SlideShare a Scribd company logo

Software testing and concolic execution LSE 2013

Jonathan Salwan
Jonathan Salwan

Software testing and concolic execution LSE 2013

TechnologyEducation
1 of 52
Download to read offline
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Software testing and concolic execution Jonathan Salwan LSE Summer Week 2013 July 18, 2013 Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End About me Who I am : Jonathan Salwan Where I work : Sysdream What is my job : R&D Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Definition From Wikipedia: Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Bug impact - $100 Billion per year in Europe - Rocket Arianne V : $370 Million - Therac-25 (Radiotherapy) : People died... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Certifications - ISO/IEC 9126 : Software engineering - Product quality - SGS : Certification services from SGS demonstrate that your products, processes, systems or services are compliant with national and international regulations and standards. - ED-12C/DO-178C : Software Considerations in Airborne Systems and Equipment Certification Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing statistics Fast Intelligent Code coverage Manual test KO OK OK Automatic test OK KO KO Formal proof KO OK OK Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting To find bugs, we have several methodologies. - White box - Black box - Pattern matching - Dumb fuzzing - In-memory fuzzing - ... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing White box PHP 5.3.6 - Stack buffer overflow in socket connect (CVE-2011-1938) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Black box Most vulnerabilities are found in private softwares thanks to black box fuzzing - Same idea than white box fuzzing - Need to skill++ in assembly - Really more time consuming than white box fuzzing Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Pattern matching Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing The idea is to fuzz the program with semi-random data (based on a specification of the fileformat/protocol/whatever) 1 Focus a specific RFC (Ex: http, ftp, pdf, png...) 2 Send semi-random data based on the RFC’s fields. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing - http server Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing The idea of this method is to instrument directly the target application’s code to fuzz it. Here are the different steps: 1 Break before and after the target function 2 Save the context execution 3 Send semi-random data 4 Restore the execution context previously saved 5 Repeat until a crash is triggered Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Call graph Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Concept Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Manual vs automatic testing With the classical automatic tests it’s difficult to detect some bugs : - Info leaks - All overflows without crashs - Design errors - ... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concrete execution The concrete execution is the execution of a real program. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution The symbolic execution is used to determine a time T all conditions necessary to take the branch or not. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Three possible paths. One path for True and two paths for False. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Concolic execution is a technic that uses both symbolic and concrete execution to solve a constraint path. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 IR and constraints solver Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind Valgrind is an instrumentation framework for building dynamic analysis tools. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX VEX is the Valgrind’s intermediate language. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX sample Instruction: add eax, ebx t3 = GET:I32(0) # get %eax, a 32-bit integer (t3 = eax) t2 = GET:I32(12) # get %ebx, a 32-bit integer (t2 = ebx) t1 = Add32(t3,t2) # t1 = addl(eax, ebx) PUT(0) = t1 # put %eax (eax = t1) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 Z3 is a high-performance theorem prover developed by Microsoft. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Example $ cat ./ex.py from z3 import * x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) + (3 - (2 * 12)) == 0x30) print s.check() print s.model() $ ./ex.py sat [x = 16] Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Why ? We will use it to solve all the constraints from our VEX’s output. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Proof of concept Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 PoC for fun Last summer, with my friends Ahmed Bougacha and Pierre Collet, we worked on a concolic PoC just for fun. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Goal Objectif : Solve this dumb crackme Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Plan 1 Taint the user input (via Valgrind) 2 Spread the taints (via Valgrind) 3 Save all constraints (via Valgrind) 4 Solve all constraints (via Z3) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - Diagram Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind With valgrind we can add a Pre and Post syscall handler. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind static void pre_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs){ } static void post_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs, SysRes res){ } static void init(void) { VG_(details_name) ("Taminoo"); VG_(details_version) (NULL); VG_(details_description) ("Taint analysis poc"); [...] VG_(basic_tool_funcs) (init, instrument, fini); [...] VG_(needs_syscall_wrapper) (pre_syscall, post_syscall); } VG_DETERMINE_INTERFACE_VERSION(init) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints To propagate correctly the taints, we instrument each instruction of the binary. If it is a GET, LOAD, PUT or STORE instruction we spread the taints. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints The variable a is tainted. When b = a and c = b, b and c will also be tainted because they can be controlled via a. uint32_t a, b, c; a = atoi(user_input); b = a; /* b is tainted */ c = b; /* c is tainted */ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints - in Valgrind switch (st->tag) { case Ist_Store: INSERT_DIRTY(helper_store, /* dst_addr */ st->Ist.Store.addr, /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Store.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Store.data)); break; case Ist_Put: INSERT_DIRTY(helper_put, /* dst_reg */ mkIRExpr_HWord(st->Ist.Put.offset), /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Put.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Put.data)); break; case Iex_Get: INSERT_DIRTY(helper_get, /* dst_tmp */ mkIRExpr_HWord(dst), /* src_reg */ mkIRExpr_HWord(data->Iex.Get.offset), /* size */ mkIRExpr_HWord(sizeofIRType(data->Iex.Get.ty))); break; case Iex_Load: INSERT_DIRTY(helper_load, /* dst_tmp */ mkIRExpr_HWord(st->Ist.WrTmp.tmp), /* src_addr */ st->Ist.WrTmp.data->Iex.Load.addr, /* size */ INSERT_TYPE_SIZE(data->Iex.Load.ty)); break; [...] } Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - Output ==14567== #1:8 = Read(4,0) #2:8 = Read(4,1) #3:8 = Read(4,2) #4:8 = Read(4,3) #5:32 = 8Uto32(#1:8) #6:32 = Xor32(#5:32,0x55) #7:8 = 32to8_0(#6:32) #8:8 = 32to8_1(#6:32) #9:8 = 32to8_2(#6:32) #10:8 = 32to8_3(#6:32) #11:32 = 8Uto32(#7:8) #12:8 = 32to8(#11:32) #13:1 = CmpEQ8(#12:8,0x30) = False #14:32 = 1Uto32(#13:1) #15:1 = 32to1(#14:32) Jump(#15:1) = False #6 freed #5 freed #14 freed #13 freed #12 freed #15 freed #11 freed #7 freed ==14567== Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Every constraint depends of the previous constraint. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 All the constraints are converted using the Z3 syntax Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Original constraint The first constraint is : CmpEQ8(Xor32(Read(4,0),0x55),0x30) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Z3 pattern # First constraint in Z3 pattern x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) == 0x30) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Concolic execution Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - All constraints solved C1 = CmpEQ8(Xor32(Read(4,0),0x55),0x30) = ’e’ C2 = CmpEQ8(Xor32(Read(4,1),0x55),0x39) = ’l’ C3 = CmpEQ8(Xor32(Read(4,2),0x55),0x3c) = ’i’ C4 = CmpEQ8(Xor32(Read(4,3),0x55),0x21) = ’t’ C5 = CmpEQ8(Xor32(Read(4,4),0x55),0x30) = ’e’ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Extra Blog post : http://shell-storm.org/blog/Concolic-execution-taint-analysis- with-valgrind-and-constraints-path-solver-with-z3/ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Questions ? Questions ? Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Thanks ! http://sbxc.org http://twitter.com/JonathanSalwan Jonathan Salwan Software testing and concolic execution

