DOCSLIB.ORG

Concolic Testing

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Concolic Testing DART and CUTE: Concolic Testing Koushik Sen University of California, Berkeley Joint work with Gul Agha, Patrice Godefroid, Nils Klarlund, Rupak Majumdar, Darko Marinov Used and adapted by Jonathan Aldrich, with permission, for 17-355/17-655 Program Analysis 3/28/2017 1 Today, QA is mostly testing “50% of my company employees are testers, and the rest spends 50% of their time testing!” Bill Gates 1995 2 Software Reliability Importance Software is pervading every aspects of life Software everywhere Software failures were estimated to cost the US economy about $60 billion annually [NIST 2002] Improvements in software testing infrastructure may save one- third of this cost Testing accounts for an estimated 50%-80% of the cost of software development [Beizer 1990] 3 Big Picture Safe Programming Languages and Type systems Model Testing Checking Runtime Static Program and Monitoring Analysis Theorem Proving Dynamic Program Analysis Model Based Software Development and Analysis 4 Big Picture Safe Programming Languages and Type systems Model Testing Checking Runtime Static Program and Monitoring Analysis Theorem Proving Dynamic Program Analysis Model Based Software Development and Analysis 5 A Familiar Program: QuickSort void quicksort (int[] a, int lo, int hi) { int i=lo, j=hi, h; int x=a[(lo+hi)/2]; // partition do { while (a[i]<x) i++; while (a[j]>x) j--; if (i<=j) { h=a[i]; a[i]=a[j]; a[j]=h; i++; j--; } } while (i<=j); // recursion if (lo<j) quicksort(a, lo, j); if (i<hi) quicksort(a, i, hi); } 6 A Familiar Program: QuickSort void quicksort (int[] a, int lo, int hi) { Test QuickSort int i=lo, j=hi, h; int x=a[(lo+hi)/2]; Create an array Initialize the elements of // partition the array do { Execute the program on while (a[i]<x) i++; this array while (a[j]>x) j--; if (i<=j) { How much confidence h=a[i]; a[i]=a[j]; do I have in this testing a[j]=h; method? i++; Is my test suite j--; *Complete*? } } while (i<=j); Can someone generate a small and *Complete* // recursion test suite for me? if (lo<j) quicksort(a, lo, j); if (i<hi) quicksort(a, i, hi); } 7 Automated Test Generation Studied since 70’s King 76, Myers 79 30 years have passed, and yet no effective solution What Happened??? 8 Automated Test Generation Studied since 70’s King 76, Myers 79 30 years have passed, and yet no effective solution What Happened??? Program-analysis techniques were expensive Automated theorem proving and constraint solving techniques were not efficient 9 Automated Test Generation Studied since 70’s King 76, Myers 79 30 years have passed, and yet no effective solution What Happened??? Program-analysis techniques were expensive Automated theorem proving and constraint solving techniques were not efficient In the recent years we have seen remarkable progress in static program-analysis and constraint solving SLAM, BLAST, ESP, Bandera, Saturn, MAGIC 10 Automated Test Generation Studied since 70’s King 76, Myers 79 Question: Can we use similar 30 years have passed, and yet no effective solutiontechniques in Automated Testing? What Happened??? Program-analysis techniques were expensive Automated theorem proving and constraint solving techniques were not efficient In the recent years we have seen remarkable progress in static program-analysis and constraint solving SLAM, BLAST, ESP, Bandera, Saturn, MAGIC 11 Systematic Automated Testing Model-Checking Static Analysis and Formal Methods Testing Automated Constraint Theorem Proving Solving 12 CUTE and DART Combine random testing (concrete execution) and symbolic testing (symbolic execution) [PLDI’05, FSE’05, FASE’06, CAV’06,ISSTA’07, ICSE’07] Concrete + Symbolic = Concolic 13 Goal Automated Unit Testing of real-world C and Java Programs Generate test inputs Execute unit under test on generated test inputs so that all reachable statements are executed Any assertion violation gets caught Sub-problem: Input Generation Given a statement s in program P, compute input i, such that P(i) executes s This formulation is due to Wolfram Schulte 14 Execution Paths of a Program Can be seen as a binary tree with possibly infinite depth 0 1 Computation tree Each node represents the 1 execution of a “if then else” 001 statement Each edge represents the 0 1 execution of a sequence of 1 non-conditional statements Each path in the tree 1 represents an equivalence class of inputs 0 1 15 Example of Computation Tree void test_me(int x, int y) { if(2*x==y){ if(x != y+10){ printf(“I am fine here”); } else { NY2*x==y printf(“I should not reach here”); ERROR; } } NYx!