TY - GEN
T1 - S-Looper
T2 - 24th International Symposium on Software Testing and Analysis, ISSTA 2015
AU - Xie, Xiaofei
AU - Liu, Yang
AU - Le, Wei
AU - Li, Xiaohong
AU - Chen, Hongxu
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/7/13
Y1 - 2015/7/13
N2 - Loops are important yet most challenging program constructs to analyze for various program analysis tasks. Existing loop analysis techniques mainly handle well loops that contain only integer variables with a single path in the loop body. The key challenge in summarizing a multiple-path loop is that a loop traversal can yield a large number of possibilities due to the different execution orders of these paths located in the loop; when a loop contains a conditional branch related to string content, we potentially need to track every character in the string for loop summarization, which is expensive. In this paper, we propose an approach, named S-Looper, to automatically summarize a type of loops related to a string traversal. This type of loops can contain multiple paths, and the branch conditions in the loop can be related to string content. Our approach is to identify patterns of the string based on the branch conditions along each path in the loop. Based on such patterns, we then generate a loop summary that describes the path conditions of a loop traversal as well as the symbolic values of each variable at the exit of a loop. Combined with vulnerability conditions, we are thus able to generate test inputs that traverse a loop in a specific way and lead to exploitation. Our experiments show that handling such string loops can largely improve the buffer overflow detection capabilities of the existing symbolic analysis tool. We also compared our techniques with KLEE and PEX, and show that we can generate test inputs more effectively and efficiently.
AB - Loops are important yet most challenging program constructs to analyze for various program analysis tasks. Existing loop analysis techniques mainly handle well loops that contain only integer variables with a single path in the loop body. The key challenge in summarizing a multiple-path loop is that a loop traversal can yield a large number of possibilities due to the different execution orders of these paths located in the loop; when a loop contains a conditional branch related to string content, we potentially need to track every character in the string for loop summarization, which is expensive. In this paper, we propose an approach, named S-Looper, to automatically summarize a type of loops related to a string traversal. This type of loops can contain multiple paths, and the branch conditions in the loop can be related to string content. Our approach is to identify patterns of the string based on the branch conditions along each path in the loop. Based on such patterns, we then generate a loop summary that describes the path conditions of a loop traversal as well as the symbolic values of each variable at the exit of a loop. Combined with vulnerability conditions, we are thus able to generate test inputs that traverse a loop in a specific way and lead to exploitation. Our experiments show that handling such string loops can largely improve the buffer overflow detection capabilities of the existing symbolic analysis tool. We also compared our techniques with KLEE and PEX, and show that we can generate test inputs more effectively and efficiently.
UR - http://www.scopus.com/inward/record.url?scp=84975709172&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84975709172&partnerID=8YFLogxK
U2 - 10.1145/2771783.2771815
DO - 10.1145/2771783.2771815
M3 - Conference contribution
AN - SCOPUS:84975709172
T3 - 2015 International Symposium on Software Testing and Analysis, ISSTA 2015 - Proceedings
SP - 188
EP - 198
BT - 2015 International Symposium on Software Testing and Analysis, ISSTA 2015 - Proceedings
PB - Association for Computing Machinery, Inc
Y2 - 13 July 2015 through 17 July 2015
ER -