一种应用于动态污点分析的路径自动生成方法

在对现有动态污点分析平台研究和分析的基础上,提出一种路径自动生成技术。借助二进制静态分析技术获取目标程序的指令序列,以基本块为粒度计算执行覆盖率,在目标程序动态执行中抓取其运行轨迹,由收集到的路径约束条件构造新的路径约束条件,经约束求解生成覆盖其它路径的新的测试用例。借助虚拟化技术实现动态污点分析各用例的并行执行,较大幅度提高污点分析的路径覆盖率和执行效率。     

基于污点指针的二进制代码缺陷检测

污点指针严重影响二进制代码数据流和控制流的安全。为此,提出一种二进制代码缺陷检测方法。引入指针污点传播规则,结合路径约束条件和边界约束条件得到缺陷引发条件,构造能够引发4类污点指针代码缺陷的输入数据。在Linux系统下实现ELF二进制代码缺陷检测工具,测试结果表明,该方法能降低测试用例生成数量,并发现Linux系统工具的1个虚函数调用控制缺陷和2个指针内存破坏缺陷。     

基于深度学习的模糊测试种子生成技术

模糊测试被广泛应用于各种软件和系统的漏洞挖掘中.而模糊测试的效果与其采用的变异策略以及初始种子文件的代码覆盖率有直接的关系.本文提出了一种基于深度学习的种子文件生成方法,分析并学习初始种子文件和其在目标程序中的执行路径之间的关系,最终输出可能覆盖新执行路径的种子文件,从而提高初始种子文件集合的代码覆盖率.我们以PDF阅读器作为目标程序进行了实验,实验结果表明该方法所生成的种子文件保证了良好的通过率,而且明显提高了代码覆盖率.同时实验证明该方法在针对多种PDF阅读器进行模糊测试时都获得了更高的代码覆盖率.     

一种基于动态插桩的JavaScript反事实执行方法

目前,静态分析技术已被广泛用于JavaScript程序的安全性分析。但是由于JavaScript支持通过eval等方法在运行时动态生成代码,仅靠静态分析难以取得动态生成代码。一种可行的解决方法是通过动态运行目标程序取得动态生成代码,再对其进行静态分析。然而,动态运行目标程序只能覆盖有限的执行路径,会遗漏其他执行路径中的动态生成代码。针对这一问题,基于动态插桩实现了一个反事实执行方法。该方法通过修改JavaScript引擎,在其语法解析阶段动态插入反事实执行体,使条件不成立的分支路径和当前执行路径均能够得到执行。通过该插桩方式,即使嵌套调用eval等方法,也能在其动态生成代码中完成插桩。同时,还实现了一种按需undo方法,以消除反事实执行体中赋值操作带来的影响,且能够避免冗余操作。实验结果表明,实现的方法能够有效地扩大动态分析中执行路径的覆盖面。     

汇编代码中的热路径搜寻工具

介绍并实现了一种热路径搜索算法,它能在汇编代码中搜寻出执行频率最高的若干条路径。编译器开发人员可以专注精力分析热路径上的代码,大大节省了工作量。该工具配合ORC编译器的开发,为改善性能做出了重要贡献。     

基于路径覆盖插桩的可执行代码测试工具实现

为解决传统程序插桩技术存在代码膨胀和运行时间较长的问题,提出对可执行代码进行控制流路径覆盖消除冗余的插桩策略。依据该策略设计一种针对Java可执行代码的单元测试工具,完成程序执行路径跟踪和覆盖率分析。对测试工具进行功能验证和性能分析,结果表明,该策略能够有效减少插桩点数量,降低插桩对被测程序时间特性的影响。     

有效覆盖引导的定向灰盒模糊测试

定向灰盒模糊测试技术在度量种子对目标执行状态的搜索能力时,除了考虑种子逼近目标代码的程度之外,还需要分析种子对多样化执行状态的发现能力,从而避免陷入局部最优.现有的定向灰盒模糊测试主要根据全程序的覆盖统计来度量种子搜索多样化执行路径的能力.然而,目标执行状态仅依赖于部分程序代码.如果带来新覆盖的种子并未探索到目标状态计算所依赖的新执行状态,其不仅不能扩大种子队列对目标执行状态的搜索能力,而且会诱导测试目标无关的代码和功能,阻碍定向测试向目标代码的收敛.为了缓解该问题,从待发现目标执行状态依赖代码的覆盖统计着手,提出了一种有效覆盖引导的定向灰盒模糊测试方法.利用程序切片技术提取影响目标执行状态计算的代码.通过能量调度（即控制种子后代生成数量）,提升引发该部分代码控制流新覆盖变化的种子能量,降低其他冗余种子的能量,使定向灰盒模糊测试专注于搜索目标相关的执行状态.在测试集上的实验结果显示,该方法显著提升了目标状态发现效率.     