=y+10 } ERROR 16 Concolic Testing: Finding Security and Safety Bugs Divide by 0 Error Buffer Overflow x = 3 / i; a[i] = 4; 17 Concolic Testing: Finding Security and Safety Bugs Key: Add Checks Automatically and Perform Concolic Testing Divide by 0 Error Buffer Overflow if (i !=0) if (0<=i && i < a.length) x = 3 / i; a[i] = 4; else else ERROR; ERROR; 18 Existing Approach I Random testing test_me(int x){ generate random inputs if(x==94389){ execute the program on ERROR; generated inputs } Probability of reaching an error can be } astronomically less Probability of hitting ERROR = 1/232 19 Existing Approach II Symbolic Execution test_me(int x, int y){ use symbolic values for if((x%10)*4==y){ input variables ERROR; execute the program symbolically on symbolic } else { input values // OK collect symbolic path constraints } use theorem prover to } check if a branch can be taken Symbolic execution Does not scale for large cannot solve for x, y programs Missed error Cannot solve all constraints (or false positive) 20 Existing Approach II Symbolic Execution test_me(int x, int y){ use symbolic values for if(bbox(x)==y){ input variables ERROR; execute the program symbolically on symbolic } else { input values // OK collect symbolic path constraints } use theorem prover to } check if a branch can be taken Symbolic execution Does not scale for large cannot look inside the programs bbox function Cannot solve all Missed error constraints (or false positive) 21 Concolic Execution Concolic Execution test_me(int x, int y){ Randomly choose x and if(bbox(x)==y){ y the first time ERROR; Use concrete value of x and result of running } else { bbox(x) to solve for y // OK Finds the error! } } 22 Concolic Testing Approach int double (int v) { return 2*v; } Random Test Driver: random value for x void testme (int x, int y) { and y z = double (y); Probability of reaching if (z == x) { ERROR is extremely low if (x > y+10) { ERROR; } } } 23 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { x = 22, y = 7 x = x0, y = y0 z = double (y); if (z == x) { if (x > y+10) { ERROR; } } } 24 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { z = double (y); x = 22, y = 7, x = x0, y = y0, if (z == x) { z = 14 z = 2*y0 if (x > y+10) { ERROR; } } } 25 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { z = double (y); if (z == x) { 2*y0 != x0 if (x > y+10) { ERROR; } } x = 22, y = 7, x = x0, y = y0, } z = 14 z = 2*y0 26 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { Solve: 2*y0 == x0 z = double (y); Solution: x0 = 2, y0 = 1 if (z == x) { 2*y0 != x0 if (x > y+10) { ERROR; } } x = 22, y = 7, x = x0, y = y0, } z = 14 z = 2*y0 27 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { x = 2, y = 1 x = x0, y = y0 z = double (y); if (z == x) { if (x > y+10) { ERROR; } } } 28 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { z = double (y); x = 2, y = 1, x = x0, y = y0, if (z == x) { z = 2 z = 2*y0 if (x > y+10) { ERROR; } } } 29 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { z = double (y); if (z == x) { 2*y0 == x0 x = 2, y = 1, x = x0, y = y0, if (x > y+10) { z = 2 z = 2*y0 ERROR; } } } 30 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { z = double (y); if (z == x) { 2*y0 == x0 if (x > y+10) { x0 y0+10 ERROR; } } x = 2, y = 1, x = x0, y = y0, } z = 2 z = 2*y0 31 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { Solve: (2*y0 == x0) $ (x0 > y0 + 10) z = double (y); Solution: x0 = 30, y0 = 15 if (z == x) { 2*y0 == x0 if (x > y+10) { x0 y0+10 ERROR; } } x = 2, y = 1, x = x0, y = y0, } z = 2 z = 2*y0 32 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete symbolic path } state state condition void testme (int x, int y) { x = 30, y = 15 x = x0, y = y0 z = double (y); if (z == x) { if (x > y+10) { ERROR; } } } 33 Concolic Testing Approach Concrete Symbolic int double (int v) { Execution Execution return 2*v; concrete
