SlideShare una empresa de Scribd logo

Software testing and concolic execution LSE 2013

Jonathan Salwan
Jonathan Salwan

Software testing and concolic execution LSE 2013

TecnologíaEducación
1 de 52
Descargar para leer sin conexión
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Software testing and concolic execution Jonathan Salwan LSE Summer Week 2013 July 18, 2013 Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End About me Who I am : Jonathan Salwan Where I work : Sysdream What is my job : R&D Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Definition From Wikipedia: Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Bug impact - $100 Billion per year in Europe - Rocket Arianne V : $370 Million - Therac-25 (Radiotherapy) : People died... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Certifications - ISO/IEC 9126 : Software engineering - Product quality - SGS : Certification services from SGS demonstrate that your products, processes, systems or services are compliant with national and international regulations and standards. - ED-12C/DO-178C : Software Considerations in Airborne Systems and Equipment Certification Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing statistics Fast Intelligent Code coverage Manual test KO OK OK Automatic test OK KO KO Formal proof KO OK OK Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting To find bugs, we have several methodologies. - White box - Black box - Pattern matching - Dumb fuzzing - In-memory fuzzing - ... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing White box PHP 5.3.6 - Stack buffer overflow in socket connect (CVE-2011-1938) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Black box Most vulnerabilities are found in private softwares thanks to black box fuzzing - Same idea than white box fuzzing - Need to skill++ in assembly - Really more time consuming than white box fuzzing Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Pattern matching Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing The idea is to fuzz the program with semi-random data (based on a specification of the fileformat/protocol/whatever) 1 Focus a specific RFC (Ex: http, ftp, pdf, png...) 2 Send semi-random data based on the RFC’s fields. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing - http server Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing The idea of this method is to instrument directly the target application’s code to fuzz it. Here are the different steps: 1 Break before and after the target function 2 Save the context execution 3 Send semi-random data 4 Restore the execution context previously saved 5 Repeat until a crash is triggered Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Call graph Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Concept Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Manual vs automatic testing With the classical automatic tests it’s difficult to detect some bugs : - Info leaks - All overflows without crashs - Design errors - ... Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concrete execution The concrete execution is the execution of a real program. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution The symbolic execution is used to determine a time T all conditions necessary to take the branch or not. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Three possible paths. One path for True and two paths for False. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Concolic execution is a technic that uses both symbolic and concrete execution to solve a constraint path. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 IR and constraints solver Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind Valgrind is an instrumentation framework for building dynamic analysis tools. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX VEX is the Valgrind’s intermediate language. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX sample Instruction: add eax, ebx t3 = GET:I32(0) # get %eax, a 32-bit integer (t3 = eax) t2 = GET:I32(12) # get %ebx, a 32-bit integer (t2 = ebx) t1 = Add32(t3,t2) # t1 = addl(eax, ebx) PUT(0) = t1 # put %eax (eax = t1) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 Z3 is a high-performance theorem prover developed by Microsoft. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Example $ cat ./ex.py from z3 import * x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) + (3 - (2 * 12)) == 0x30) print s.check() print s.model() $ ./ex.py sat [x = 16] Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Why ? We will use it to solve all the constraints from our VEX’s output. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Proof of concept Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 PoC for fun Last summer, with my friends Ahmed Bougacha and Pierre Collet, we worked on a concolic PoC just for fun. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Goal Objectif : Solve this dumb crackme Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Plan 1 Taint the user input (via Valgrind) 2 Spread the taints (via Valgrind) 3 Save all constraints (via Valgrind) 4 Solve all constraints (via Z3) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - Diagram Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind With valgrind we can add a Pre and Post syscall handler. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind static void pre_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs){ } static void post_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs, SysRes res){ } static void init(void) { VG_(details_name) ("Taminoo"); VG_(details_version) (NULL); VG_(details_description) ("Taint analysis poc"); [...] VG_(basic_tool_funcs) (init, instrument, fini); [...] VG_(needs_syscall_wrapper) (pre_syscall, post_syscall); } VG_DETERMINE_INTERFACE_VERSION(init) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints To propagate correctly the taints, we instrument each instruction of the binary. If it is a GET, LOAD, PUT or STORE instruction we spread the taints. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints The variable a is tainted. When b = a and c = b, b and c will also be tainted because they can be controlled via a. uint32_t a, b, c; a = atoi(user_input); b = a; /* b is tainted */ c = b; /* c is tainted */ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints - in Valgrind switch (st->tag) { case Ist_Store: INSERT_DIRTY(helper_store, /* dst_addr */ st->Ist.Store.addr, /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Store.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Store.data)); break; case Ist_Put: INSERT_DIRTY(helper_put, /* dst_reg */ mkIRExpr_HWord(st->Ist.Put.offset), /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Put.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Put.data)); break; case Iex_Get: INSERT_DIRTY(helper_get, /* dst_tmp */ mkIRExpr_HWord(dst), /* src_reg */ mkIRExpr_HWord(data->Iex.Get.offset), /* size */ mkIRExpr_HWord(sizeofIRType(data->Iex.Get.ty))); break; case Iex_Load: INSERT_DIRTY(helper_load, /* dst_tmp */ mkIRExpr_HWord(st->Ist.WrTmp.tmp), /* src_addr */ st->Ist.WrTmp.data->Iex.Load.addr, /* size */ INSERT_TYPE_SIZE(data->Iex.Load.ty)); break; [...] } Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - Output ==14567== #1:8 = Read(4,0) #2:8 = Read(4,1) #3:8 = Read(4,2) #4:8 = Read(4,3) #5:32 = 8Uto32(#1:8) #6:32 = Xor32(#5:32,0x55) #7:8 = 32to8_0(#6:32) #8:8 = 32to8_1(#6:32) #9:8 = 32to8_2(#6:32) #10:8 = 32to8_3(#6:32) #11:32 = 8Uto32(#7:8) #12:8 = 32to8(#11:32) #13:1 = CmpEQ8(#12:8,0x30) = False #14:32 = 1Uto32(#13:1) #15:1 = 32to1(#14:32) Jump(#15:1) = False #6 freed #5 freed #14 freed #13 freed #12 freed #15 freed #11 freed #7 freed ==14567== Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Every constraint depends of the previous constraint. Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 All the constraints are converted using the Z3 syntax Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Original constraint The first constraint is : CmpEQ8(Xor32(Read(4,0),0x55),0x30) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Z3 pattern # First constraint in Z3 pattern x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) == 0x30) Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Concolic execution Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - All constraints solved C1 = CmpEQ8(Xor32(Read(4,0),0x55),0x30) = ’e’ C2 = CmpEQ8(Xor32(Read(4,1),0x55),0x39) = ’l’ C3 = CmpEQ8(Xor32(Read(4,2),0x55),0x3c) = ’i’ C4 = CmpEQ8(Xor32(Read(4,3),0x55),0x21) = ’t’ C5 = CmpEQ8(Xor32(Read(4,4),0x55),0x30) = ’e’ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Extra Blog post : http://shell-storm.org/blog/Concolic-execution-taint-analysis- with-valgrind-and-constraints-path-solver-with-z3/ Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Questions ? Questions ? Jonathan Salwan Software testing and concolic execution
About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Thanks ! http://sbxc.org http://twitter.com/JonathanSalwan Jonathan Salwan Software testing and concolic execution

