SlideShare a Scribd company logo

Language-Based Testing and Debugging.pdf

CISPA Helmholtz Center for Information Security
CISPA Helmholtz Center for Information Security

Language-Based Testing and Debugging Andreas Zeller, CISPA Helmholtz Center for Information Security Joint work with Dominic Steinhöfel and the CISPA team If one knows the input language of a software system, one can use it for generating test inputs or for determining input patterns that cause specific behavior. But how does one specify an input language such that all properties of inputs are covered? In this talk, I introduce the ISLa specification language, combining grammars and constraints over nonterminals to capture even the most complex input languages. ISLa serves as a fuzzer, allowing to test programs with a large variety of inputs systematically, but also as a parser, decomposing inputs and outputs into individual elements. This opens up new directions for debugging, determining the exact conditions under which a program fails: "The program fails if the <check-temperature-option> is given and <temperature> < 0 holds." Includes live demos! Andreas Zeller is faculty at the CISPA Helmholtz Center for Information Security and professor for Software Engineering at Saarland University. His research on automated debugging, mining software archives, specification mining, and security testing has proven highly influential. Zeller is one of the few researchers to have received two ERC Advanced Grants, most recently for his S3 project. Zeller is an ACM Fellow and holds an ACM SIGSOFT Outstanding Research Award.

