Write a Blog >>
ASE 2020
Mon 21 - Fri 25 September 2020 Melbourne, Australia
ASE 2020 (series) / Research Papers /

Multiplex Symbolic Execution: Exploring Multiple Paths by Solving Once

Yufeng Zhang, Zhenbang Chen, Ziqi Shuai, Tianqi Zhang, Kenli Li, Ji Wang
ASE 2020 Research Papers
Thu 24 Sep 2020 01:10 - 01:30 at Kangaroo - Test Efficiency Chair(s): Darko Marinov

Path explosion and constraint solving are two challenges to symbolic execution’s scalability. Symbolic execution explores the program’s path space with a searching strategy and invokes the underlying constraint solver in a black-box manner to check the feasibility of a path. Inside the constraint solver, another searching procedure is employed to prove or disprove the feasibility. Hence, there exists the problem of double searchings in symbolic execution. In this paper, we propose to unify the double searching procedures to improve the scalability of symbolic execution. We propose \textit{Multiplex Symbolic Execution} (MuSE) that utilizes the intermediate assignments during the constraint solving procedure to generate new program inputs. MuSE maps the constraint solving procedure to the path exploration in symbolic execution and explores multiple paths in one time of solving. We have implemented MuSE on two symbolic execution tools (based on KLEE and JPF) and three commonly used constraint solving algorithms. The results of the extensive experiments on real-world benchmarks indicate that MuSE has orders of magnitude speedup to achieve the same coverage.

http://zbchen.github.io/Papers_files/ase-2020-1.pdf
small-avatar
Yufeng Zhang
College of Information Science and Engineering, Hunan University
small-avatar
Zhenbang Chen
College of Computer, National University of Defense Technology, Changsha, PR China
China
small-avatar
Ziqi Shuai
National University of Defense Technology
small-avatar
Tianqi Zhang
National University of Defense Technology
small-avatar
Kenli Li
College of Information Science and Engineering, National Supercomputing Center in Changsha, Hunan University
small-avatar
Ji Wang
National University of Defense Technology

Thu 24 Sep
Times are displayed in time zone: (UTC) Coordinated Universal Time

01:10 - 02:10: Test EfficiencyResearch Papers / NIER track at Kangaroo
Chair(s): Darko MarinovUniversity of Illinois at Urbana-Champaign
01:10 - 01:30
Research paper		Multiplex Symbolic Execution: Exploring Multiple Paths by Solving Once
Research Papers
Yufeng ZhangCollege of Information Science and Engineering, Hunan University, Zhenbang ChenCollege of Computer, National University of Defense Technology, Changsha, PR China, Ziqi ShuaiNational University of Defense Technology, Tianqi ZhangNational University of Defense Technology, Kenli LiCollege of Information Science and Engineering, National Supercomputing Center in Changsha, Hunan University, Ji WangNational University of Defense Technology
Pre-print
01:30 - 01:50
Talk		Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling
Research Papers
Chijin ZhouTsinghua University, Mingzhe WangSchool of Software, Tsinghua University, Jie LiangSchool of Software, Tsinghua University, Zhe LiuNanjing University of Aeronautics and Astronautics, Yu Jiang
01:50 - 02:00
Talk		SRRTA: Regression Testing Acceleration via State Reuse
NIER track
Jinhao DongPeking University, Yiling LouPeking University, China, Dan HaoPeking University, China

Multiplex Symbolic Execution: Exploring Multiple Paths by Solving Once Research Papers

Session: Test Efficiency Thu 24 Sep 2020 01:10 - 02:10 Chair(s): Darko MarinovUniversity of Illinois at Urbana-Champaign

Path explosion and constraint solving are two challenges to symbolic execution’s scalability. Symbolic execution explores the program’s path space with a searching strategy and invokes the underlying constraint solver in a black-box manner to check the feasibility of a path. Inside the constraint solver, another searching procedure is employed to prove or disprove the feasibility. Hence, there exists the problem of double searchings in symbolic execution. In this paper, we propose to unify the double searching procedures to improve the scalability of symbolic execution. We propose \textit{Multiplex Symbolic Execution} (MuSE) that utilizes the intermediate assignments during the constraint solving procedure to generate new program inputs. MuSE maps the constraint solving procedure to the path exploration in symbolic execution and explores multiple paths in one time of solving. We have implemented MuSE on two symbolic execution tools (based on KLEE and JPF) and three commonly used constraint solving algorithms. The results of the extensive experiments on real-world benchmarks indicate that MuSE has orders of magnitude speedup to achieve the same coverage.