Load more

Recommended publications
  • A Scalable Concolic Testing Tool for Reliable Embedded Software
    SCORE: a Scalable Concolic Testing Tool for Reliable Embedded Software Yunho Kim and Moonzoo Kim Computer Science Department Korea Advanced Institute of Science and Technology Daejeon, South Korea [email protected], [email protected] ABSTRACT cases to explore execution paths of a program, to achieve full path Current industrial testing practices often generate test cases in a coverage (or at least, coverage of paths up to some bound). manual manner, which degrades both the effectiveness and effi- A concolic testing tool extracts symbolic information from a ciency of testing. To alleviate this problem, concolic testing gen- concrete execution of a target program at runtime. In other words, erates test cases that can achieve high coverage in an automated to build a corresponding symbolic path formula, a concolic testing fashion. One main task of concolic testing is to extract symbolic in- tool monitors every update of symbolic variables and branching de- formation from a concrete execution of a target program at runtime. cisions in an execution of a target program. Thus, a design decision Thus, a design decision on how to extract symbolic information af- on how to extract symbolic information affects efficiency, effective- fects efficiency, effectiveness, and applicability of concolic testing. ness, and applicability of concolic testing. We have developed a Scalable COncolic testing tool for REliable We have developed a Scalable COncolic testing tool for REli- embedded software (SCORE) that targets embedded C programs. abile embedded software (SCORE) that targets sequential embed- SCORE instruments a target C program to extract symbolic infor- ded C programs. SCORE instruments a target C source code by mation and applies concolic testing to a target program in a scal- inserting probes to extract symbolic information at runtime.
    [Show full text]
  • Automated Concolic Testing of Smartphone Apps
    Automated Concolic Testing of Smartphone Apps Saswat Anand Mayur Naik Hongseok Yang Georgia Tech Georgia Tech University of Oxford [email protected] [email protected] [email protected] Mary Jean Harrold Georgia Tech [email protected] ABSTRACT tap on the device’s touch screen, a key press on the device’s We present an algorithm and a system for generating in- keyboard, and an 0,0 message are all instances of events. put events to exercise smartphone apps. Our approach is This paper presents an algorithm and a system for gener- based on concolic testing and generates sequences of events ating input events to exercise apps. pps can have inputs automatically and systematically. It alleviates the path- besides events! such as files on disk and secure web content. explosion problem by checking a condition on program exe- Our work is orthogonal and complementary to approaches cutions that identifies subsumption between different event that provide such inputs. sequences. We also describe our implementation of the ap- Apps are instances of a class of programs we call event- proach for Android, the most popular smartphone app plat- driven programs' programs embodying computation that form! and the results of an evaluation that demonstrates its is architected to react to a possibly unbounded sequence effectiveness on five ndroid apps. of events. 7vent-driven programs are ubiquitous and, be- sides apps! include stream-processing programs, web servers! GUIs, and embedded systems. 8ormally! we address the fol- Categories and Subject Descriptors lowing problem in the setting of event-driven programs in D.2.$ %Software Engineering&' (esting and Debugging) general, and apps in particular.