Recomendados

Investigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesInvestigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesThe University of Adelaide
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...The University of Adelaide
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesFabio Rosato
 
PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)Shauvik Roy Choudhary, Ph.D.
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsСергей Гоменюк
 
What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)Yuriy Tymchuk
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asidePVS-Studio
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Sung Kim
 

Recomendados

Investigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesInvestigating Code Review Practices in Defective Files
Investigating Code Review Practices in Defective FilesThe University of Adelaide
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...The University of Adelaide
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesFabio Rosato
 
PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)PhD Dissertation Defense (April 2015)
PhD Dissertation Defense (April 2015)Shauvik Roy Choudhary, Ph.D.
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsСергей Гоменюк
 
What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)What if Clippy Would Criticize Your Code? (benevol2015)
What if Clippy Would Criticize Your Code? (benevol2015)Yuriy Tymchuk
 
Konstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asideKonstantin Knizhnik: static analysis, a view from aside
Konstantin Knizhnik: static analysis, a view from asidePVS-Studio
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Sung Kim
 
Automatic testing in DevOps
Automatic testing in DevOpsAutomatic testing in DevOps
Automatic testing in DevOpsBenoit Baudry
 
Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Qualityguest268ee8
 
Videos about static code analysis
Videos about static code analysisVideos about static code analysis
Videos about static code analysisPVS-Studio
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Processgsporar
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Raffi Khatchadourian
 