动态二进制翻译器CrossBit的性能分析与评估

动态二进制翻译是广泛应用于虚拟机系统的一种二进制代码的翻译技术。动态二进制翻译由于拥有代码缓存、本地执行、代码块链接、动态热路径生成等优化技术的支持,有着很高的性能。CrossBit是一个多元多目标的动态二进制翻译系统,通过对CrossBit二进制翻译器的性能进行的研究,分析动态二进制翻译器性能提升中所必须解决的若干问题,并通过定量的分析总结了一些二进制翻译系统的在不同的配置和负载下系统优化手段的执行时策略。     

关于数据执行保护的检测方法

在CPU史持的前提下，Microsoft Windows XP Service Pack 2使用一项新的敖据执行保护（DEP）功能，可禁止执行数据页中的代码。当要尝试运行标记为数据页中的代码时．就会立即发生异常并禁止执行代码。这样可以有效地防止攻击者使用代码致使数据缓冲区溢出，然后执行该代码。     

基于多目标全局约束的任务分配和调度算法

针对嵌入式系统中大多数任务执行算法不考虑目标成本问题,提出了一种基于多目标全局约束的任务分配和调度算法。算法使用约束逻辑编程来对任务执行资源如处理单元、通信设备以及代码和数据存储量的使用进行多目标全局约束。算法假设ROM和RAM分别用于代码存储和数据存储,算法还考虑数据在数据存储器中的位置。实验结果表明,尽管在多个约束条件下,提出的任务分配和调度算法无论在代码存储和数据存储量使用方面,还是在对任务有效求解方面都能取得比普遍采用的贪婪调度算法更好的结果。     

Extending symbolic execution for automated testing of stored procedures

Stored procedures in database management systems are often used to implement complex business logic. Correctness of these procedures is critical for flawless working of the system. However, testing them remains difficult due to many possible database states and constraints on data. This leads to mostly manual testing. Newer tools offer automated execution for unit testing of stored procedures but the test cases are still written manually. We propose an approach of using dynamic symbolic execution for generating automated test cases and corresponding database states for stored procedures. We model the constraints on data imposed by the schema and the SQL statements, treating values in database tables as symbolic. We use SMT solver to find values that will drive the stored procedure on a particular execution path. We instrument the internal execution plans generated by PostgreSQL to extract constraints. We use Z3 to generate test cases consisting of table data and procedure inputs. Our evaluation using stored procedures from a large business application and various GitHub repositories quantifies the evidence of effectiveness of our technique by generating test cases that lead to schema constraint violations and user-defined exceptions.     

Linear Approximation of Execution-Time Constraints

This paper defines an algorithm for predicting worst-case and best-case execution times, and determining execution-time constraints of control-flow paths through real-time programs using their partial correctness semantics. The algorithm produces a linear approximation of path traversal conditions, worst-case and best-case execution times and strongest postconditions for timed paths in abstract real-time programs. Also shown are techniques for determining the set of control-flow paths with decidable worst-case and best-case execution times. The approach is based on a weakest liberal precondition semantics and relies on supremum and infimum calculations similar to standard computations from linear programming and Presburger arithmetic. The methodology is applicable to any executable language with a predicate transformer semantics and hence provides a verification basis for both high-level language and assembly code execution-time analysis.     

Unit Test Data Generation for C Using Rule-Directed Symbolic Execution

Unit testing is widely used in software development. One important activity in unit testing is automatic test data generation. Constraint-based test data generation is a technique for automatic generation of test data, which uses symbolic execution to generate constraints. Unit testing only tests functions instead of the whole program, where individual functions typically have preconditions imposed on their inputs. Conventional symbolic execution cannot detect these preconditions, let alone converting these preconditions into constraints. To overcome these limitations, we propose a novel unit test data generation approach using rule-directed symbolic execution for dealing with functions with missing input preconditions. Rule-directed symbolic execution uses predefined rules to detect preconditions in the individual function, and generates constraints for inputs based on preconditions. We introduce implicit constraints to represent preconditions, and unify implicit constraints and program constraints into integrated constraints. Test data generated based on integrated constraints can explore previously unreachable code and help developers find more functional faults and logical faults. We have implemented our approach in a tool called CTS-IC, and applied it to real-world projects. The experimental results show that rule-directed symbolic execution can find preconditions (implicit constraints) automatically from an individual function. Moreover, the unit test data generated by our approach achieves higher coverage than similar tools and efficiently mitigates missing input preconditions problems in unit testing for individual functions.