Software
1 of 44
Download to read offline
Andreas Zeller • DEBT Workshop • 2023-07-17 Joint work with Dominic Steinhöfel • Martin Eberlein • Lars Grunske Language-Based Testing and Debugging Why and When Does My Program Fail?
Testing Challenges program inputs program outputs Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
Testing and Debugging Challenges program inputs program outputs Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
Testing and Debugging Challenges Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
Testing the SSL/TLS Heartbeat Protocol 0x1 0x5 "Hello" ... 0x2 0x5 "Hello" ... Client Server payload must be identical
Testing the SSL/TLS Heartbeat Protocol 0x1 <length> <payload> <padding> 0x2 <length> <payload> <padding> Client Server
Testing the SSL/TLS Heartbeat Protocol 0x2 <length> <payload> <padding> <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <length> ::= <uint16> length must match ... 0x1 <length> <payload> <padding> <client-request> ::= payload must be identical <server-response> ::= Client Server
Specifying Languages <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= length must match payload must be identical syntax alone does not su ffi • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints <exchange>
ISLa Language Numbers uint16(<id>) = str.len(<name>) + str.len(<email>) + 2 Strings str.suffixof(<email>, '@cispa.de', True) Based on SMT-LIB Theories Booleans str.len(<email>) > 4096 and str.contains(<email>, '0', True) Quanti fi ers exists <option> in <command_line>: <option> = '--config' or <option> = '-C' S-Expressions (>= (str.len <buffer> 4096)) • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints
ISLa Usage Fuzzing $ isla solve grammar.bnf --constraint 'str.len(<payload>) > 65536' Checking $ isla find customers.bnf --constraint '<company> = "CISPA"' *.csv Command Line + Python API Mutating $ isla mutate grammar.bnf spec.isla input.txt Repairing $ isla repair grammar.bnf spec.isla input.txt Python API from isla import ISLaSolver • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints
Specifying Languages <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange>
Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <client-request> <server-response>
Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <client-request> <server-response>
<client-request> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <server-response>
<client-request> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <length> <payload> <padding> 0x1
<server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <length> <payload> <padding> 0x1 <client-request>
<server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <length> <payload> <padding> 0x1
Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <server-response> <length> <payload> <padding> 0x1 <uint16>
Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <server-response> <length> <payload> <padding> 0x1 <uint16>
0x1 0x0005 <payload> <padding> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::=
0x1 0x0005 "hello" <padding> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::=
0x1 0x0005 "hello" 0x0 0x0... <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= complete and valid input
0x1 0x0005 "hello" 0x0 0x0... <server-response> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
0x1 0x0005 "hello" 0x0 0x0... 0x2 <length> <payload> <padding> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
0x1 0x0005 "hello" 0x0 0x0... 0x2 <uint16> <payload> <padding> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
0x1 0x0005 "hello" 0x0 0x0... 0x2 0x0005 "hello" 0x0 0x0... Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Language Specifications <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints Testing Mocking 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Monitoring
Where does the Language Come From? Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
0x1 0x5 "Hello" ... 0x1 0x4 "Dear" ... 0x1 0x5 "World" ... Synthesizing Language Specifications <client-request> ::= uint16(<length>) = Learning Grammars Learning Constraints Learn language speci fi cations from existing interactions Di ff erent I/O elements take di ff erent paths in processing program 0x1 0x5 "Hello" ... 0x1 <length> <payload> <padding> Synthesize predicates that match all observed values len(<payload>) Interactions Learner Language Spec Test Generator
Exploring Program Behavior Re fi ne language specs through generated tests Gradually negate constraints uint16(<length>) len(<payload>) uint16(<length>) = len(<payload>) => <client-request>.<payload> = <server-response>.<payload> Re fi ned language spec (and failure diagnosis) ≠ = uint16(<length>) ≥ len(<payload>) => str.prefixof(<server-response>.<payload>, <client-request>.<payload>, True) length no longer matches Interactions Learner Language Spec Test Generator length matches: payload is identical length is too high: payload di ff "hello" 0x1 0x2000 ... ... 0x2 0x2000 "hello0secret0password0"
Features on Demand "hello" ... <length> <payload> <length> <payload> <client-request> <server-response> <exchange> 0x1 0x2000 ... 0x2 0x2000 "hello0secret0password0" "37h%$" 0x1 0x5 ... "0" 0x1 0x1 ... "37h%$" 0x2 0x5 ... "0" 0x2 0x1 ... Learner Test Generator Perfect conditions for automated learners "${}" 0x1 0x3 ... "${}" 0x2 0x3 ... "" 0x1 0x0 ... "" 0x2 0x0 ... "'; --" 0x1 0x5 ... "'; --" 0x2 0x5 ...
AVICENNA Semantic Debugging Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000
AVICENNA Semantic Debugging Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000 Determine relevant input elements Determine failure- related properties Generate new inputs to re fi ne theory Negate constraints <length> <payload> <length> = 0x2000 <payload> = "hello" <length> ≠ 0x2000 <payload> ≠ "hello" "xyz" 0x1 0x0003
TABLE II AVICENNA DIAGNOSES VS. HUMAN DIAGNOSES Bug AVICENNA diagnosis (using ISLa syntax [13]) Expert Bug Description HeartBleed str.to.int(<length>) > str.len(<payload>) “Attackers can send Heartbeat requests with the value of the length field greater than the actual length of the payload” [37] grep.7aa698d3 exists <utf8> in <lc_all>: <utf8> = "UTF-8" and exists <ignore_case> in <general_options>: <ignore_case> = "-i" “If grep conducts a case-insensitive search (-i) on an input that contains multibyte characters and the locale is UTF8, then grep prints a match of incorrect length.” [36] grep.5fa8c7c9 exists <patterns> in <command>: <patterns> = "’’" and exists <utf8> in <lc_all>: inside(<utf8>, <lc_all>) and exists <fixed_string> in <cmd_1>: inside(<fixed_string>, <cmd_1>) “Searching with grep -F for an empty string in a multibyte locals [sic] would freeze grep.” [36] (Note: hfixed stringi expands to -F and --fixed-strings) grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) “Core dump with pattern ’(ˆ| )*( |$)’” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench)
grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) grep.3c3bdace exists <extended_regex> in <matcher_selection>: inside(<extended_regex>, <matcher_selection>) and exists <repetition> in <patterns>: <repetition> = "*" “Core dump with pattern ’(ˆ| )*( |$)’” [36] [and -E option] (Note: hextended regexi expands to -E and --extended-regexp) grep.3220317a exists <bracket_expr> in <first_expression>: inside(<bracket_expr>, <first_expression>) and exists <utf_characters> in <bracket_char>: inside(<utf_characters>, <bracket_char>) “Segmentation fault on multibyte character classes” [36] (Note: hbracket expri expands to [...] in a regular expression; hutf charactersi occur within hbracket chari, i.e. the characters within hbracket expri) find.07b941b1 exists <match_opts> in <find_expression>: <match_opts> = "-regex " and exists <character_expr_no_minus> in <first_expression>: <character_expr_no_minus> = "." “find segfaults when using -regex, for instance ./find -regex ’.*’” [36] find.091557f6 exists <file_properties> elem in <find_expression>: <file_properties> = "-type f" and exists <directory_name> elem_0 in <starting_dir_list>: inside(<directory_name>, <starting_dir_list>) “assertion failure on symbolic link loop: Let’s say we accidentally create a symlink loop $ mkdir tmp; cd tmp and $ ln -s a b; ln -s b a and use find to find files and follow symlinks inside the tmp- folder: ../find -L -type f” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench)
find.091557f6 exists <file_properties> elem in <find_expression>: <file_properties> = "-type f" and exists <directory_name> elem_0 in <starting_dir_list>: inside(<directory_name>, <starting_dir_list>) “assertion failure on symbolic link loop: Let’s say we accidentally create a symlink loop $ mkdir tmp; cd tmp and $ ln -s a b; ln -s b a and use find to find files and follow symlinks inside the tmp- folder: ../find -L -type f” [36] find.dbcb10e9 exists <digit> in <last_modified>: inside(<digit>, <last_modified>) and exists <numeric_arg> in <find_command>: inside(<numeric_arg>, <find_command>) “-mtime produces segmentation fault, e.g., ./find -mtime 2” [36] (Note: hlast modifiedi expands to -mtime) find.ff248a20 exists <ln_file> in <ln>: <ln_file> = "al_ln -s . link" and exists <find_expression_or_empty> in <command>: <find_expression_or_empty> = " -follow" “infinite loop with -follow; e.g., $ mkdir testingfindagain; ln -s . testingfindagain/symlink; ./find testingfindagain -follow” [36] For details on all DBGBench bugs (including expert bug descriptions), visit https://dbgbench.github.io/. For the HeartBleed description, see https://www.synopsys.com/blogs/software-security/heartbleed-bug/. Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench) At FSE 2023
Demo
Testing and Debugging Challenges Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
The Future of Software Development Bot #2 Debugger Bot #1 Tester Ursula UI Designer Bob Backend Developer Frederica Frontend Developer Omar Operator Bot #3 Monitor
Andreas Zeller • APR Launch Event • National University of Singapore • 2022-11-11 Joint work with Dominic Steinhöfel • Martin Eberlein • Lars Grunske Semantic Debugging Why and When Does My Program Fail? TABLE II AVICENNA DIAGNOSES VS. HUMAN DIAGNOSES Bug AVICENNA diagnosis (using ISLa syntax [13]) Expert Bug Description HeartBleed str.to.int(<length>) > str.len(<payload>) “Attackers can send Heartbeat requests with the value of the length field greater than the actual length of the payload” [37] grep.7aa698d3 exists <utf8> in <lc_all>: <utf8> = "UTF-8" and exists <ignore_case> in <general_options>: <ignore_case> = "-i" “If grep conducts a case-insensitive search (-i) on an input that contains multibyte characters and the locale is UTF8, then grep prints a match of incorrect length.” [36] grep.5fa8c7c9 exists <patterns> in <command>: <patterns> = "’’" and exists <utf8> in <lc_all>: inside(<utf8>, <lc_all>) and exists <fixed_string> in <cmd_1>: inside(<fixed_string>, <cmd_1>) “Searching with grep -F for an empty string in a multibyte locals [sic] would freeze grep.” [36] (Note: hfixed stringi expands to -F and --fixed-strings) grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) “Core dump with pattern ’(ˆ| )*( |$)’” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench) Features on Demand "hello" ... <length> <payload> <length> <payload> <client-request> <server-response> <exchange> 0x1 0x2000 ... 0x2 0x2000 "hello0secret0password0" "37h%$" 0x1 0x5 ... "0" 0x1 0x1 ... "37h%$" 0x2 0x5 ... "0" 0x2 0x1 ... Learner Test Generator Perfect conditions for automated learners "${}" 0x1 0x3 ... "${}" 0x2 0x3 ... "" 0x1 0x0 ... "" 0x2 0x0 ... "'; --" 0x1 0x5 ... "'; --" 0x2 0x5 ... Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Testing with Language Specs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints Testing Mocking 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Monitoring AVICENNA Learning Failure Circumstances Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000 Determine relevant input elements Determine failure- related properties Generate new inputs to refine theory Negate constraints <length> <payload> <length> = 0x2000 <payload> = "hello" <length> ≠ 0x2000 <payload> ≠ "hello" "xyz" 0x1 0x0003 @AndreasZeller
Backup Slides
The Fuzzing Book
The Debugging Book

