Symbolic Execution for Software Testing in Practice: Preliminary Assessment

Main contents of this article:

      1 Introduces the main content of symbolic execution (omitted)

      (1)Generalized Symbolic Execution

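        GSE can handle multithreading, multiple program segments, and recursive data. GSE handles recursive data by using lazy initialization: when the value of such a variable is first accessed, it is initialized to NULL, to a reference to a new object with uninitialized fields, or to a reference to an object created during an earlier initialization.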

      (2)Dynamic Test Generation

       Recent work on using symbolic execution for dynamic test case generation, such as Directed Automated Random Testing (DART), EXecution Generated Executions (EGT/EXE) or Concolic Testing (CUTE), improves classical symbolic execution by making a distinction between the concrete and the symbolic state of a program.

        A significant scalability challenge for this technique is how to handle the exponential number of paths in the code. Recent extensions have tried to address this challenge by using heuristics to guide path exploration, interleaving symbolic execution with random testing, caching function summaries for later use by higher-level functions, or eliminating redundant paths by analyzing the values read and written by the program.
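
The concrete/symbolic split described above can be seen in a toy concolic loop. This is an added example, not code from DART, CUTE, EXE or the paper; `Sym`, `target`, `solve` and `explore` are hypothetical names, the program under test is constructed, and a brute-force search over a small integer domain stands in for a real constraint solver.

```python
import operator
from itertools import product

class Sym:
    """A concrete int paired with its symbolic expression over the inputs."""
    def __init__(self, val, expr, trace):
        self.val, self.expr, self.trace = val, expr, trace
    def _lift(self, o):
        return o if isinstance(o, Sym) else Sym(o, lambda env: o, self.trace)
    def _arith(self, o, op):
        o = self._lift(o)
        return Sym(op(self.val, o.val),
                   lambda env, a=self.expr, b=o.expr: op(a(env), b(env)), self.trace)
    def _branch(self, o, op):
        o = self._lift(o)
        taken = op(self.val, o.val)  # the concrete outcome decides the path taken
        self.trace.append((lambda env, a=self.expr, b=o.expr: op(a(env), b(env)), taken))
        return taken
    def __add__(self, o): return self._arith(o, operator.add)
    def __mul__(self, o): return self._arith(o, operator.mul)
    def __eq__(self, o): return self._branch(o, operator.eq)
    def __gt__(self, o): return self._branch(o, operator.gt)

def target(x, y):  # constructed program under test
    if x * 2 == y + 6:
        if x > 10:
            return "deep"
        return "equal"
    return "other"

def solve(constraints, names, domain=range(-20, 21)):
    """Brute-force stand-in for the constraint solver a real tool would call."""
    for vals in product(domain, repeat=len(names)):
        env = dict(zip(names, vals))
        if all(pred(env) == want for pred, want in constraints):
            return env
    return None

def explore(prog, names, seed):
    worklist, found = [(seed, 0)], {}
    while worklist:
        env, bound = worklist.pop()
        trace = []  # path condition recorded during this concrete run
        out = prog(*[Sym(env[n], lambda e, n=n: e[n], trace) for n in names])
        found.setdefault(out, env)
        for i in range(bound, len(trace)):  # negate each not-yet-flipped branch
            new = solve(trace[:i] + [(trace[i][0], not trace[i][1])], names)
            if new is not None:
                worklist.append((new, i + 1))
    return found
```

Calling `explore(target, ["x", "y"], {"x": 0, "y": 0})` reaches all three return values in three runs, whereas a uniformly random input from the same domain rarely satisfies the equality guard.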

        2  Some tools and their impact:

        (1)JPF-SE and Symbolic (Java) PathFinder

        The original GSE framework was developed for Java programs and used NASA's Java PathFinder (JPF) model checker as an enabling technology. Since JPF is a general-purpose model checker, GSE benefits from its collection of built-in state space exploration capabilities, such as different search strategies (e.g., heuristic search) as well as partial order and symmetry reductions; (abstract) state matching can be used to avoid performing redundant work. SPF implements a non-standard interpretation of Java bytecode using a modified JPF JVM, thereby performing symbolic execution more directly.

       (2)  DART(Directed Automated Random Testing)

       DART blends dynamic test generation with random testing and model checking techniques with the goal of systematically executing all (or as many as possible) feasible paths of a program, while checking each execution for various types of errors.

       (3) CUTE and jCUTE.

       CUTE (A Concolic Unit Testing Engine) and jCUTE (CUTE for Java) extend DART to handle multi-threaded programs that manipulate dynamic data structures using pointer operations. CUTE and jCUTE were developed at the University of Illinois at Urbana-Champaign for C and Java programs, respectively.

       (4) CREST.

        CREST is an open-source tool for concolic testing of C programs. CREST is an extensible platform for building and experimenting with heuristics for selecting which paths to test for programs with far too many execution paths to exhaustively explore.

       (5)SAGE: Automated Whitebox Fuzzing

       Whitebox fuzzing is a recent approach to security testing which extends the scope of systematic dynamic test generation from unit testing to whole-application testing. Whitebox fuzzing is able to scale to large file parsers embedded in applications with millions of lines of code and execution traces with billions of machine instructions, such as Microsoft Excel.

      (6)Pex.

      Pex implements Dynamic Symbolic Execution to generate test inputs for .NET code, supporting languages such as C#, Visual Basic, and F#. Pex extends the basic approach in several unique ways: while Pex can use concrete values to simplify constraints, it usually faithfully represents the semantics of almost all .NET instructions symbolically, including safe and unsafe code, as well as instructions that refer to the object-oriented .NET type system, such as type tests and virtual method invocations.

     (7)EXE.

       EXE is a symbolic execution tool for C designed for comprehensively testing complex software, with an emphasis on systems code. To deal with the complexities of systems code, EXE models memory with bit-level accuracy.

     (8) KLEE.

     KLEE is a redesign of EXE, built on top of the LLVM compiler infrastructure. Like EXE, it performs mixed concrete/symbolic execution, models memory with bit-level accuracy, employs a variety of constraint solving optimizations, and uses search heuristics to get high code coverage.

 

 

Reposted from: https://www.cnblogs.com/hszhang/archive/2011/10/27/2227105.html