    [Show full text]
  • Advanced Software Testing and Debugging (CS598) Symbolic Execution
    Advanced Software Testing and Debugging (CS598) Symbolic Execution Fall 2020 Lingming Zhang Brief history • 1976: A system to generate test data and symbolically execute programs (Lori Clarke) • 1976: Symbolic execution and program testing (James King) • 2005-present: practical symbolic execution • Using SMT solvers • Heuristics to control exponential explosion • Heap modeling and reasoning about pointers • Environment modeling • Dealing with solver limitations 2 Program execution paths if (a) • Program can be viewed as binary … tree with possibly infinite depth if (b) … • Each node represents the execution of a conditional statement if(a) • Each edge represents the F T execution of a sequence of non- if(b) if(b) conditional statements F T F T • Each path in the tree represents an equivalence class of inputs 3 Example a==null F T Code under test a.Length>0 void CoverMe(int[] a) { T a==null if (a == null) F return; a[0]==123… if (a.Length > 0) a!=null && F T if (a[0] == 1234567890) a.Length<=0 throw new Exception("bug"); } a!=null && a!=null && a.Length>0 && a.Length>0 && a[0]!=1234567890 a[0]==1234567890 4 Random testing? • Random Testing Code under test • Generate random inputs void CoverMe(int[] a) { if (a == null) • Execute the program on return; those (concrete) inputs if (a.Length > 0) if (a[0] == 1234567890) • Problem: throw new Exception("bug"); • Probability of reaching error could } be astronomically small Probability of ERROR for the gray branch: 1/232 ≈ 0.000000023% 5 The spectrum of program testing/verification Verification
    [Show full text]
  • Symbolic Execution for Software Testing: Three Decades Later
    Symbolic Execution for Software Testing: Three Decades Later Cristian Cadar Koushik Sen Imperial College London University of California, Berkeley [email protected] [email protected] Abstract A key goal of symbolic execution in the context of soft- Recent years have witnessed a surge of interest in symbolic ware testing is to explore as many different program paths execution for software testing, due to its ability to generate as possible in a given amount of time, and for each path to high-coverage test suites and find deep errors in complex (1) generate a set of concrete input values exercising that software applications. In this article, we give an overview path, and (2) check for the presence of various kinds of errors of modern symbolic execution techniques, discuss their key including assertion violations, uncaught exceptions, security challenges in terms of path exploration, constraint solving, vulnerabilities, and memory corruption. The ability to gener- and memory modeling, and discuss several solutions drawn ate concrete test inputs is one of the major strengths of sym- primarily from the authors’ own work. bolic execution: from a test generation perspective, it allows the creation of high-coverage test suites, while from a bug- Categories and Subject Descriptors D.2.5 [Testing and finding perspective, it provides developers with a concrete Debugging]: Symbolic execution input that triggers the bug, which can be used to confirm and debug the error independently of the symbolic execution tool General Terms Reliability that generated it. Furthermore, note that in terms of finding errors on a 1. Introduction given program path, symbolic execution is more powerful Symbolic execution has gathered a lot of attention in re- than traditional dynamic execution techniques such as those cent years as an effective technique for generating high- implemented by popular tools like Valgrind or Purify, which coverage test suites and for finding deep errors in com- depend on the availability of concrete inputs triggering the plex software applications.