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsMaster the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsRafael Chinelato Del Nero
 
National software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesNational software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesFergal Hynes
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Joe Ferguson
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsChunyang Chen
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Peter Kofler
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Peter Kofler
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect PredictionSung Kim
 
An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...corpaulbezemer
 
QA for lecture 15.pptx
QA for lecture 15.pptxQA for lecture 15.pptx
QA for lecture 15.pptxMuneerUmar3
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaivibrantuser
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...vibrantuser
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...jeromevdl
 
Software Horticulture
Software HorticultureSoftware Horticulture
Software HorticultureJieren Chen
 

Más contenido relacionado

La actualidad más candente

Automatic testing in DevOps
Automatic testing in DevOpsAutomatic testing in DevOps
Automatic testing in DevOpsBenoit Baudry
 
Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Qualityguest268ee8
 
Videos about static code analysis
Videos about static code analysisVideos about static code analysis
Videos about static code analysisPVS-Studio
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Processgsporar
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Raffi Khatchadourian
 
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsMaster the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsRafael Chinelato Del Nero
 
National software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesNational software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesFergal Hynes
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Joe Ferguson
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsChunyang Chen
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Peter Kofler
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Peter Kofler
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect PredictionSung Kim
 

La actualidad más candente (13)

Automatic testing in DevOps
Automatic testing in DevOpsAutomatic testing in DevOps
Automatic testing in DevOps
 
Assessing Unit Test Quality
Assessing Unit Test QualityAssessing Unit Test Quality
Assessing Unit Test Quality
 
Videos about static code analysis
Videos about static code analysisVideos about static code analysis
Videos about static code analysis
 
Peer Code Review An Agile Process
Peer Code Review An Agile ProcessPeer Code Review An Agile Process
Peer Code Review An Agile Process
 
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...Proactive Empirical Assessment of New Language Feature Adoption via Automated...
Proactive Empirical Assessment of New Language Feature Adoption via Automated...
 
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful BugsMaster the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
Master the Concepts Behind the Java 10 Challenges and Eliminate Stressful Bugs
 
National software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynesNational software testing conference 2016 fergal hynes
National software testing conference 2016 fergal hynes
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™
 
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A DiscussionsWhat's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
What's Spain's Paris? Mining Analogical Libraries from Q&A Discussions
 
Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)Concepts of Functional Programming for Java Brains (2010)
Concepts of Functional Programming for Java Brains (2010)
 
Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)Practical (J)Unit Testing (2009)
Practical (J)Unit Testing (2009)
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect Prediction
 

Similar a Software testing and concolic execution LSE 2013

An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...corpaulbezemer
 
QA for lecture 15.pptx
QA for lecture 15.pptxQA for lecture 15.pptx
QA for lecture 15.pptxMuneerUmar3
 
Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaivibrantuser
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...vibrantuser
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriagePositive Hack Days
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...jeromevdl
 
Software Horticulture
Software HorticultureSoftware Horticulture
Software HorticultureJieren Chen
 
Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)DotNetMarche
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Black box testing
Black box testingBlack box testing
Black box testingAbdul Basit
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
 
Black box testing lecture 11
Black box testing lecture 11Black box testing lecture 11
Black box testing lecture 11Abdul Basit
 
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcementSFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcementSouth Tyrol Free Software Conference
 
Concurrency and Parallelism with Scala
Concurrency and Parallelism with ScalaConcurrency and Parallelism with Scala
Concurrency and Parallelism with ScalaTimothy Perrett
 
Complexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote ConfComplexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote Confjessitron
 
How penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skillsHow penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skillsMarian Marinov
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsJonathan Hitchcock
 

Similar a Software testing and concolic execution LSE 2013 (20)

An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...An exploratory study of the state of practice of performance testing in Java-...
An exploratory study of the state of practice of performance testing in Java-...
 
QA for lecture 15.pptx
QA for lecture 15.pptxQA for lecture 15.pptx
QA for lecture 15.pptx
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Software testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbaiSoftware testing (2) trainingin-mumbai
Software testing (2) trainingin-mumbai
 
Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...Software testing (2) trainingin-mumbai...
Software testing (2) trainingin-mumbai...
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware TriageЭкспресс-анализ вредоносов / Crowdsourced Malware Triage
Экспресс-анализ вредоносов / Crowdsourced Malware Triage
 
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
Droidcon Paris 2013 - Musclez vos applications Android avec les outils du mon...
 