     

模型学习与符号执行结合的安全协议代码分析技术

符号执行技术从理论上可以全面分析程序执行空间,但对安全协议这样的大型程序,路径空间爆炸和约束求解困难的局限性导致其在实践上不可行。结合安全协议程序自身特点,提出用模型学习得到的协议状态机信息指导安全协议代码符号执行思路;同时,通过将协议代码中的密码学逻辑与协议交互逻辑相分离,避免了因密码逻辑的复杂性导致路径约束无法求解的问题。在SSH协议开源项目Dropbear上的成功实践表明了所提方法的可行性;通过与 Dropbear 自带的模糊测试套件对比,验证了所提方法在代码覆盖率与错误点发现上均具有一定优势。     

Symbolic PathFinder: integrating symbolic execution with model checking for Java bytecode analysis

Symbolic PathFinder (SPF) is a software analysis tool that combines symbolic execution with model checking for automated test case generation and error detection in Java bytecode programs. In SPF, programs are executed on symbolic inputs representing multiple concrete inputs and the values of program variables are represented by expressions over those symbolic inputs. Constraints over these expressions are generated from the analysis of different paths through the program. The constraints are solved with off-the-shelf solvers to determine path feasibility and to generate test inputs. Model checking is used to explore different symbolic program executions, to systematically handle aliasing in the input data structures, and to analyze the multithreading present in the code. SPF incorporates techniques for handling input data structures, strings, and native calls to external libraries, as well as for solving complex mathematical constraints. We describe the tool and its application at NASA, in academia, and in industry.     

Feed-rate and trajectory optimization for CNC machine tools

The key task performed by CNCs is the generation of the time-sequence of set-points for driving each physical axis of the machine tool during program execution. This interpolation of axes movement must satisfy a number of constraints on axes dynamics (velocity, acceleration, and jerk), and on process outcome (smooth tool movement and precise tracking of the nominal tool-path at the desired feed-rate). This paper presents an algorithm for CNC kernels that aims at solving the axes interpolation problem by exploiting an Optimal Control Problem formulation. With respect to other solutions proposed in the literature, the approach presented here takes an original approach by assuming a predefined path tracking tolerance—to be added to the constraints listed above—and calculating the whole trajectory (path and feed-rate profile) that satisfies the given constraints. The effectiveness of the proposed solution is benchmarked against the trajectory generated by an industrial, state-of-the-art CNC, proving a significant advantage in efficiency and smoothness of axes velocity profiles.     

An automated approach for merging business process fragments

In the field of business process management, adopting efficient building strategies can improve the quality of companies’ business processes. The reuse of existing business processes or even fragments of them is a practical approach to build complete business processes or coarser-grained process fragments. In the present paper, we deal with the merge of a set of business process fragments for the construction of new complete processes. Our merge mechanism relies on a particular path matrix, that we call gateway path matrix. We use gateway path matrices to represent business process fragments to systematically compose shared components with individual ones. Moreover, our approach ensures that the resulting business process fragments subsume the behavior of initial ones and allows for adding new execution scenarios while controlling undesirable ones. In fact, we detect newly generated behaviors, and alert process designers of undesirable ones through behavioral constraints. We provide extensive experimental results derived from an implementation of our approach applied on a well-known industrial library of business process fragments.     

Adaptability mechanisms for autonomic system implementation with AAOP

This paper presents a new approach to implementing an adaptability loop in Autonomic Computing (AC) systems, which is based on adaptable aspects. The approach utilizes the concept of adaptable aspect‐oriented programming (AAOP) in which a set of AOP aspects is used to run an application in the manner specified by its adaptability strategy. We present a model execution environment based on this concept, enabling the execution of applications with applied adaptability strategies. In the AAOP‐based AC system, the application is instrumented with aspects selected by the system from a set of all available aspects (sensors, effectors, and goal aspects) in such a way that the system can monitor and manage the application. This model can be used to implement systems that are able to monitor an application and its execution environment, and perform actions such as changing the current set of non‐functional constraints in response to changes in the application or its environment. The model can be used for various types of non‐functional goals, in various programming languages, both in centralized and distributed environments. This paper describes its Java‐based implementation and non‐functional goals referring to resource management. As a consequence, the application uses resources in a way specified in its adaptability strategy. Resource consumption management logic is transparent for the application, meaning that no modifications in the application source code are needed. Copyright © 2010 John Wiley & Sons, Ltd.