    [Show full text]
  • Security Testing Vs “Regular” Testing
    Security testing vs “regular” testing ▪ “Regular” testing aims to ensure that the program meets customer requirements in terms of features and functionality. ▪ Tests “normal” use cases Test with regards to common expected usage patterns. ▪ Security testing aims to ensure that program fulfills security requirements. ▪ Often non-functional. ▪ More interested in misuse cases Attackers taking advantage of “weird” corner cases. 2 Functional vs non-functional security requirements ▪ Functional requirements – What shall the software do? ▪ Non-functional requirements – How should it be done? ▪ Regular functional requirement example (Webmail system): It should be possible to use HTML formatting in e-mails ▪ Functional security requirement example: The system should check upon user registration that passwords are at least 8 characters long ▪ Non-functional security requirement example: All user input must be sanitized before being used in database queries How would you write a unit test for this? 3 Software Vulnerabilities Common software vulnerabilties include ● Memory safety violations ● Buffer overflows ● Dangling pointers ● Privilege confusion ● Input Validation errors ● Clickjacking ● Code injection ● Cross-site request ● Cross site scripting in forgery web applications ● FTP bounce attack ● Email injection ● Format string attacks ● Side-channel attack ● HTTP header injection ● Timing attack ● Race conditions ● Symlink races ● Time of check to time of use bugs ● SQL injection Common security testing approaches Often difficult to craft e.g. unit tests from non-functional requirements Two common approaches: ▪ Test for known vulnerability types ▪ Attempt directed or random search of program state space to uncover the “weird corner cases” In today’s lecture: ▪ Penetration testing (briefly) ▪ Fuzz testing or “fuzzing” ▪ Concolic testing 4 Penetration testing ▪ Manually try to “break” software ▪ Relies on human intuition and experience.
    [Show full text]
  • Efficient Concolic Execution Via Branch Condition Synthesis
    SYNFUZZ: Efficient Concolic Execution via Branch Condition Synthesis Wookhyun Han∗, Md Lutfor Rahmany, Yuxuan Chenz, Chengyu Songy, Byoungyoung Leex, Insik Shin∗ ∗KAIST, yUC Riverside, zPurdue, xSeoul National University Abstract—Concolic execution is a powerful program analysis the path exploration as if the target branch has been taken. To technique for exploring execution paths in a systematic manner. generate a concrete input that can follow the same path, the Compare to random-mutation-based fuzzing, concolic execution engine can ask the SMT solver to provide a feasible assignment is especially good at exploring paths that are guarded by complex and tight branch predicates (e.g., (a*b) == 0xdeadbeef). The to all the symbolic input bytes that satisfy the collected path drawback, however, is that concolic execution engines are much constraints. Thanks to the recent advances in SMT solvers, slower than native execution. One major source of the slowness is compare to random mutation based fuzzing, concolic execution that concolic execution engines have to the interpret instructions is known to be much more efficient at exploring paths that to maintain the symbolic expression of program variables. In this are guarded by complex and tight branch predicates (e.g., work, we propose SYNFUZZ, a novel approach to perform scal- (a*b) == 0xdeadbeef able concolic execution. SYNFUZZ achieves this goal by replacing ). interpretation with dynamic taint analysis and program synthesis. However, a critical limitation of concolic execution is its In particular, to flip a conditional branch, SYNFUZZ first uses scalability [6, 9, 61]. More specifically, a concolic execution operation-aware taint analysis to record a partial expression (i.e., engine usually takes a very long time to explore “deep” a sketch) of its branch predicate.
    [Show full text]
  • Multi-Platform Binary Program Testing Using Concolic Execution Master’S Thesis in Computer Systems and Networks
    Multi-Platform Binary Program Testing Using Concolic Execution Master's Thesis in Computer Systems and Networks EIKE SIEWERTSEN Chalmers University of Technology Department of Computer Science and Engineering Gothenburg, Sweden 2015 The Author grants to Chalmers University of Technology and University of Gothenburg the non-exclusive right to publish the Work electronically and in a non-commercial purpose make it accessible on the Internet. The Author warrants that he/she is the author to the Work, and warrants that the Work does not contain text, pictures or other material that violates copyright law. The Author shall, when transferring the rights of the Work to a third party (for example a publisher or a company), acknowledge the third party about this agreement. If the Author has signed a copyright agreement with a third party regarding the Work, the Author warrants hereby that he/she has obtained any necessary permission from this third party to let Chalmers University of Tech- nology and University of Gothenburg store the Work electronically and make it accessible on the Internet. Multi-Platform Binary Program Testing Using Concolic Execution c Eike Siewertsen, September 2015. Examiner: Magnus Almgren Supervisor: Vincenzo Massimiliano Gulisano Chalmers University of Technology University of Gothenburg Department of Computer Science and Engineering SE-412 96 G¨oteborg Sweden Telephone + 46 (0)31-772 1000 Department of Computer Science and Engineering G¨oteborg, Sweden September 2015 Abstract In today's world, computer systems have long since made the move from the desktop to numerous locations in the form of routers, intelligent light bulbs, elec- tricity meters and more.
