Automated synthesis of symbolic instruction encodings from I/O samples

GodefroidPatrice,; TalyAnkur,

doi:10.1145/2345156.2254116

Cited by 11 publications

(3 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given the significant number of embedded devices not running Linux on ARM or MIPS, an important research task is to find ways of making it easier to create fast and accurate VXEs. There has been some encouraging recent work on automated synthesis of semantic specifications for specific ISAs such as x86 [34,39]. TaintInduce [14] shows that higher level semantics (i.e., taint propagation rules) can be dynamically inferred for an ISA.…”

Section: Creating Virtual Execution Enginesmentioning

confidence: 99%

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Fasano

Ballo

Muench

et al. 2021

Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically wellsupported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting" poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmwarecentric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

show abstract

Section: Creating Virtual Execution Enginesmentioning

confidence: 99%

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Fasano

Ballo

Muench

et al. 2021

Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Although automated test generation techniques such as concolic testing [4–7] generate test inputs achieving high test coverage, they sometimes fail to cover target branches due to several limitations of the techniques (e.g. external binary library APIs [8–10], symbolic pointers [11–13] and loop conditions with symbolic bound variables [14–16]).…”

Section: Motivating Examplementioning

confidence: 99%

DEMINER: test generation for high test coverage through mutant exploration

Kim

Hong

2019

Software Testing Verif & Rel

View full text Add to dashboard Cite

Summary Most software testing techniques test a target program as it is and fail to utilize valuable information of diverse test executions on many variants/mutants of the original program in test generation. This paper proposes a new test generation technique DEMINER, which utilizes mutant executions to guide test generation on the original program for high test coverage. DEMINER first generates various mutants of an original target program and then extracts runtime information of mutant executions, which covered unreached branches by the mutation effects. Using the obtained runtime information, DEMINER inserts guideposts, artificial branches to replay the observed mutation effects, to the original target programs. Finally, DEMINER runs automated test generation on the original program with guideposts and achieves higher test coverage. We implemented DEMINER for C programs through software mutation and guided test generation such as concolic testing and fuzzing. We have shown the effectiveness of DEMINER on six real‐world target programs: Busybox‐ls, Busybox‐printf, Coreutils‐sort, GNU‐find, GNU‐grep and GNU‐sed. The experiment results show that DEMINER improved branch coverage by 63.4% and 19.6% compared with those of the conventional concolic testing techniques and the conventional fuzzing techniques on average, respectively.

show abstract

“…Each formula was tested extensively against hardware semi-automatically to check correctness. In the process we rediscovered known instances in which the x86 instruction set deviates from its specification [12]. For such instances, our formulas encode a sound over-approximation of the observed hardware behavior and the specification.…”

Section: Vc Generationmentioning

confidence: 99%

Data-driven equivalence checking

Sharma

Schkufza

Churchill

et al. 2013

Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages &Amp; Application

View full text Add to dashboard Cite

We present a data driven algorithm for equivalence checking of two loops. The algorithm infers simulation relations using data from test runs. Once a candidate simulation relation has been obtained, off-the-shelf SMT solvers are used to check whether the simulation relation actually holds. The algorithm is sound: insufficient data will cause the proof to fail. We demonstrate a prototype implementation, called DDEC, of our algorithm, which is the first sound equivalence checker for loops written in x86 assembly.

show abstract

Automated synthesis of symbolic instruction encodings from I/O samples

Cited by 11 publications

References 27 publications

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

DEMINER: test generation for high test coverage through mutant exploration

Data-driven equivalence checking

Contact Info

Product

Resources

About