Software Horticulture
Software HorticultureSoftware Horticulture
Software Horticulture
 
Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)Refactoring 2TheMax (con ReSharper)
Refactoring 2TheMax (con ReSharper)
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Black box testing
Black box testingBlack box testing
Black box testing
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
Black box testing lecture 11
Black box testing lecture 11Black box testing lecture 11
Black box testing lecture 11
 
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcementSFSCON23 - Denver Gingerich - How do you really do GPL enforcement
SFSCON23 - Denver Gingerich - How do you really do GPL enforcement
 
Concurrency and Parallelism with Scala
Concurrency and Parallelism with ScalaConcurrency and Parallelism with Scala
Concurrency and Parallelism with Scala
 
Manual testing ppt
Manual testing pptManual testing ppt
Manual testing ppt
 
Complexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote ConfComplexity is Outside the Code, JS Remote Conf
Complexity is Outside the Code, JS Remote Conf
 
How penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skillsHow penetration testing techniques can help you improve your qa skills
How penetration testing techniques can help you improve your qa skills
 
Clearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad DecisionsClearly, I Have Made Some Bad Decisions
Clearly, I Have Made Some Bad Decisions
 

Más de Jonathan Salwan

How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Jonathan Salwan
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...Jonathan Salwan
 
Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach Jonathan Salwan
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 

Más de Jonathan Salwan (6)

How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes Dynamic Binary Analysis and Obfuscated Codes
Dynamic Binary Analysis and Obfuscated Codes
 
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
Sstic 2015 detailed_version_triton_concolic_execution_frame_work_f_saudel_jsa...
 
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
St hack2015 dynamic_behavior_analysis_using_binary_instrumentation_jonathan_s...
 
Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach Covering a function using a Dynamic Symbolic Execution approach
Covering a function using a Dynamic Symbolic Execution approach
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 

Último

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Último (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Software testing and concolic execution LSE 2013