    [Show full text]
  • Hyperfuzzing for Soc Security Validation
    HyperFuzzing for SoC Security Validation Sujit Kumar Muduli Gourav Takhar Pramod Subramanyan∗ IIT Kanpur IIT Kanpur IIT Kanpur [email protected] [email protected] [email protected] ABSTRACT pressing need for systematic and automated validation techniques Automated validation of security properties in modern systems- to ensure the security of systems-on-chip platforms. on-chip (SoC) designs is challenging due to three reasons: (i) spec- Unfortunately, automated security validation is a challenging ification of security in the presence of adversarial behavior, (ii) problem for three reasons. First, we have a specification problem. co-validation of hardware (HW) and firmware (FW) as security Existing property specification languages are often not sufficient bugs may span the HW/FW interface, and (iii) scaling verification to precisely specify the security properties of a design. This is espe- to the analysis of large systems-on-chip designs. cially true in attempting to capture end-to-end security of protocols In this paper, we address the above concerns via the development (aka “flows”), rather than piecemeal checking of necessary but in- of a unified co-validation framework for SoC security property sufficient conditions that detect known attacks. Second, system specification. On the specification side, we introduce a new logic, specification and modeling must incorporate an adversary model HyperPLTL (Hyper Past-time Linear Temporal Logic), that enables and reason about the state changes introduced by adversarial com- intuitive specification of SoC security concerns. On the validation ponents in the SoC. An important complication in SoCs is that side, we introduce a framework for mutational coverage-guided adversarial behavior appears not just at SoC inputs, but may in fact, fuzzing of hyperproperties.
    [Show full text]
  • UCLA Electronic Theses and Dissertations
    UCLA UCLA Electronic Theses and Dissertations Title Applications of Formal And Semi-formal Verification on Software Testing, High-level Synthesis And Energy Internet Permalink https://escholarship.org/uc/item/6jj2b6jn Author Gao, Min Publication Date 2018 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITY OF CALIFORNIA Los Angeles Applications of Formal And Semi-formal Verification on Software Testing, High-level Synthesis And Energy Internet A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Electrical And Computer Engineering by Min Gao 2018 © Copyright by Min Gao 2018 ABSTRACT OF THE DISSERTATION Applications of Formal And Semi-formal Verification on Software Testing, High-level Synthesis And Energy Internet by Min Gao Doctor of Philosophy in Electrical And Computer Engineering University of California, Los Angeles, 2018 Professor Lei He, Chair With the increasing power of computers and advances in constraint solving technologies, formal and semi-formal verification have received great attentions on many applications. Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property. These verification techniques have wide range of applications in real life. This dissertation describes the applications of formal and semi-formal verification in four parts. The first part of the dissertation focuses on software testing. For software testing, symbolic/concolic testing reasons about data symbolically but enumerates program paths. The existing concolic technique enumerates paths sequentially, leading to poor branch coverage in limited time. We improve concolic testing by bounded model checking.