small-avatar
Yufeng Zhang
College of Information Science and Engineering, Hunan University
small-avatar
Zhenbang Chen
College of Computer, National University of Defense Technology, Changsha, PR China
China
small-avatar
Ziqi Shuai
National University of Defense Technology
small-avatar
Tianqi Zhang
National University of Defense Technology
small-avatar
Kenli Li
College of Information Science and Engineering, National Supercomputing Center in Changsha, Hunan University
small-avatar
Ji Wang
National University of Defense Technology
All Details Close

Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling Research Papers

Session: Test Efficiency Thu 24 Sep 2020 01:10 - 02:10 Chair(s): Darko MarinovUniversity of Illinois at Urbana-Champaign

Coverage-guided fuzzing is one of the most popular software testing techniques for vulnerability detection. While effective, current fuzzing methods suffer from significant performance penalty due to instrumentation overhead, which limits its practical use. Existing solutions improve the fuzzing speed by decreasing instrumentation overheads but sacrificing coverage accuracy, which results in unstable performance of vulnerability detection.

In this paper, we propose a coverage-sensitive tracing and scheduling framework Zeror that can improve the performance of existing fuzzers, especially in their speed and vulnerability detection. The Zeror is mainly made up of two parts: (1) a self-modifying tracing mechanism to provide a zero-overhead instrumentation for more effective coverage collection, and (2) a real-time scheduling mechanism to support adaptive switch between the zero-overhead instrumented binary and the fully instrumented binary for better vulnerability detection. In this way, Zeror is able to decrease collection overhead and preserve fine-grained coverage for guidance.

For evaluation, we implement a prototype of Zeror and evaluate it on Google fuzzer-test-suite, which consists of 24 widely-used applications. The results show that Zeror performs better than existing fuzzing speed-up frameworks such as Untracer and INSTRIM, improves the execution speed of the state-of-the-art fuzzers such as AFL and MOPT by 159.80%, helps them achieve better coverage (averagely 10.14% for AFL, 6.91% for MOPT) and detect vulnerabilities faster (averagely 29.00% for AFL, 46.99% for MOPT).

small-avatar
Chijin Zhou
Tsinghua University
small-avatar
Mingzhe Wang
School of Software, Tsinghua University
small-avatar
Jie Liang
School of Software, Tsinghua University
small-avatar
Zhe Liu
Nanjing University of Aeronautics and Astronautics
small-avatar
Yu Jiang
All Details Close

SRRTA: Regression Testing Acceleration via State Reuse New Ideas and Emerging Results (NIER) track

Session: Test Efficiency Thu 24 Sep 2020 01:10 - 02:10 Chair(s): Darko MarinovUniversity of Illinois at Urbana-Champaign

Regression testing is widely recognized as an important but time-consuming process. In the literature, researchers have put dedicated efforts in test selection, reduction, and prioritization, to alleviate this cost issue. These techniques share the commonality that they improve regression testing by optimizing the execution of the whole test suite. In this paper, we attempt to accelerate regression testing from a totally new perspective, i.e., skipping some execution of a new program by reusing program states of an old program. Following this intuition, we propose a state-reuse based acceleration approach SRRTA, which consists of state storage and loading. With the former, SRRTA collects some program states during the execution of an old version through three heuristic-based storage strategies; with the latter, SRRTA loads the stored program states with efficiency optimization strategies. Finally, we conduct a preliminary study on \emph{commons-math} and find that SRRTA reduces 80.3% of the regression testing time, indicating it is very promising in accelerating regression testing.

small-avatar
Jinhao Dong
Peking University
Yiling Lou
Yiling Lou
Peking University, China
Dan Hao
Dan Hao
Peking University, China
China
All Details Close