  • 1. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Software testing and concolic execution Jonathan Salwan LSE Summer Week 2013 July 18, 2013 Jonathan Salwan Software testing and concolic execution
  • 2. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End About me Who I am : Jonathan Salwan Where I work : Sysdream What is my job : R&D Jonathan Salwan Software testing and concolic execution
  • 3. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing Jonathan Salwan Software testing and concolic execution
  • 4. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Definition From Wikipedia: Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test. Jonathan Salwan Software testing and concolic execution
  • 5. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Bug impact - $100 Billion per year in Europe - Rocket Arianne V : $370 Million - Therac-25 (Radiotherapy) : People died... Jonathan Salwan Software testing and concolic execution
  • 6. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Certifications - ISO/IEC 9126 : Software engineering - Product quality - SGS : Certification services from SGS demonstrate that your products, processes, systems or services are compliant with national and international regulations and standards. - ED-12C/DO-178C : Software Considerations in Airborne Systems and Equipment Certification Jonathan Salwan Software testing and concolic execution
  • 7. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Definition Bug impact Certifications Software testing statistics Software testing statistics Fast Intelligent Code coverage Manual test KO OK OK Automatic test OK KO KO Formal proof KO OK OK Jonathan Salwan Software testing and concolic execution
  • 8. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting Jonathan Salwan Software testing and concolic execution
  • 9. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Bugs hunting To find bugs, we have several methodologies. - White box - Black box - Pattern matching - Dumb fuzzing - In-memory fuzzing - ... Jonathan Salwan Software testing and concolic execution
  • 10. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing White box PHP 5.3.6 - Stack buffer overflow in socket connect (CVE-2011-1938) Jonathan Salwan Software testing and concolic execution
  • 11. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Black box Most vulnerabilities are found in private softwares thanks to black box fuzzing - Same idea than white box fuzzing - Need to skill++ in assembly - Really more time consuming than white box fuzzing Jonathan Salwan Software testing and concolic execution
  • 12. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Pattern matching Jonathan Salwan Software testing and concolic execution
  • 13. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing The idea is to fuzz the program with semi-random data (based on a specification of the fileformat/protocol/whatever) 1 Focus a specific RFC (Ex: http, ftp, pdf, png...) 2 Send semi-random data based on the RFC’s fields. Jonathan Salwan Software testing and concolic execution
  • 14. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Dumb fuzzing - http server Jonathan Salwan Software testing and concolic execution
  • 15. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing The idea of this method is to instrument directly the target application’s code to fuzz it. Here are the different steps: 1 Break before and after the target function 2 Save the context execution 3 Send semi-random data 4 Restore the execution context previously saved 5 Repeat until a crash is triggered Jonathan Salwan Software testing and concolic execution
  • 16. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Call graph Jonathan Salwan Software testing and concolic execution
  • 17. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing In-memory fuzzing - Concept Jonathan Salwan Software testing and concolic execution
  • 18. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Bugs hunting White box Black box Pattern matching Dumb fuzzing In-memory fuzzing Manual vs automatic testing Manual vs automatic testing With the classical automatic tests it’s difficult to detect some bugs : - Info leaks - All overflows without crashs - Design errors - ... Jonathan Salwan Software testing and concolic execution
  • 19. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Jonathan Salwan Software testing and concolic execution
  • 20. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concrete execution The concrete execution is the execution of a real program. Jonathan Salwan Software testing and concolic execution
  • 21. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution The symbolic execution is used to determine a time T all conditions necessary to take the branch or not. Jonathan Salwan Software testing and concolic execution
  • 22. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Jonathan Salwan Software testing and concolic execution
  • 23. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Symbolic execution - Example Three possible paths. One path for True and two paths for False. Jonathan Salwan Software testing and concolic execution
  • 24. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Concrete execution Symbolic execution Concolic execution Concolic execution Concolic execution is a technic that uses both symbolic and concrete execution to solve a constraint path. Jonathan Salwan Software testing and concolic execution
  • 25. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 IR and constraints solver Jonathan Salwan Software testing and concolic execution
  • 26. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind Valgrind is an instrumentation framework for building dynamic analysis tools. Jonathan Salwan Software testing and concolic execution
  • 27. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX VEX is the Valgrind’s intermediate language. Jonathan Salwan Software testing and concolic execution
  • 28. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Valgrind - VEX sample Instruction: add eax, ebx t3 = GET:I32(0) # get %eax, a 32-bit integer (t3 = eax) t2 = GET:I32(12) # get %ebx, a 32-bit integer (t2 = ebx) t1 = Add32(t3,t2) # t1 = addl(eax, ebx) PUT(0) = t1 # put %eax (eax = t1) Jonathan Salwan Software testing and concolic execution
  • 29. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 Z3 is a high-performance theorem prover developed by Microsoft. Jonathan Salwan Software testing and concolic execution