Recommended

Mux loves Clickhouse. By Adam Brown, Mux founder
Mux loves Clickhouse. By Adam Brown, Mux founderMux loves Clickhouse. By Adam Brown, Mux founder
Mux loves Clickhouse. By Adam Brown, Mux founderAltinity Ltd
 
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...confluent
 
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...confluent
 
Introduction to Apache Flink - Fast and reliable big data processing
Introduction to Apache Flink - Fast and reliable big data processingIntroduction to Apache Flink - Fast and reliable big data processing
Introduction to Apache Flink - Fast and reliable big data processingTill Rohrmann
 
Spark Performance Tuning .pdf
Spark Performance Tuning .pdfSpark Performance Tuning .pdf
Spark Performance Tuning .pdfAmit Raj
 
Plny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesPlny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesDimas Prasetyo
 
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...Databricks
 
Spark Summit EU talk by Nimbus Goehausen
Spark Summit EU talk by Nimbus GoehausenSpark Summit EU talk by Nimbus Goehausen
Spark Summit EU talk by Nimbus GoehausenSpark Summit
 

Recommended

Mux loves Clickhouse. By Adam Brown, Mux founder
Mux loves Clickhouse. By Adam Brown, Mux founderMux loves Clickhouse. By Adam Brown, Mux founder
Mux loves Clickhouse. By Adam Brown, Mux founderAltinity Ltd
 
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...
Performance Analysis and Optimizations for Kafka Streams Applications (Guozha...confluent
 
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...
Performance Tuning RocksDB for Kafka Streams' State Stores (Dhruba Borthakur,...confluent
 
Introduction to Apache Flink - Fast and reliable big data processing
Introduction to Apache Flink - Fast and reliable big data processingIntroduction to Apache Flink - Fast and reliable big data processing
Introduction to Apache Flink - Fast and reliable big data processingTill Rohrmann
 
Spark Performance Tuning .pdf
Spark Performance Tuning .pdfSpark Performance Tuning .pdf
Spark Performance Tuning .pdfAmit Raj
 
Plny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesPlny12 galera-cluster-best-practices
Plny12 galera-cluster-best-practicesDimas Prasetyo
 
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...
ACID ORC, Iceberg, and Delta Lake—An Overview of Table Formats for Large Scal...Databricks
 
Spark Summit EU talk by Nimbus Goehausen
Spark Summit EU talk by Nimbus GoehausenSpark Summit EU talk by Nimbus Goehausen
Spark Summit EU talk by Nimbus GoehausenSpark Summit
 
Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Functional and non functional application logging
Functional and non functional application loggingFunctional and non functional application logging
Functional and non functional application loggingSander De Vos
 
카프카, 산전수전 노하우
카프카, 산전수전 노하우카프카, 산전수전 노하우
카프카, 산전수전 노하우if kakao
 
Performance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State StoresPerformance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State Storesconfluent
 
The Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter DeploymentThe Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter DeploymentFrederick Reiss
 
Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...Databricks
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevAltinity Ltd
 
Top 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark ApplicationsTop 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark ApplicationsSpark Summit
 
Performance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud EnvironmentsPerformance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud EnvironmentsDatabricks
 
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID TransactionsA Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactionsconfluent
 
Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?Brian Petrini
 
Top 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark ApplicationsTop 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark ApplicationsCloudera, Inc.
 
Making Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta LakeMaking Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta LakeDatabricks
 
Introduction to Actor Model and Akka
Introduction to Actor Model and AkkaIntroduction to Actor Model and Akka
Introduction to Actor Model and AkkaYung-Lin Ho
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3SANG WON PARK
 
S108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905dS108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905dTony Pearson
 
Oracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture PerformanceOracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture PerformanceEnkitec
 
Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®confluent
 
Getting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsGetting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsDatabricks
 
03 sockets
03 sockets03 sockets
03 socketsPavan Illa
 
FMS Administration Seminar
FMS Administration SeminarFMS Administration Seminar
FMS Administration SeminarYoss Cohen
 

More Related Content

What's hot

Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationshadooparchbook
 
Functional and non functional application logging
Functional and non functional application loggingFunctional and non functional application logging
Functional and non functional application loggingSander De Vos
 
카프카, 산전수전 노하우
카프카, 산전수전 노하우카프카, 산전수전 노하우
카프카, 산전수전 노하우if kakao
 
Performance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State StoresPerformance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State Storesconfluent
 
The Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter DeploymentThe Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter DeploymentFrederick Reiss
 
Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...Databricks
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevAltinity Ltd
 
Top 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark ApplicationsTop 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark ApplicationsSpark Summit
 
Performance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud EnvironmentsPerformance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud EnvironmentsDatabricks
 
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID TransactionsA Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactionsconfluent
 
Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?Brian Petrini
 
Top 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark ApplicationsTop 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark ApplicationsCloudera, Inc.
 
Making Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta LakeMaking Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta LakeDatabricks
 
Introduction to Actor Model and Akka
Introduction to Actor Model and AkkaIntroduction to Actor Model and Akka
Introduction to Actor Model and AkkaYung-Lin Ho
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarScyllaDB
 
Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3SANG WON PARK
 
S108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905dS108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905dTony Pearson
 
Oracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture PerformanceOracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture PerformanceEnkitec
 
Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®confluent
 
Getting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsGetting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsDatabricks
 

What's hot (20)

Top 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applicationsTop 5 mistakes when writing Spark applications
Top 5 mistakes when writing Spark applications
 
Functional and non functional application logging
Functional and non functional application loggingFunctional and non functional application logging
Functional and non functional application logging
 
카프카, 산전수전 노하우
카프카, 산전수전 노하우카프카, 산전수전 노하우
카프카, 산전수전 노하우
 
Performance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State StoresPerformance Tuning RocksDB for Kafka Streams’ State Stores
Performance Tuning RocksDB for Kafka Streams’ State Stores
 
The Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter DeploymentThe Five Stages of Enterprise Jupyter Deployment
The Five Stages of Enterprise Jupyter Deployment
 
Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...Building a Streaming Microservice Architecture: with Apache Spark Structured ...
Building a Streaming Microservice Architecture: with Apache Spark Structured ...
 
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander ZaitsevClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
ClickHouse in Real Life. Case Studies and Best Practices, by Alexander Zaitsev
 
Top 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark ApplicationsTop 5 Mistakes When Writing Spark Applications
Top 5 Mistakes When Writing Spark Applications
 
Performance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud EnvironmentsPerformance Analysis of Apache Spark and Presto in Cloud Environments
Performance Analysis of Apache Spark and Presto in Cloud Environments
 
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID TransactionsA Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
A Solution for Leveraging Kafka to Provide End-to-End ACID Transactions
 
Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?Think2018 2314-Microservices and BPM-can they coexist?
Think2018 2314-Microservices and BPM-can they coexist?
 