Recommended

Investigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesInvestigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective Files
The University of Adelaide
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
The University of Adelaide
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Fabio Rosato
 
PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)
Shauvik Roy Choudhary, Ph.D.
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Сергей Гоменюк
 
What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)
Yuriy Tymchuk
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from aside
PVS-Studio
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)
Sung Kim
 

Recommended

Investigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesInvestigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective Files
The University of Adelaide
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
The University of Adelaide
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Fabio Rosato
 
PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)
Shauvik Roy Choudhary, Ph.D.
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
Сергей Гоменюк
 
What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)
Yuriy Tymchuk
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from aside
PVS-Studio
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)
Sung Kim
 
Automatic testing in DevOps
Automatic testing in DevOpsAutomatic testing in DevOps
Automatic testing in DevOps
Benoit Baudry
 
Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Quality
guest268ee8
 
Videos about static code analysis
Videos about static code analysisVideos about static code analysis
Videos about static code analysis
PVS-Studio
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Process
gsporar
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Raffi Khatchadourian
 
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsMaster the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Rafael Chinelato Del Nero
 
National software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesNational software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynes
Fergal Hynes
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
Alexandre (Shura) Iline
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™
Joe Ferguson
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
Chunyang Chen
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)
Peter Kofler
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)
Peter Kofler
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect Prediction
Sung Kim
 
