DOI: 10.1145/2771783.2771815

S-looper: automatic summarization for multipath string loops

Published: 13 July 2015

Abstract

Loops are important yet among the most challenging program constructs to analyze for many program analysis tasks. Existing loop analysis techniques mainly handle loops that contain only integer variables and a single path in the loop body. The key challenge in summarizing a multi-path loop is that one traversal of the loop can yield a very large number of possibilities, because the paths in the loop body can execute in many different orders; when a loop contains a conditional branch that depends on string content, we potentially need to track every character of the string to summarize the loop, which is expensive. In this paper, we propose an approach, named S-Looper, to automatically summarize a class of loops that traverse a string. Such loops can contain multiple paths, and the branch conditions in the loop can depend on string content. Our approach identifies patterns of the string based on the branch conditions along each path in the loop. From these patterns we generate a loop summary that describes the path conditions of a loop traversal as well as the symbolic values of each variable at the exit of the loop. Combined with vulnerability conditions, we can thus generate test inputs that traverse a loop in a specific way and lead to exploitation. Our experiments show that handling such string loops can substantially improve the buffer overflow detection capability of an existing symbolic analysis tool. We also compare our technique with KLEE and PEX, and show that we can generate test inputs more effectively and efficiently.
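The following C program is an added illustration of the idea in the abstract; it is not S-Looper's code nor the authors' implementation, and every identifier in it is hypothetical. It shows a string-traversal loop with three content-dependent paths (stop on newline, escape a quote or backslash with two output bytes, copy any other byte), a hand-written summary that gives the exit values of the loop counters as a function of how many times each path was taken (the interleaving order does not matter, which is what makes a count-based summary exact here), and how combining that summary with a vulnerability condition (output index past the buffer capacity) yields a concrete input that drives the real loop to the overflow point. The bounds checks inside the loop are only there so the harness can run it safely; they mark where an unchecked copy would write out of bounds.

```c
/* Added illustration, not S-Looper's code: a multi-path string loop, a
 * count-based summary of it, and a test input derived from that summary
 * plus a buffer-overflow condition. All identifiers are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 16             /* capacity of the destination buffer */
#define OVERFLOW ((size_t)-1)   /* escape_copy's "would have overflowed" */

/* Loop under analysis: copy src into out, escaping '"' and '\\'.
 * Each iteration takes one of three paths, chosen by string content:
 *   A: c == '\n'             -> leave the loop (writes nothing)
 *   B: c == '"' || c == '\\' -> write 2 bytes
 *   C: anything else         -> write 1 byte
 * The bounds checks are a harness addition; they report the point where
 * an unchecked copy would overflow `out`. */
static size_t escape_copy(const char *src, char *out, size_t out_cap) {
    size_t i = 0, j = 0;
    while (src[i] != '\0') {
        char c = src[i];
        if (c == '\n')
            break;                                   /* path A */
        if (c == '"' || c == '\\') {                 /* path B */
            if (j + 2 > out_cap) return OVERFLOW;
            out[j++] = '\\';
            out[j++] = c;
        } else {                                     /* path C */
            if (j + 1 > out_cap) return OVERFLOW;
            out[j++] = c;
        }
        i++;
    }
    return j;
}

/* Wrapper with a local OUT_SIZE-byte destination. */
static size_t run_copy(const char *src) {
    char out[OUT_SIZE];
    return escape_copy(src, out, OUT_SIZE);
}

/* Loop summary: exit values of i and j as a function of how often paths
 * B and C were taken. The order in which B and C interleave does not
 * change the exit state, so this count-based summary is exact. */
typedef struct { size_t i_exit; size_t j_exit; } loop_summary;

static loop_summary summarize(size_t n_escape, size_t n_plain) {
    loop_summary s;
    s.i_exit = n_escape + n_plain;
    s.j_exit = 2 * n_escape + n_plain;
    return s;
}

/* Vulnerability condition: j_exit > out_cap means the unchecked copy writes
 * past the buffer. Search the summary for the fewest iterations satisfying
 * it (a stand-in for handing the constraint to an SMT solver).
 * Returns that iteration count, or 0 if the condition is unsatisfiable. */
static size_t find_overflow_counts(size_t out_cap, size_t *n_escape, size_t *n_plain) {
    size_t best = 0;
    for (size_t e = 0; e <= out_cap + 1; e++)
        for (size_t p = 0; p <= out_cap + 1; p++)
            if (summarize(e, p).j_exit > out_cap && (best == 0 || e + p < best)) {
                best = e + p; *n_escape = e; *n_plain = p;
            }
    return best;
}

/* Realise the counts as a concrete input satisfying each path's branch
 * condition: n_escape quote characters followed by n_plain letters. */
static size_t build_input(size_t n_escape, size_t n_plain, char *buf, size_t cap) {
    if (n_escape + n_plain + 1 > cap) return 0;
    memset(buf, '"', n_escape);
    memset(buf + n_escape, 'a', n_plain);
    buf[n_escape + n_plain] = '\0';
    return n_escape + n_plain;
}

/* End to end: derive the input from the summary and confirm on the real loop
 * that it reaches the overflow point. Returns the iteration count, or 0. */
static size_t summary_finds_overflow(void) {
    size_t e, p;
    char in[64];
    size_t iters = find_overflow_counts(OUT_SIZE, &e, &p);
    if (iters == 0 || build_input(e, p, in, sizeof in) == 0) return 0;
    return run_copy(in) == OVERFLOW ? iters : 0;
}

int main(void) {
    size_t e, p;
    size_t iters = find_overflow_counts(OUT_SIZE, &e, &p);
    printf("%zu escape + %zu plain chars: summary predicts j_exit=%zu > %d; %s\n",
           e, p, summarize(e, p).j_exit, OUT_SIZE,
           summary_finds_overflow() == iters ? "overflow confirmed" : "not reached");
    return 0;
}
```

The point to take from the example is the division of labour: the summary turns an unbounded space of interleavings into two integer unknowns, the vulnerability condition becomes a linear constraint over them, and the branch conditions tell you which characters to place so that each iteration takes the intended path. Inputs with the same path counts but different orders ("a\"b" and "\"ab") reach the same exit state, which is what the summary relies on.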

References

[1] CVE: Common Vulnerabilities and Exposures. http://cve.mitre.org/.
[2] C. Barrett and C. Tinelli. CVC3. In CAV, volume 4590, pages 298–302, 2007.
[3] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In IEEE Symposium on Security and Privacy, pages 2–16, 2006.
[4] C. Cadar, D. Dunbar, and D. Engler. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, pages 209–224, 2008.
[5] C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: Automatically generating inputs of death. In CCS, pages 322–335, 2006.
[6] E. Clarke, D. Kroening, and F. Lerda. A tool for checking ANSI-C programs. In TACAS, volume 2988, pages 168–176, 2004.
[7] L. Clarke. A system to generate test data and symbolically execute programs. IEEE Transactions on Software Engineering, SE-2(3):215–222, September 1976.
[8] L. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, volume 4963, pages 337–340, 2008.
[9] V. Ganesh and D. L. Dill. A decision procedure for bit-vectors and arrays. In CAV, volume 4590, pages 519–531, 2007.
[10] P. Garg, C. Löding, P. Madhusudan, and D. Neider. ICE: A robust framework for learning invariants. In CAV, volume 8559, pages 69–87, November 2014.
[11] P. Godefroid, N. Klarlund, and K. Sen. DART: Directed automated random testing. In Proceedings of ACM SIGPLAN, volume 40(6), pages 213–223, June 2005.
[12] P. Godefroid, M. Levin, and D. Molnar. Automated whitebox fuzz testing. In NDSS, volume 2988, 2008.
[13] P. Godefroid, M. Y. Levin, and D. Molnar. SAGE: Whitebox fuzzing for security testing. ACM Queue, 10(1):20, January 2012.
[14] P. Godefroid and D. Luchaup. Automatic partial loop summarization in dynamic test generation. In ISSTA, volume 8559, pages 23–33, 2011.
[15] J. C. King. Symbolic execution and program testing. Communications of the ACM, 19(7):385–394, July 1976.
[16] S. Kong, Y. Jung, C. David, B.-Y. Wang, and K. Yi. Automatically inferring quantified loop invariants by algorithmic learning from simple templates. In APLAS, volume 6461, pages 328–343, November 2010.
[17] K. Ku, T. E. Hart, M. Chechik, and D. Lie. A buffer overflow benchmark for software model checkers. In ASE, pages 389–392, 2007.
[18] C. Lattner and V. Adve. LLVM: A compilation framework for lifelong program analysis & transformation. In CGO, pages 75–88, 2004.
[19] W. Le. Segmented symbolic analysis. In ICSE, pages 212–221, 2013.
[20] W. Le and M. L. Soffa. Marple: A demand-driven path-sensitive buffer overflow detector. In FSE, pages 272–282, November 2008.
[21] F. Merz, S. Falke, and C. Sinz. LLBMC: Bounded model checking of C and C++ programs using a compiler IR. In VSTTE, volume 7152, pages 146–161, 2012.
[22] P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In ISSTA, pages 225–236, 2009.
[23] K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. ACM SIGSOFT Software Engineering Notes, 30(5):263–272, September 2005.
[24] R. Sharma and A. Aiken. From invariant checking to invariant inference using randomized search. In CAV, volume 8559, pages 88–105, November 2014.
[25] J. Strejček and M. Trtík. Abstracting path conditions. In ISSTA, pages 155–165, 2012.
[26] N. Tillmann and J. de Halleux. Pex: White box test generation for .NET. In NDSS, volume 4966, pages 134–153, 2008.
[27] M.-T. Trinh, D.-H. Chu, and J. Jaffar. S3: A symbolic string solver for vulnerability detection in web applications. In CCS, volume 8559, pages 1232–1243, 2014.
[28] X. Xiao, S. Li, T. Xie, and N. Tillmann. Characteristic studies of loop problems for structural test generation via symbolic execution. In ASE, pages 246–256, November 2013.
[29] T. Xie, N. Tillmann, J. de Halleux, and W. Schulte. Fitness-guided path exploration in dynamic symbolic execution. In DSN, pages 359–368, 2009.
[30] Y. Zheng, X. Zhang, and V. Ganesh. Z3-str: A Z3-based string solver for web application analysis. In FSE, pages 114–124, 2013.


Published In

ISSTA 2015: Proceedings of the 2015 International Symposium on Software Testing and Analysis
July 2015, 447 pages
ISBN: 9781450336208
DOI: 10.1145/2771783
General Chair: Michal Young
Program Chair: Tao Xie

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Loop summarization
  2. String constraints
  3. Symbolic execution

Qualifiers

  • Research-article

Funding Sources

  • National Science Foundation of China
  • National Research Foundation, Prime Minister's Office, Singapore
  • US National Science Foundation (NSF)

Conference

ISSTA '15

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%

Cited By

  • (2025) On Extending Incorrectness Logic with Backwards Reasoning. Proceedings of the ACM on Programming Languages, 9(POPL):391–415. doi:10.1145/3704850. Published 9 Jan 2025.
  • (2025) State Merging for Concolic Testing of Event-driven Applications. Science of Computer Programming, article 103264. doi:10.1016/j.scico.2025.103264. Published Jan 2025.
  • (2023) State Merging with Quantifiers in Symbolic Execution. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 1140–1152. doi:10.1145/3611643.3616287. Published 30 Nov 2023.
  • (2023) Anchor: Fast and Precise Value-flow Analysis for Containers via Memory Orientation. ACM Transactions on Software Engineering and Methodology, 32(3):1–39. doi:10.1145/3565800. Published 26 Apr 2023.
  • (2022) Large-scale analysis of non-termination bugs in real-world OSS projects. Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 256–268. doi:10.1145/3540250.3549129. Published 7 Nov 2022.
  • (2022) Summarization of branching loops. Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, pages 1808–1816. doi:10.1145/3477314.3507042. Published 25 Apr 2022.
  • (2020) Recovering fitness gradients for interprocedural Boolean flags in search-based testing. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 440–451. doi:10.1145/3395363.3397358. Published 18 Jul 2020.
  • (2019) Locating vulnerabilities in binaries via memory layout recovering. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 718–728. doi:10.1145/3338906.3338966. Published 12 Aug 2019.
  • (2019) Computing summaries of string loops in C for better testing and refactoring. Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 874–888. doi:10.1145/3314221.3314610. Published 8 Jun 2019.
  • (2019) Theory and practice of string solvers (invited talk abstract). Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 6–7. doi:10.1145/3293882.3338993. Published 10 Jul 2019.
