Goal-oriented dynamic test generation

 http://repository.vnu.edu.vn/handle/VNU_123/27816
Context:
Memory safety errors such as buffer overflow vulnerabilities are one of the most serious classes of security threats.


Detecting and removing such security errors are important tasks of software testing for improving the quality and reliability of software in practice.
Objective:
This paper presents a goal-oriented testing approach for effectively and efficiently exploring security vulnerability errors.
 A goal is a potential safety violation and the testing approach is to automatically generate test inputs to uncover the violation.
Method: We use type inference analysis to diagnose potential safety violations and dynamic symbolic execution to perform test input generation.
 A major challenge facing dynamic symbolic execution in such application is the combinatorial explosion of the path space.
To address this fundamental scalability issue, we employ data dependence analysis to identify a root cause leading to the execution of the goal and propose a path exploration algorithm to guide dynamic symbolic execution for effectively discovering the goal.
Results: To evaluate the effectiveness of our proposed approach, we conducted experiments against 23 buffer overflow vulnerabilities.
We observed a significant improvement of our proposed algorithm over two widely adopted search algorithms.
Specifically, our algorithm discovered security vulnerability errors within a matter of a few seconds, whereas the two baseline algorithms failed even after 30 min of testing on a number of test subjects.
Conclusion: The experimental results highlight the potential of utilizing data dependence analysis to address the combinatorial path space explosion issue faced by dynamic symbolic execution for effective security testing.

Title: Goal-oriented dynamic test generation
Authors: Do, The Anh
Khoo, Siau-Cheng
Fong, Alvis Cheuk Ming
Keywords: Buffer overflow vulnerabilities
Dynamic symbolic execution
Data and control dependence analysis
Type inference analysis
Issue Date: 2015
Publisher: Đại học Quốc gia Hà Nội
Citation: ISIKNOWLEDGE
Abstract: Context: Memory safety errors such as buffer overflow vulnerabilities are one of the most serious classes of security threats. Detecting and removing such security errors are important tasks of software testing for improving the quality and reliability of software in practice. Objective: This paper presents a goal-oriented testing approach for effectively and efficiently exploring security vulnerability errors. A goal is a potential safety violation and the testing approach is to automatically generate test inputs to uncover the violation. Method: We use type inference analysis to diagnose potential safety violations and dynamic symbolic execution to perform test input generation. A major challenge facing dynamic symbolic execution in such application is the combinatorial explosion of the path space. To address this fundamental scalability issue, we employ data dependence analysis to identify a root cause leading to the execution of the goal and propose a path exploration algorithm to guide dynamic symbolic execution for effectively discovering the goal. Results: To evaluate the effectiveness of our proposed approach, we conducted experiments against 23 buffer overflow vulnerabilities. We observed a significant improvement of our proposed algorithm over two widely adopted search algorithms. Specifically, our algorithm discovered security vulnerability errors within a matter of a few seconds, whereas the two baseline algorithms failed even after 30 min of testing on a number of test subjects. Conclusion: The experimental results highlight the potential of utilizing data dependence analysis to address the combinatorial path space explosion issue faced by dynamic symbolic execution for effective security testing.
Description: INFORMATION AND SOFTWARE TECHNOLOGY Volume: 66 Pages: 40-57 Published: OCT 2015 ; TNS05592
URI: http://repository.vnu.edu.vn/handle/VNU_123/27816
Appears in Collections:Bài báo của ĐHQGHN trong Web of Science

Nhận xét

Bài đăng phổ biến