Top 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark ApplicationsTop 5 Mistakes to Avoid When Writing Apache Spark Applications
Top 5 Mistakes to Avoid When Writing Apache Spark Applications
 
Making Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta LakeMaking Apache Spark Better with Delta Lake
Making Apache Spark Better with Delta Lake
 
Introduction to Actor Model and Akka
Introduction to Actor Model and AkkaIntroduction to Actor Model and Akka
Introduction to Actor Model and Akka
 
Building an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache PulsarBuilding an Event Streaming Architecture with Apache Pulsar
Building an Event Streaming Architecture with Apache Pulsar
 
Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3Apache kafka performance(latency)_benchmark_v0.3
Apache kafka performance(latency)_benchmark_v0.3
 
S108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905dS108283 svc-storwize-lagos-v1905d
S108283 svc-storwize-lagos-v1905d
 
Oracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture PerformanceOracle GoldenGate Architecture Performance
Oracle GoldenGate Architecture Performance
 
Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®Tips & Tricks for Apache Kafka®
Tips & Tricks for Apache Kafka®
 
Getting Started with Databricks SQL Analytics
Getting Started with Databricks SQL AnalyticsGetting Started with Databricks SQL Analytics
Getting Started with Databricks SQL Analytics
 

Similar to Language-Based Testing and Debugging.pdf

FMS Administration Seminar
FMS Administration SeminarFMS Administration Seminar
FMS Administration SeminarYoss Cohen
 
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docx
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docxRunning Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docx
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docxcowinhelen
 
Java Networking
Java NetworkingJava Networking
Java NetworkingSunil OS
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in CDeepak Swain
 
Better Open Source Enterprise C++ Web Services
Better Open Source Enterprise C++ Web ServicesBetter Open Source Enterprise C++ Web Services
Better Open Source Enterprise C++ Web ServicesWSO2
 
Socket Programming - nitish nagar
Socket Programming - nitish nagarSocket Programming - nitish nagar
Socket Programming - nitish nagarNitish Nagar
 
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVMVoxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVMManuel Bernhardt
 
Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Eran Harel
 
Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features WSO2
 
Network Programming Clients
Network Programming ClientsNetwork Programming Clients
Network Programming ClientsAdil Jafri
 
15network Programming Clients
15network Programming Clients15network Programming Clients
15network Programming ClientsAdil Jafri
 

Similar to Language-Based Testing and Debugging.pdf (20)

03 sockets
03 sockets03 sockets
03 sockets
 
FMS Administration Seminar
FMS Administration SeminarFMS Administration Seminar
FMS Administration Seminar
 
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docx
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docxRunning Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docx
Running Head IMPLEMENTING THE LIST AND SEARCH FEATURES IN THE DIS.docx
 
Java Networking
Java NetworkingJava Networking
Java Networking
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
 
Python, do you even async?
Python, do you even async?Python, do you even async?
Python, do you even async?
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Better Open Source Enterprise C++ Web Services
Better Open Source Enterprise C++ Web ServicesBetter Open Source Enterprise C++ Web Services
Better Open Source Enterprise C++ Web Services
 
Socket Programming - nitish nagar
Socket Programming - nitish nagarSocket Programming - nitish nagar
Socket Programming - nitish nagar
 
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVMVoxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
Voxxed Days Vienna - The Why and How of Reactive Web-Applications on the JVM
 
Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)
 
web3j Overview
web3j Overviewweb3j Overview
web3j Overview
 
6 app-tcp
6 app-tcp6 app-tcp
6 app-tcp
 
Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features
 
Steps india technologies
Steps india technologiesSteps india technologies
Steps india technologies
 
Steps india technologies .com
Steps india technologies .comSteps india technologies .com
Steps india technologies .com
 
Sockets
SocketsSockets
Sockets
 
SDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLSSDAccel Design Contest: Vivado HLS
SDAccel Design Contest: Vivado HLS
 
Network Programming Clients
Network Programming ClientsNetwork Programming Clients
Network Programming Clients
 
15network Programming Clients
15network Programming Clients15network Programming Clients
15network Programming Clients
 

More from CISPA Helmholtz Center for Information Security

More from CISPA Helmholtz Center for Information Security (19)

Digital Networking and Community
Digital Networking and CommunityDigital Networking and Community
Digital Networking and Community
 
Fuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two CulturesFuzzing - A Tale of Two Cultures
Fuzzing - A Tale of Two Cultures
 
Illustrated Code (ASE 2021)
Illustrated Code (ASE 2021)Illustrated Code (ASE 2021)
Illustrated Code (ASE 2021)
 
On Impact in Software Engineering Research (HU Berlin 2021)
On Impact in Software Engineering Research (HU Berlin 2021)On Impact in Software Engineering Research (HU Berlin 2021)
On Impact in Software Engineering Research (HU Berlin 2021)
 
On Impact in Software Engineering Research (Dagstuhl 2020)
On Impact in Software Engineering Research (Dagstuhl 2020)On Impact in Software Engineering Research (Dagstuhl 2020)
On Impact in Software Engineering Research (Dagstuhl 2020)
 
Fast and Effective Fuzz Testing (Facebook TAV 2019)
Fast and Effective Fuzz Testing (Facebook TAV 2019)Fast and Effective Fuzz Testing (Facebook TAV 2019)
Fast and Effective Fuzz Testing (Facebook TAV 2019)
 
Software-Tests automatisch erzeugen: Frische Ansätze für Forschung, Praxis un...
Software-Tests automatisch erzeugen: Frische Ansätze für Forschung, Praxis un...Software-Tests automatisch erzeugen: Frische Ansätze für Forschung, Praxis un...
Software-Tests automatisch erzeugen: Frische Ansätze für Forschung, Praxis un...
 