  • 30. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Example $ cat ./ex.py from z3 import * x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) + (3 - (2 * 12)) == 0x30) print s.check() print s.model() $ ./ex.py sat [x = 16] Jonathan Salwan Software testing and concolic execution
  • 31. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Valgrind Z3 Z3 - Why ? We will use it to solve all the constraints from our VEX’s output. Jonathan Salwan Software testing and concolic execution
  • 32. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Proof of concept Jonathan Salwan Software testing and concolic execution
  • 33. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 PoC for fun Last summer, with my friends Ahmed Bougacha and Pierre Collet, we worked on a concolic PoC just for fun. Jonathan Salwan Software testing and concolic execution
  • 34. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Goal Objectif : Solve this dumb crackme Jonathan Salwan Software testing and concolic execution
  • 35. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Plan 1 Taint the user input (via Valgrind) 2 Spread the taints (via Valgrind) 3 Save all constraints (via Valgrind) 4 Solve all constraints (via Z3) Jonathan Salwan Software testing and concolic execution
  • 36. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - Diagram Jonathan Salwan Software testing and concolic execution
  • 37. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind With valgrind we can add a Pre and Post syscall handler. Jonathan Salwan Software testing and concolic execution
  • 38. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Taint syscall entries - in Valgrind static void pre_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs){ } static void post_syscall(ThreadId tId, UInt syscall_number, UWord* args, UInt nArgs, SysRes res){ } static void init(void) { VG_(details_name) ("Taminoo"); VG_(details_version) (NULL); VG_(details_description) ("Taint analysis poc"); [...] VG_(basic_tool_funcs) (init, instrument, fini); [...] VG_(needs_syscall_wrapper) (pre_syscall, post_syscall); } VG_DETERMINE_INTERFACE_VERSION(init) Jonathan Salwan Software testing and concolic execution
  • 39. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints To propagate correctly the taints, we instrument each instruction of the binary. If it is a GET, LOAD, PUT or STORE instruction we spread the taints. Jonathan Salwan Software testing and concolic execution
  • 40. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints The variable a is tainted. When b = a and c = b, b and c will also be tainted because they can be controlled via a. uint32_t a, b, c; a = atoi(user_input); b = a; /* b is tainted */ c = b; /* c is tainted */ Jonathan Salwan Software testing and concolic execution
  • 41. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Spread the taints - in Valgrind switch (st->tag) { case Ist_Store: INSERT_DIRTY(helper_store, /* dst_addr */ st->Ist.Store.addr, /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Store.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Store.data)); break; case Ist_Put: INSERT_DIRTY(helper_put, /* dst_reg */ mkIRExpr_HWord(st->Ist.Put.offset), /* src_tmp */ INSERT_TMP_NUMBER(st->Ist.Put.data), /* size */ INSERT_EXPR_SIZE(st->Ist.Put.data)); break; case Iex_Get: INSERT_DIRTY(helper_get, /* dst_tmp */ mkIRExpr_HWord(dst), /* src_reg */ mkIRExpr_HWord(data->Iex.Get.offset), /* size */ mkIRExpr_HWord(sizeofIRType(data->Iex.Get.ty))); break; case Iex_Load: INSERT_DIRTY(helper_load, /* dst_tmp */ mkIRExpr_HWord(st->Ist.WrTmp.tmp), /* src_addr */ st->Ist.WrTmp.data->Iex.Load.addr, /* size */ INSERT_TYPE_SIZE(data->Iex.Load.ty)); break; [...] } Jonathan Salwan Software testing and concolic execution
  • 42. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - Output ==14567== #1:8 = Read(4,0) #2:8 = Read(4,1) #3:8 = Read(4,2) #4:8 = Read(4,3) #5:32 = 8Uto32(#1:8) #6:32 = Xor32(#5:32,0x55) #7:8 = 32to8_0(#6:32) #8:8 = 32to8_1(#6:32) #9:8 = 32to8_2(#6:32) #10:8 = 32to8_3(#6:32) #11:32 = 8Uto32(#7:8) #12:8 = 32to8(#11:32) #13:1 = CmpEQ8(#12:8,0x30) = False #14:32 = 1Uto32(#13:1) #15:1 = 32to1(#14:32) Jump(#15:1) = False #6 freed #5 freed #14 freed #13 freed #12 freed #15 freed #11 freed #7 freed ==14567== Jonathan Salwan Software testing and concolic execution
  • 43. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Every constraint depends of the previous constraint. Jonathan Salwan Software testing and concolic execution
  • 44. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Constraints - List Jonathan Salwan Software testing and concolic execution
  • 45. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 All the constraints are converted using the Z3 syntax Jonathan Salwan Software testing and concolic execution
  • 46. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Original constraint The first constraint is : CmpEQ8(Xor32(Read(4,0),0x55),0x30) Jonathan Salwan Software testing and concolic execution
  • 47. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Z3 pattern # First constraint in Z3 pattern x = BitVec(’x’, 32) s = Solver() s.add((x ^ 0x55) == 0x30) Jonathan Salwan Software testing and concolic execution
  • 48. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - Concolic execution Jonathan Salwan Software testing and concolic execution
  • 49. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Goal Plan Taint syscall entries Spread the taints Constraints Solve constraints with Z3 Solve constraints with Z3 - All constraints solved C1 = CmpEQ8(Xor32(Read(4,0),0x55),0x30) = ’e’ C2 = CmpEQ8(Xor32(Read(4,1),0x55),0x39) = ’l’ C3 = CmpEQ8(Xor32(Read(4,2),0x55),0x3c) = ’i’ C4 = CmpEQ8(Xor32(Read(4,3),0x55),0x21) = ’t’ C5 = CmpEQ8(Xor32(Read(4,4),0x55),0x30) = ’e’ Jonathan Salwan Software testing and concolic execution
  • 50. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Extra Blog post : http://shell-storm.org/blog/Concolic-execution-taint-analysis- with-valgrind-and-constraints-path-solver-with-z3/ Jonathan Salwan Software testing and concolic execution
  • 51. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Questions ? Questions ? Jonathan Salwan Software testing and concolic execution
  • 52. About me Software testing Bugs hunting Concolic execution IR and constraints solver Proof of concept End Extra Questions ? Thanks ! Thanks ! http://sbxc.org http://twitter.com/JonathanSalwan Jonathan Salwan Software testing and concolic execution