An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...
corpaulbezemer
 
QA for lecture 15.pptx
QA for lecture 15.pptxQA for lecture 15.pptx
QA for lecture 15.pptx
MuneerUmar3
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
Geneva, Switzerland
 
Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbai
vibrantuser
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...
vibrantuser
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rune Sundling
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
jeromevdl
 
Software Horticulture
Software HorticultureSoftware Horticulture
Software Horticulture
Jieren Chen
 

More Related Content

What's hot

Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Quality
guest268ee8
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Process
gsporar
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Raffi Khatchadourian
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
Chunyang Chen
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)
Peter Kofler
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)
Peter Kofler
 

What's hot (13)

Automatic testing in DevOps
Automatic testing in DevOpsAutomatic testing in DevOps
Automatic testing in DevOps
 
Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Quality
 
Videos about static code analysis
Videos about static code analysisVideos about static code analysis
Videos about static code analysis
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Process
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
 
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsMaster the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
 
National software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesNational software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynes
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect Prediction
 

Similar to Software testing and concolic execution LSE 2013

Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbai
vibrantuser
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...
vibrantuser
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
Rune Sundling
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Positive Hack Days
 
Black box testing lecture 11
Black box testing lecture 11Black box testing lecture 11
Black box testing lecture 11
Abdul Basit
 
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcementSFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
South Tyrol Free Software Conference
 
Concurrency and Parallelism with Scala
Concurrency and Parallelism with ScalaConcurrency and Parallelism with Scala
Concurrency and Parallelism with Scala
Timothy Perrett
 

Similar to Software testing and concolic execution LSE 2013 (20)

An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...
 
QA for lecture 15.pptx
QA for lecture 15.pptxQA for lecture 15.pptx
QA for lecture 15.pptx
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbai
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
 
Software Horticulture
Software HorticultureSoftware Horticulture
Software Horticulture
 
Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Black box testing
Black box testingBlack box testing
Black box testing
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
Black box testing lecture 11
Black box testing lecture 11Black box testing lecture 11
Black box testing lecture 11
 
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcementSFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
 
Concurrency and Parallelism with Scala
Concurrency and Parallelism with ScalaConcurrency and Parallelism with Scala
Concurrency and Parallelism with Scala
 
Manual testing ppt
Manual testing pptManual testing ppt
Manual testing ppt
 
Complexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote ConfComplexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote Conf
 
How penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skillsHow penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skills
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad Decisions
 

More from Jonathan Salwan

St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
Jonathan Salwan
 

More from Jonathan Salwan (6)

How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
 
Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 

Recently uploaded

Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Software testing and concolic execution LSE 2013