On impact in Software Engineering Research (ICSE 2018 New Faculty Symposium)
On impact in Software Engineering Research (ICSE 2018 New Faculty Symposium)On impact in Software Engineering Research (ICSE 2018 New Faculty Symposium)
On impact in Software Engineering Research (ICSE 2018 New Faculty Symposium)
 
On Impact in Software Engineering Research
On Impact in Software Engineering ResearchOn Impact in Software Engineering Research
On Impact in Software Engineering Research
 
Twelve tips on how to prepare an ERC grant proposal
Twelve tips on how to prepare an ERC grant proposalTwelve tips on how to prepare an ERC grant proposal
Twelve tips on how to prepare an ERC grant proposal
 
Getting your work funded
Getting your work fundedGetting your work funded
Getting your work funded
 
Learning from 6,000 projects mining specifications in the large
Learning from 6,000 projects mining specifications in the largeLearning from 6,000 projects mining specifications in the large
Learning from 6,000 projects mining specifications in the large
 
Debugging Debugging
Debugging DebuggingDebugging Debugging
Debugging Debugging
 
Seeding Bugs To Find Bugs
Seeding Bugs To Find BugsSeeding Bugs To Find Bugs
Seeding Bugs To Find Bugs
 
Mining Processes
Mining ProcessesMining Processes
Mining Processes
 
Mining Programs
Mining ProgramsMining Programs
Mining Programs
 
Getting your paper accepted (at ISSTA 2008)
Getting your paper accepted (at ISSTA 2008)Getting your paper accepted (at ISSTA 2008)
Getting your paper accepted (at ISSTA 2008)
 
Woher kommen Software-Fehler?
Woher kommen Software-Fehler?Woher kommen Software-Fehler?
Woher kommen Software-Fehler?
 
Do Bugs Reside in Complex Code?
Do Bugs Reside in Complex Code?Do Bugs Reside in Complex Code?
Do Bugs Reside in Complex Code?
 

Recently uploaded

Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 

Recently uploaded (20)

Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 

Language-Based Testing and Debugging.pdf

  • 1. Andreas Zeller • DEBT Workshop • 2023-07-17 Joint work with Dominic Steinhöfel • Martin Eberlein • Lars Grunske Language-Based Testing and Debugging Why and When Does My Program Fail?
  • 2. Testing Challenges program inputs program outputs Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 3. Testing and Debugging Challenges program inputs program outputs Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 4. Testing and Debugging Challenges Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 5. Testing the SSL/TLS Heartbeat Protocol 0x1 0x5 "Hello" ... 0x2 0x5 "Hello" ... Client Server payload must be identical
  • 6. Testing the SSL/TLS Heartbeat Protocol 0x1 <length> <payload> <padding> 0x2 <length> <payload> <padding> Client Server
  • 7. Testing the SSL/TLS Heartbeat Protocol 0x2 <length> <payload> <padding> <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <length> ::= <uint16> length must match ... 0x1 <length> <payload> <padding> <client-request> ::= payload must be identical <server-response> ::= Client Server
  • 8. Specifying Languages <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= length must match payload must be identical syntax alone does not su ffi • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints <exchange>
  • 9. ISLa Language Numbers uint16(<id>) = str.len(<name>) + str.len(<email>) + 2 Strings str.suffixof(<email>, '@cispa.de', True) Based on SMT-LIB Theories Booleans str.len(<email>) > 4096 and str.contains(<email>, '0', True) Quanti fi ers exists <option> in <command_line>: <option> = '--config' or <option> = '-C' S-Expressions (>= (str.len <buffer> 4096)) • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints
  • 10. ISLa Usage Fuzzing $ isla solve grammar.bnf --constraint 'str.len(<payload>) > 65536' Checking $ isla find customers.bnf --constraint '<company> = "CISPA"' *.csv Command Line + Python API Mutating $ isla mutate grammar.bnf spec.isla input.txt Repairing $ isla repair grammar.bnf spec.isla input.txt Python API from isla import ISLaSolver • A language to specify inputs (and outputs) • A fuzzer to produce inputs that are valid syntactically and semantically • A checker to parse, check, mutate, and repair inputs according to constraints
  • 11. Specifying Languages <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange>
  • 12. Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <client-request> <server-response>
  • 13. Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <client-request> <server-response>
  • 14. <client-request> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <server-response>
  • 15. <client-request> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <length> <payload> <padding> 0x1
  • 16. <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <exchange> <length> <payload> <padding> 0x1 <client-request>
  • 17. <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <length> <payload> <padding> 0x1
  • 18. Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <server-response> <length> <payload> <padding> 0x1 <uint16>
  • 19. Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= <server-response> <length> <payload> <padding> 0x1 <uint16>
  • 20. 0x1 0x0005 <payload> <padding> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::=
  • 21. 0x1 0x0005 "hello" <padding> <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::=
  • 22. 0x1 0x0005 "hello" 0x0 0x0... <server-response> Producing Inputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= complete and valid input
  • 23. 0x1 0x0005 "hello" 0x0 0x0... <server-response> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
  • 24. 0x1 0x0005 "hello" 0x0 0x0... 0x2 <length> <payload> <padding> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
  • 25. 0x1 0x0005 "hello" 0x0 0x0... 0x2 <uint16> <payload> <padding> Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= 0x0005 "hello" 0x2 0x0 0x0...
  • 26. 0x1 0x0005 "hello" 0x0 0x0... 0x2 0x0005 "hello" 0x0 0x0... Parsing Outputs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 27. Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Language Specifications <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints Testing Mocking 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Monitoring
  • 28.
  • 29. Where does the Language Come From? Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 30. 0x1 0x5 "Hello" ... 0x1 0x4 "Dear" ... 0x1 0x5 "World" ... Synthesizing Language Specifications <client-request> ::= uint16(<length>) = Learning Grammars Learning Constraints Learn language speci fi cations from existing interactions Di ff erent I/O elements take di ff erent paths in processing program 0x1 0x5 "Hello" ... 0x1 <length> <payload> <padding> Synthesize predicates that match all observed values len(<payload>) Interactions Learner Language Spec Test Generator
  • 31. Exploring Program Behavior Re fi ne language specs through generated tests Gradually negate constraints uint16(<length>) len(<payload>) uint16(<length>) = len(<payload>) => <client-request>.<payload> = <server-response>.<payload> Re fi ned language spec (and failure diagnosis) ≠ = uint16(<length>) ≥ len(<payload>) => str.prefixof(<server-response>.<payload>, <client-request>.<payload>, True) length no longer matches Interactions Learner Language Spec Test Generator length matches: payload is identical length is too high: payload di ff "hello" 0x1 0x2000 ... ... 0x2 0x2000 "hello0secret0password0"
  • 32. Features on Demand "hello" ... <length> <payload> <length> <payload> <client-request> <server-response> <exchange> 0x1 0x2000 ... 0x2 0x2000 "hello0secret0password0" "37h%$" 0x1 0x5 ... "0" 0x1 0x1 ... "37h%$" 0x2 0x5 ... "0" 0x2 0x1 ... Learner Test Generator Perfect conditions for automated learners "${}" 0x1 0x3 ... "${}" 0x2 0x3 ... "" 0x1 0x0 ... "" 0x2 0x0 ... "'; --" 0x1 0x5 ... "'; --" 0x2 0x5 ...
  • 33. AVICENNA Semantic Debugging Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000
  • 34. AVICENNA Semantic Debugging Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000 Determine relevant input elements Determine failure- related properties Generate new inputs to re fi ne theory Negate constraints <length> <payload> <length> = 0x2000 <payload> = "hello" <length> ≠ 0x2000 <payload> ≠ "hello" "xyz" 0x1 0x0003
