                          0  0  1  1  1  1  1  0
  ...

Atomic mutations are the bit-flip patterns δi = σ ⊕ σi:

  δ0 = σ ⊕ σ0                              1  0  0  0  1  0  0  0
  δ1 = σ ⊕ σ1                              0  1  0  1  0  1  0  0
  δ3 = σ ⊕ σ3                              0  0  0  1  0  0  0  0

Combining atomic mutations (bitwise OR) and applying the result to σ gives new candidate solutions without any further MAX-SAT calls:

  δ01 = δ0 ∨ δ1                            1  1  0  1  1  1  0  0
  σ01 = σ ⊕ δ01                            1  1  1  1  0  0  1  0
  δ03 = δ0 ∨ δ3                            1  0  0  1  1  0  0  0
  σ03 = σ ⊕ δ03                            1  0  1  1  0  1  1  0
  δ13 = δ1 ∨ δ3                            0  1  0  1  0  1  0  0
  δ013 = δ0 ∨ δ1 ∨ δ3                      1  1  0  1  1  1  0  0

Cost: at most n MAX-SAT calls to generate the atomic mutations (n = number of variables), then up to (n choose 6) = O(n^6) samples by combining up to 6 mutations at a time, with NO MAX-SAT calls. For example, with at most 50 MAX-SAT calls: (50 choose 6) = 15 890 700 samples by combining mutations.
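The algorithm of slides 91 to 117, as an added example (not the QuickSampler implementation, which is C++ on Z3): one MAX-SAT call per variable produces the atomic bit-flip mutations δi, and OR-ing them in groups yields candidate solutions that are checked by plain clause evaluation, never by the solver. Because the slides do not give φ's clauses, the CNF below is constructed, and an exhaustive search over the 2^8 assignments stands in for the MAX-SAT solver (hard constraints: φ and the flipped bit; soft constraints: agreement with σ on every other bit).

```python
"""QuickSampler's atomic-mutation idea on a small CNF (added illustration)."""
from itertools import combinations, product

N = 8   # variables x0..x3, y0..y3 as on the slides
# Literal = (variable index, wanted value); clause = list of literals; formula = list of clauses.
PHI = [[(0, 1), (1, 1)], [(0, 0), (2, 1)], [(3, 1), (2, 0), (4, 1)],
       [(5, 1), (6, 1)], [(5, 0), (7, 0)], [(1, 1), (7, 1)]]


def satisfies(phi, a):
    """Does assignment a (tuple of 0/1) satisfy the CNF phi?"""
    return all(any(a[v] == want for v, want in clause) for clause in phi)


def max_sat(phi, soft, hard):
    """Stand-in for the MAX-SAT solver: phi and the `hard` bit assignments must
    hold; every other bit should agree with `soft`. Returns the satisfying
    assignment closest to `soft` in Hamming distance, or None if UNSAT."""
    best, best_dist = None, None
    for a in product((0, 1), repeat=len(soft)):
        if any(a[i] != v for i, v in hard.items()) or not satisfies(phi, a):
            continue
        dist = sum(x != y for x, y in zip(a, soft))
        if best is None or dist < best_dist:
            best, best_dist = a, dist
    return best


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def union(patterns):
    """Bitwise OR of several flip patterns (delta_i OR delta_j ...)."""
    return tuple(max(bits) for bits in zip(*patterns))


def quick_sample(phi, n, sigma_prime, max_combine=6):
    """Return (sigma, atomic deltas, samples, candidates tried, MAX-SAT calls)."""
    sigma = max_sat(phi, sigma_prime, {})            # nearest solution to the random start
    calls, deltas = 1, []
    for i in range(n):                               # one MAX-SAT call per variable
        neighbour = max_sat(phi, sigma, {i: 1 - sigma[i]})
        calls += 1
        if neighbour is None:                        # flipping bit i is UNSAT
            continue
        deltas.append(xor(sigma, neighbour))         # delta_i = sigma XOR sigma_i
    samples, candidates = {sigma}, 0
    for k in range(1, min(max_combine, len(deltas)) + 1):
        for combo in combinations(deltas, k):
            candidate = xor(sigma, union(combo))     # sigma XOR (delta_i OR delta_j ...)
            candidates += 1
            if satisfies(phi, candidate):            # clause evaluation, not a solver call
                samples.add(candidate)
    return sigma, deltas, samples, candidates, calls


if __name__ == "__main__":
    sigma, deltas, samples, candidates, calls = quick_sample(PHI, N, (0,) * N)
    print("sigma:", sigma)
    print(f"{calls} MAX-SAT calls, {len(deltas)} atomic mutations, "
          f"{len(samples)} distinct solutions out of {candidates} candidates")
```

With all eight single-bit flips satisfiable, nine solver calls produce 8 atomic mutations and 246 combined candidates (8 + 28 + 56 + 70 + 56 + 28), each checked at the cost of one clause evaluation; the fraction of candidates that are genuine solutions is what the "Experiments: Uniformity" slides measure for real benchmarks.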
118 SMTSampler: Sampling Solutions of SMT Formulas
SMT (Satisfiability Modulo Theories) formulas such as the precondition on slide 88:

    (x + y = 4 ∧ x ≥ 0 ∧ x < 4) ∧ (mem’[1] < 0 ∨ mem’[1] ≥ 4),
    where x = mem[0], y = mem[1],
          mem’ = store(mem, mem[0], -1 * mem[mem[0]]),
          mem ∈ Array(BV[4], BV[4])

• Extend the mutations to work over bit-vectors, arrays and uninterpreted functions
• Adaptive generation of solutions based on accuracy
• Improved scalability for more complex formulas
• Dutra et al. [ICCAD 2018]
120 Implementation
• Implemented in C++ using Z3 as the constraint solver
• https://github.com/RafaelTupynamba/quicksampler
• https://github.com/RafaelTupynamba/SMTsampler
Optimizations:
• Eager generation of samples
• Independent support
• Unsatisfiable variables
121 Experiments
We compared QuickSampler against two state-of-the-art samplers:
• UniGen2 [1] – Uses universal hashing to partition the solution space and produce provably uniform samples
• SearchTreeSampler [2] – Generates pseudo-solutions: partial assignments that can be completed to full solutions
[1] Supratik Chakraborty, Daniel J Fremont, Kuldeep S Meel, Sanjit A Seshia, and Moshe Y Vardi. 2015. On Parallel Scalable Uniform SAT Witness Generation. In TACAS 2015.
[2] Stefano Ermon, Carla P Gomes, and Bart Selman. 2012. Uniform solution sampling using a constraint solver as an oracle. In UAI 2012.
122 Results (speedups are geometric means, reported as powers of ten)
● QuickSampler generates valid solutions
  ○ 10^(2.5±0.8) times faster than SearchTreeSampler
  ○ 10^(4.7±1.0) times faster than UniGen2
● QuickSampler generates unique valid solutions
  ○ 10^(2.3±0.7) times faster than SearchTreeSampler
  ○ 10^(4.4±1.1) times faster than UniGen2
124 Experiments: Unique Solutions (figure; higher is better)
125 Experiments: Uniformity (figure)
126 QuickSampler and SMTSampler: Limitations
• Lacks diversity of samples (figure: solutions of φ(x, y, z) relative to the predicate x ≥ 4)
• Need to solve the following problem:
  ● Sample solutions from φ given the coverage predicates ψ1, ψ2, …, ψn
  ● Uniformly sample solutions from the coverage classes
127 Solution: GuidedSampler
Our approach extends SMTSampler by:
• Picking a random coverage class for the initial solution
• Flipping coverage predicates to compute neighboring solutions
• Discarding new solutions that repeat a previously seen coverage class
https://github.com/RafaelTupynamba/GuidedSampler
128–130 Experiments: Uniformity over Coverage Classes (figures)
131–134 Automated Test Generation: Past, Present, and Future
Symbolic Execution → Smart Fuzzing → Hybrid
Human Guidance: Generators, Preconditions, Path Annotations, ...
AI Guidance: Generators, Preconditions, Path Annotations, ...
135 Our team
Abdus Salam Azad, Rohan Bavishi, Rafael Dutra, Kevin Laeufer, Caroline Lemieux, Rohan Padhye, Koushik Sen, Ed Younis
136 Thank you!