  • 1. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Software testing and concolic execution Jonathan Salwan LSE Summer Week 2013 July 18, 2013 Jonathan Salwan Software testing and concolic execution
  • 2. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End About me Who I am : Jonathan Salwan Where I work : Sysdream What is my job : R&D Jonathan Salwan Software testing and concolic execution
  • 3. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing Jonathan Salwan Software testing and concolic execution
  • 4. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Definition From Wikipedia: Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Jonathan Salwan Software testing and concolic execution
  • 5. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Bug impact - $100 Billion per year in Europe - Rocket Arianne V : $370 Million - Therac-25 (Radiotherapy) : People died... Jonathan Salwan Software testing and concolic execution
  • 6. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Certifications - ISO/IEC 9126 : Software engineering - Product quality - SGS : Certification services from SGS demonstrate that your products, processes, systems or services are compliant with national and international regulations and standards. - ED-12C/DO-178C : Software Considerations in Airborne Systems and Equipment Certification Jonathan Salwan Software testing and concolic execution
  • 7. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing statistics Fast Intelligent Code coverage Manual test KO OK OK Automatic test OK KO KO Formal proof KO OK OK Jonathan Salwan Software testing and concolic execution
  • 8. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting Jonathan Salwan Software testing and concolic execution
  • 9. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting To find bugs, we have several methodologies. - White box - Black box - Pattern matching - Dumb fuzzing - In-memory fuzzing - ... Jonathan Salwan Software testing and concolic execution
  • 10. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing White box PHP 5.3.6 - Stack buffer overflow in socket connect (CVE-2011-1938) Jonathan Salwan Software testing and concolic execution
  • 11. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Black box Most vulnerabilities are found in private softwares thanks to black box fuzzing - Same idea than white box fuzzing - Need to skill++ in assembly - Really more time consuming than white box fuzzing Jonathan Salwan Software testing and concolic execution
  • 12. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Pattern matching Jonathan Salwan Software testing and concolic execution
  • 13. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing The idea is to fuzz the program with semi-random data (based on a specification of the fileformat/protocol/whatever) 1 Focus a specific RFC (Ex: http, ftp, pdf, png...) 2 Send semi-random data based on the RFC’s fields. Jonathan Salwan Software testing and concolic execution
  • 14. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing - http server Jonathan Salwan Software testing and concolic execution
  • 15. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing The idea of this method is to instrument directly the target application’s code to fuzz it. Here are the different steps: 1 Break before and after the target function 2 Save the context execution 3 Send semi-random data 4 Restore the execution context previously saved 5 Repeat until a crash is triggered Jonathan Salwan Software testing and concolic execution
  • 16. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Call graph Jonathan Salwan Software testing and concolic execution
  • 17. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Concept Jonathan Salwan Software testing and concolic execution
  • 18. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Manual vs automatic testing With the classical automatic tests it’s difficult to detect some bugs : - Info leaks - All overflows without crashs - Design errors - ... Jonathan Salwan Software testing and concolic execution
  • 19. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Jonathan Salwan Software testing and concolic execution
  • 20. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concrete execution The concrete execution is the execution of a real program. Jonathan Salwan Software testing and concolic execution
  • 21. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution The symbolic execution is used to determine a time T all conditions necessary to take the branch or not. Jonathan Salwan Software testing and concolic execution
  • 22. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Jonathan Salwan Software testing and concolic execution
  • 23. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Three possible paths. One path for True and two paths for False. Jonathan Salwan Software testing and concolic execution
  • 24. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Concolic execution is a technic that uses both symbolic and concrete execution to solve a constraint path. Jonathan Salwan Software testing and concolic execution
  • 25. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 IR and constraints solver Jonathan Salwan Software testing and concolic execution
  • 26. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind Valgrind is an instrumentation framework for building dynamic analysis tools. Jonathan Salwan Software testing and concolic execution
  • 27. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX VEX is the Valgrind’s intermediate language. Jonathan Salwan Software testing and concolic execution
  • 28. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX sample Instruction: add eax, ebx t3 = GET:I32(0) # get %eax, a 32-bit integer (t3 = eax) t2 = GET:I32(12) # get %ebx, a 32-bit integer (t2 = ebx) t1 = Add32(t3,t2) # t1 = addl(eax, ebx) PUT(0) = t1 # put %eax (eax = t1) Jonathan Salwan Software testing and concolic execution
  • 29. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 Z3 is a high-performance theorem prover developed by Microsoft. Jonathan Salwan Software testing and concolic execution
