Program Analysis and Testing using Satisfiability Modulo Theories (Yandex, 2 October 2012, Moscow)
DESCRIPTION
Program Analysis and Testing using Satisfiability Modulo Theories. Yandex, 2 October 2012, Moscow. Nikolaj Bjørner, Senior Researcher, Microsoft Research. Agenda: Context: Software Engineering Research @ Microsoft; Application: Fuzzing and Test Case Generation.
TRANSCRIPT
Program Analysis and Testing using Satisfiability Modulo Theories
Yandex, 2 October 2012, Moscow
Nikolaj Bjørner, Senior Researcher, Microsoft Research
Agenda
Context: Software Engineering Research @ Microsoft
Application: Fuzzing and Test Case Generation
Application: Program Verification & Bit precise Analysis
Application: String analysis - Formal Language Theory for Security
Technology: Z3 An Efficient SMT Solver - Basics and Research
Propaganda: Software Engineering Research Tools
An Efficient SMT Solver
Team: Leonardo de Moura, Nikolaj Bjørner, Christoph Wintersteiger
Group: Research in Software Engineering. Improve Software Development Productivity
Organization: Microsoft Research. Research areas: Hardware and Devices; Health and Well-being; Human-computer Interaction; Information Retrieval & Management; Machine Learning; Security and Privacy; Social Science; Software Engineering; Biology; Communication & Collaboration; Computational Linguistics; Systems and Networking; Economics; Education; Gaming; Graphics and Multimedia; Theory. Microsoft Research Labs.
Company: R&D ~40000, Research: 1%
Fuzzing and Test Case Generation
SAGE
Internal. For Security Fuzzing
Runs on x86 instructionsExternal. For Developers
Runs on .NET code
Try it on: http://pex4fun.com
Finding security bugs before the hackers (black hat? Dr. Strangelove?)
Bug: ***433, 2/29/2012 3:41 PM, Edited by *****. SubStatus -> Local Fix
I think the fuzzers are starting to become sentient. We must crush them before it is too late.
In this case, the fuzzer figured out that if [X was between A and B then Y would get set to Z, triggering U and V to happen]. And if this fuzzer asks for the nuclear launch codes, don't tell it what they are.
SAGE by numbers
100s CPU-years - largest dedicated fuzz lab in the world
100s apps - fuzzed using SAGE
100s previously unknown bugs found
Billion+ computers updated with bug fixes
Millions of $ saved for Users and Microsoft
10s of related tools (incl. Pex), 100s DART citations
3+ Billion constraints - largest usage for any SMT solver
Adapted from [Patrice Godefroid, ISSTA 2010]
Test case generation
  unsigned GCD(unsigned x, unsigned y) {
      requires(y > 0);
      while (true) {
          unsigned m = x % y;
          if (m == 0) return y;
          x = y;
          y = m;
      }
  }
We want a trace where the loop is executed twice. Path condition, in SSA form:
  (y0 > 0) and
  (m0 = x0 % y0) and
  not (m0 = 0) and
  (x1 = y0) and
  (y1 = m0) and
  (m1 = x1 % y1) and
  (m1 = 0)
Solver: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0
Test Case Generation Procedure (diagram): Test Inputs (seed), Run Test and Monitor, Execution Path, Path Condition, Known Paths, Unexplored path, Constraint System, Solve, New input.
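The slide's path condition as an added, runnable example (not code from the talk or from Z3): the GCD loop instrumented to record the SSA trace of a run, a generator for the "loop body executes exactly n times" constraint (n = 2 reproduces the slide's formula), and a bounded enumeration that stands in for the SMT solver. The slide's model checks out against the constraint, and the enumeration finds the smaller model x0 = 1, y0 = 2; the variable names and the small search bound are assumptions of this example.

```python
from itertools import product

# Added example, not the slide's or Z3's code: the slide's GCD instrumented to
# record its SSA trace, the "loop runs exactly n times" path condition, and a
# bounded enumeration standing in for the SMT solver (names/bound assumed).
def gcd(x, y):
    """The slide's GCD; returns (result, SSA trace) for this concrete run."""
    assert y > 0                              # requires(y > 0)
    trace, i = {"x0": x, "y0": y}, 0
    while True:
        m = x % y
        trace[f"m{i}"] = m
        if m == 0:
            return y, trace
        x, y = y, m                           # x_{i+1} = y_i, y_{i+1} = m_i
        i += 1
        trace[f"x{i}"], trace[f"y{i}"] = x, y

def path_condition(n):
    """(text, predicate) conjuncts for executing the loop body exactly n times;
    n = 2 gives the slide's formula. Conjuncts are ordered so each y_i is
    known non-zero before a modulo by it is evaluated."""
    conds = [("y0 > 0", lambda v: v["y0"] > 0)]
    for i in range(n):
        conds.append((f"m{i} = x{i} % y{i}",
                      lambda v, i=i: v[f"m{i}"] == v[f"x{i}"] % v[f"y{i}"]))
        if i < n - 1:                         # branch taken: stay in the loop
            conds += [(f"not (m{i} = 0)", lambda v, i=i: v[f"m{i}"] != 0),
                      (f"x{i+1} = y{i}", lambda v, i=i: v[f"x{i+1}"] == v[f"y{i}"]),
                      (f"y{i+1} = m{i}", lambda v, i=i: v[f"y{i+1}"] == v[f"m{i}"])]
        else:                                 # last iteration: exit the loop
            conds.append((f"m{i} = 0", lambda v, i=i: v[f"m{i}"] == 0))
    return conds

def ssa_vars(n):
    return [f"{v}{i}" for i in range(n) for v in "xym"]   # x0, y0, m0, x1, ...

def satisfies(conds, model):
    return all(pred(model) for _, pred in conds)          # evaluated in order

def solve_bounded(conds, names, bound=5):
    """Naive stand-in for Z3: try every assignment with values below bound."""
    for values in product(range(bound), repeat=len(names)):
        model = dict(zip(names, values))
        if satisfies(conds, model):
            return model
    return None
```

Calling `solve_bounded(path_condition(2), ssa_vars(2))` yields a model whose x0, y0 drive `gcd` through exactly two loop iterations, which is the test input the slide's procedure is after.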
int binary_search(int[] arr, int low, int high, int key) while (low
100
mc(x) = mc(mc(x+11)) if x <= 100
assert (x <= 101 implies mc(x) = 91)
Research: Solving Horn Clauses
Krystof Hoder & Nikolaj Bjørner, SAT 2012
Bjørner, McMillan, Rybalchenko, SMT 2012
Research: Solving R Efficiently
A key idea: Use partial solution to guide the search. (Figure: Feasible Region. What is the core?)
Dejan Jovanović & Leonardo de Moura, IJCAR 2012
Propaganda
Core Expertise: Empirical Software Engineering; Foundations: Logic; Program Analysis: Performance, Reliability, Security; Programming Languages: Design & Implementation
http://rise4fun.com/z3py
Academic Interns
Summary
An outline of an efficient SMT solver
Efficient logic solver for SE tools tackling intractable problems
http://research.microsoft.com/projects/z3
Software Engineering Research @ Microsoft http://rise4fun.com
Academic internships http://research.microsoft.com/en-us/jobs/intern
Contact: http://research.microsoft.com/~nbjorner [email protected]