    [Show full text]
  • Automatic Concolic Test Generation with Virtual Prototypes for Post-Silicon Validation
    Automatic Concolic Test Generation with Virtual Prototypes for Post-silicon Validation Kai Cong Fei Xie Li Lei Department of Computer Science Department of Computer Science Department of Computer Science Portland State University Portland State University Portland State University Portland, OR 97207, USA Portland, OR 97207, USA Portland, OR 97207, USA [email protected] [email protected] [email protected] Abstract—Post-silicon validation is a crucial stage in the specific, therefore often leading to insufficient coverage of system development cycle. To accelerate post-silicon validation, device functionalities. high-quality tests should be ready before the first silicon pro- totype becomes available. In this paper, we present a concolic Recently virtual prototypes are increasingly used in hard- testing approach to generation of post-silicon tests with virtual ware/software co-development to enable early driver develop- prototypes. We identify device states under test from concrete ment and validation before hardware devices become avail- executions of a virtual prototype based on the concept of device able [5], [6]. Virtual prototypes also have major potential to transaction, symbolically execute the virtual prototype from these play a crucial role in test generation for post-silicon validation. device states to generate tests, and issue the generated tests concretely to the silicon device. We have applied this approach This paper presents a concolic testing approach to auto- to virtual prototypes of three network adapters to generate their matic post-silicon test generation with virtual prototypes. This tests. The generated test cases have been issued to both virtual work is inspired by recent advances in concolic testing [7], [8].
    [Show full text]
  • Testing Database Applications Using Coverage Analysis and Mutation Analysis Tanmoy Sarkar Iowa State University
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2013 Testing database applications using coverage analysis and mutation analysis Tanmoy Sarkar Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Computer Sciences Commons Recommended Citation Sarkar, Tanmoy, "Testing database applications using coverage analysis and mutation analysis" (2013). Graduate Theses and Dissertations. 13308. https://lib.dr.iastate.edu/etd/13308 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Testing database applications using coverage analysis and mutation analysis by Tanmoy Sarkar A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Science Program of Study Committee: Samik Basu, Co-major Professor Johnny S. Wong, Co-major Professor Arka P. Ghosh Shashi K. Gadia Wensheng Zhang Iowa State University Ames, Iowa 2013 Copyright c Tanmoy Sarkar, 2013. All rights reserved. ii DEDICATION I would like to dedicate this thesis to my parents Tapas Sarkar, Sikha Sarkar and my girlfriend Beas Roy, who were always there to support me to move forward. I would also like to thank my friends and family in USA and in India for their loving guidance and all sorts of assistance during the writing of this work. iii TABLE OF CONTENTS LIST OF TABLES .
    [Show full text]
  • Concolic Testing on Embedded Software - Case Studies on Mobile Platform Programs
    Concolic Testing on Embedded Software - Case Studies on Mobile Platform Programs Yunho Kim†, Moonzoo Kim†, Yoonkyu Jang∗ † ∗ Computer Science Department Digital Media and Communication Department Korea Advanced Institute of Science and Technology Samsung Electronics [email protected], [email protected] [email protected] ABSTRACT ciency must be investigated further through case studies. Current industrial testing practices often build test cases in a man- This paper reports case studies on the application of CREST [2] ual manner, which degrades both the effectiveness and efficiency (an open-source concolic testing tool) to mobile platform C pro- of testing. To alleviate this problem, concolic testing generates test grams developed by Samsung Electronics. Through the project, we cases that can achieve high coverage in an automated fashion. This have detected new faults in the Samsung Linux Platform (SLP) file paper describes case studies of applying concolic testing to mobile manager and the security library: an infinite loop fault was detected platform C programs that have been developed by Samsung Elec- in the SLP file manager and an invalid memory access fault was de- tronics. Through this work, we have detected new faults in the tected in the security library functions that handle large integers. Samsung Linux Platform (SLP) file manager and security library. 2. PROJECT BACKGROUND 1. INTRODUCTION In this project, the Samsung Linux Platform (SLP) file manager and a security library were selected as target programs, because In industry, testing is a standard method to improve the quality they are important in the mobile phone products and proper targets of software.
    [Show full text]