  • 30. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Example $ cat ./ex.py from z3 import * x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) + (3 - (2 * 12)) == 0x30) print s.check() print s.model() $ ./ex.py sat [x = 16] Jonathan Salwan Software testing and concolic execution
  • 31. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Why ? We will use it to solve all the constraints from our VEX’s output. Jonathan Salwan Software testing and concolic execution
  • 32. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Proof of concept Jonathan Salwan Software testing and concolic execution
  • 33. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 PoC for fun Last summer, with my friends Ahmed Bougacha and Pierre Collet, we worked on a concolic PoC just for fun. Jonathan Salwan Software testing and concolic execution
  • 34. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Goal Objectif : Solve this dumb crackme Jonathan Salwan Software testing and concolic execution
  • 35. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Plan 1 Taint the user input (via Valgrind) 2 Spread the taints (via Valgrind) 3 Save all constraints (via Valgrind) 4 Solve all constraints (via Z3) Jonathan Salwan Software testing and concolic execution
  • 36. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - Diagram Jonathan Salwan Software testing and concolic execution
  • 37. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind With valgrind we can add a Pre and Post syscall handler. Jonathan Salwan Software testing and concolic execution
  • 38. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind static void pre_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs){ } static void post_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs, SysRes res){ } static void init(void) { VG_(details_name) ("Taminoo"); VG_(details_version) (NULL); VG_(details_description) ("Taint analysis poc"); [...] VG_(basic_tool_funcs) (init, instrument, fini); [...] VG_(needs_syscall_wrapper) (pre_syscall, post_syscall); } VG_DETERMINE_INTERFACE_VERSION(init) Jonathan Salwan Software testing and concolic execution
  • 39. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints To propagate correctly the taints, we instrument each instruction of the binary. If it is a GET, LOAD, PUT or STORE instruction we spread the taints. Jonathan Salwan Software testing and concolic execution
  • 40. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints The variable a is tainted. When b = a and c = b, b and c will also be tainted because they can be controlled via a. uint32_t a, b, c; a = atoi(user_input); b = a; /* b is tainted */ c = b; /* c is tainted */ Jonathan Salwan Software testing and concolic execution
  • 41. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints - in Valgrind switch (st->tag) { case Ist_Store: INSERT_DIRTY(helper_store, /* dst_addr */ st->Ist.Store.addr, /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Store.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Store.data)); break; case Ist_Put: INSERT_DIRTY(helper_put, /* dst_reg */ mkIRExpr_HWord(st->Ist.Put.offset), /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Put.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Put.data)); break; case Iex_Get: INSERT_DIRTY(helper_get, /* dst_tmp */ mkIRExpr_HWord(dst), /* src_reg */ mkIRExpr_HWord(data->Iex.Get.offset), /* size */ mkIRExpr_HWord(sizeofIRType(data->Iex.Get.ty))); break; case Iex_Load: INSERT_DIRTY(helper_load, /* dst_tmp */ mkIRExpr_HWord(st->Ist.WrTmp.tmp), /* src_addr */ st->Ist.WrTmp.data->Iex.Load.addr, /* size */ INSERT_TYPE_SIZE(data->Iex.Load.ty)); break; [...] } Jonathan Salwan Software testing and concolic execution
  • 42. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - Output ==14567== #1:8 = Read(4,0) #2:8 = Read(4,1) #3:8 = Read(4,2) #4:8 = Read(4,3) #5:32 = 8Uto32(#1:8) #6:32 = Xor32(#5:32,0x55) #7:8 = 32to8_0(#6:32) #8:8 = 32to8_1(#6:32) #9:8 = 32to8_2(#6:32) #10:8 = 32to8_3(#6:32) #11:32 = 8Uto32(#7:8) #12:8 = 32to8(#11:32) #13:1 = CmpEQ8(#12:8,0x30) = False #14:32 = 1Uto32(#13:1) #15:1 = 32to1(#14:32) Jump(#15:1) = False #6 freed #5 freed #14 freed #13 freed #12 freed #15 freed #11 freed #7 freed ==14567== Jonathan Salwan Software testing and concolic execution
  • 43. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Every constraint depends of the previous constraint. Jonathan Salwan Software testing and concolic execution
  • 44. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Jonathan Salwan Software testing and concolic execution
  • 45. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 All the constraints are converted using the Z3 syntax Jonathan Salwan Software testing and concolic execution
  • 46. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Original constraint The first constraint is : CmpEQ8(Xor32(Read(4,0),0x55),0x30) Jonathan Salwan Software testing and concolic execution
  • 47. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Z3 pattern # First constraint in Z3 pattern x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) == 0x30) Jonathan Salwan Software testing and concolic execution
  • 48. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Concolic execution Jonathan Salwan Software testing and concolic execution
  • 49. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - All constraints solved C1 = CmpEQ8(Xor32(Read(4,0),0x55),0x30) = ’e’ C2 = CmpEQ8(Xor32(Read(4,1),0x55),0x39) = ’l’ C3 = CmpEQ8(Xor32(Read(4,2),0x55),0x3c) = ’i’ C4 = CmpEQ8(Xor32(Read(4,3),0x55),0x21) = ’t’ C5 = CmpEQ8(Xor32(Read(4,4),0x55),0x30) = ’e’ Jonathan Salwan Software testing and concolic execution
  • 50. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Extra Blog post : http://shell-storm.org/blog/Concolic-execution-taint-analysis- with-valgrind-and-constraints-path-solver-with-z3/ Jonathan Salwan Software testing and concolic execution
  • 51. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Questions ? Questions ? Jonathan Salwan Software testing and concolic execution
  • 52. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Thanks ! http://sbxc.org http://twitter.com/JonathanSalwan Jonathan Salwan Software testing and concolic execution