  • 35. TABLE II AVICENNA DIAGNOSES VS. HUMAN DIAGNOSES Bug AVICENNA diagnosis (using ISLa syntax [13]) Expert Bug Description HeartBleed str.to.int(<length>) > str.len(<payload>) “Attackers can send Heartbeat requests with the value of the length field greater than the actual length of the payload” [37] grep.7aa698d3 exists <utf8> in <lc_all>: <utf8> = "UTF-8" and exists <ignore_case> in <general_options>: <ignore_case> = "-i" “If grep conducts a case-insensitive search (-i) on an input that contains multibyte characters and the locale is UTF8, then grep prints a match of incorrect length.” [36] grep.5fa8c7c9 exists <patterns> in <command>: <patterns> = "’’" and exists <utf8> in <lc_all>: inside(<utf8>, <lc_all>) and exists <fixed_string> in <cmd_1>: inside(<fixed_string>, <cmd_1>) “Searching with grep -F for an empty string in a multibyte locals [sic] would freeze grep.” [36] (Note: hfixed stringi expands to -F and --fixed-strings) grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) “Core dump with pattern ’(ˆ| )*( |$)’” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench)
  • 36. grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) grep.3c3bdace exists <extended_regex> in <matcher_selection>: inside(<extended_regex>, <matcher_selection>) and exists <repetition> in <patterns>: <repetition> = "*" “Core dump with pattern ’(ˆ| )*( |$)’” [36] [and -E option] (Note: hextended regexi expands to -E and --extended-regexp) grep.3220317a exists <bracket_expr> in <first_expression>: inside(<bracket_expr>, <first_expression>) and exists <utf_characters> in <bracket_char>: inside(<utf_characters>, <bracket_char>) “Segmentation fault on multibyte character classes” [36] (Note: hbracket expri expands to [...] in a regular expression; hutf charactersi occur within hbracket chari, i.e. the characters within hbracket expri) find.07b941b1 exists <match_opts> in <find_expression>: <match_opts> = "-regex " and exists <character_expr_no_minus> in <first_expression>: <character_expr_no_minus> = "." “find segfaults when using -regex, for instance ./find -regex ’.*’” [36] find.091557f6 exists <file_properties> elem in <find_expression>: <file_properties> = "-type f" and exists <directory_name> elem_0 in <starting_dir_list>: inside(<directory_name>, <starting_dir_list>) “assertion failure on symbolic link loop: Let’s say we accidentally create a symlink loop $ mkdir tmp; cd tmp and $ ln -s a b; ln -s b a and use find to find files and follow symlinks inside the tmp- folder: ../find -L -type f” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench)
  • 37. find.091557f6 exists <file_properties> elem in <find_expression>: <file_properties> = "-type f" and exists <directory_name> elem_0 in <starting_dir_list>: inside(<directory_name>, <starting_dir_list>) “assertion failure on symbolic link loop: Let’s say we accidentally create a symlink loop $ mkdir tmp; cd tmp and $ ln -s a b; ln -s b a and use find to find files and follow symlinks inside the tmp- folder: ../find -L -type f” [36] find.dbcb10e9 exists <digit> in <last_modified>: inside(<digit>, <last_modified>) and exists <numeric_arg> in <find_command>: inside(<numeric_arg>, <find_command>) “-mtime produces segmentation fault, e.g., ./find -mtime 2” [36] (Note: hlast modifiedi expands to -mtime) find.ff248a20 exists <ln_file> in <ln>: <ln_file> = "al_ln -s . link" and exists <find_expression_or_empty> in <command>: <find_expression_or_empty> = " -follow" “infinite loop with -follow; e.g., $ mkdir testingfindagain; ln -s . testingfindagain/symlink; ./find testingfindagain -follow” [36] For details on all DBGBench bugs (including expert bug descriptions), visit https://dbgbench.github.io/. For the HeartBleed description, see https://www.synopsys.com/blogs/software-security/heartbleed-bug/. Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench) At FSE 2023
  • 38. Demo
  • 39. Testing and Debugging Challenges Language problem } Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
  • 40. The Future of Software Development Bot #2 Debugger Bot #1 Tester Ursula UI Designer Bob Backend Developer Frederica Frontend Developer Omar Operator Bot #3 Monitor
  • 41. Andreas Zeller • APR Launch Event • National University of Singapore • 2022-11-11 Joint work with Dominic Steinhöfel • Martin Eberlein • Lars Grunske Semantic Debugging Why and When Does My Program Fail? TABLE II AVICENNA DIAGNOSES VS. HUMAN DIAGNOSES Bug AVICENNA diagnosis (using ISLa syntax [13]) Expert Bug Description HeartBleed str.to.int(<length>) > str.len(<payload>) “Attackers can send Heartbeat requests with the value of the length field greater than the actual length of the payload” [37] grep.7aa698d3 exists <utf8> in <lc_all>: <utf8> = "UTF-8" and exists <ignore_case> in <general_options>: <ignore_case> = "-i" “If grep conducts a case-insensitive search (-i) on an input that contains multibyte characters and the locale is UTF8, then grep prints a match of incorrect length.” [36] grep.5fa8c7c9 exists <patterns> in <command>: <patterns> = "’’" and exists <utf8> in <lc_all>: inside(<utf8>, <lc_all>) and exists <fixed_string> in <cmd_1>: inside(<fixed_string>, <cmd_1>) “Searching with grep -F for an empty string in a multibyte locals [sic] would freeze grep.” [36] (Note: hfixed stringi expands to -F and --fixed-strings) grep.c96b0f2c exists <regex_> in <patterns>: <regex_> = "ˆ$" and (exists <ignore_case> in <matching_control>: inside(<ignore_case>, <matching_control>) or exists <line_no> in <output_line_prefix_control>: inside(<line_no>, <output_line_prefix_control>)) “Options -i and -n will not work when applied to an empty line” [36] [in a UTF-8 locale] (Note: hignore casei expands to -i and --ignore-case; hline noi expands to -n and --line-number) “Core dump with pattern ’(ˆ| )*( |$)’” [36] Some Benchmark Results Subject AVICENNA Diagnosis Expert Diagnosis (from DBGBench) Features on Demand "hello" ... <length> <payload> <length> <payload> <client-request> <server-response> <exchange> 0x1 0x2000 ... 0x2 0x2000 "hello0secret0password0" "37h%$" 0x1 0x5 ... "0" 0x1 0x1 ... "37h%$" 0x2 0x5 ... "0" 0x2 0x1 ... Learner Test Generator Perfect conditions for automated learners "${}" 0x1 0x3 ... "${}" 0x2 0x3 ... "" 0x1 0x0 ... "" 0x2 0x0 ... "'; --" 0x1 0x5 ... "'; --" 0x2 0x5 ... Test generation problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Oracle problem / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / Testing with Language Specs <length> ::= <uint16> <payload> ::= <byte>* <padding> ::= <byte>* <exchange> ::= <client-request> <server-response> uint16(<length>) = len(<payload>) <client-request>.<payload> = <server-response>.<payload> Syntax I/O Grammar Semantics Constraints Testing Mocking 0x1 <length> <payload> <padding> <client-request> ::= 0x2 <length> <payload> <padding> <server-response> ::= Monitoring AVICENNA Learning Failure Circumstances Input Language Spec Failure Circumstances <client-request> ::= 0x1 <length> <payload> uint16(<length>) > len(<payload>) Failing Inputs "hello" 0x1 0x2000 Determine relevant input elements Determine failure- related properties Generate new inputs to refine theory Negate constraints <length> <payload> <length> = 0x2000 <payload> = "hello" <length> ≠ 0x2000 <payload> ≠ "hello" "xyz" 0x1 0x0003 @AndreasZeller