Goal-oriented dynamic test generation

• Published in: Information and software technology Vol. 66; pp. 40 - 57
• Main Authors: Do, TheAnh, Khoo, Siau-Cheng, Fong, Alvis Cheuk Ming, Pears, Russel, Quan, Tho Thanh
• Format: Journal Article
• Language: English
• Published: Amsterdam Elsevier B.V 01.10.2015; Elsevier Science Ltd
• Subjects: Algorithms; Buffer overflow vulnerabilities; Data and control dependence analysis; Dynamic symbolic execution; Security management; Software; Software quality; Studies; Type inference analysis; Buffer overflow vulnerabilities; Type inference analysis; Dynamic symbolic execution; Data and control dependence analysis
• ISSN: 0950-5849; 1873-6025
• DOI: 10.1016/j.infsof.2015.05.007

Memory safety errors such as buffer overflow vulnerabilities are one of the most serious classes of security threats. Detecting and removing such security errors are important tasks of software testing for improving the quality and reliability of software in practice. This paper presents a goal-oriented testing approach for effectively and efficiently exploring security vulnerability errors. A goal is a potential safety violation and the testing approach is to automatically generate test inputs to uncover the violation. We use type inference analysis to diagnose potential safety violations and dynamic symbolic execution to perform test input generation. A major challenge facing dynamic symbolic execution in such application is the combinatorial explosion of the path space. To address this fundamental scalability issue, we employ data dependence analysis to identify a root cause leading to the execution of the goal and propose a path exploration algorithm to guide dynamic symbolic execution for effectively discovering the goal. To evaluate the effectiveness of our proposed approach, we conducted experiments against 23 buffer overflow vulnerabilities. We observed a significant improvement of our proposed algorithm over two widely adopted search algorithms. Specifically, our algorithm discovered security vulnerability errors within a matter of a few seconds, whereas the two baseline algorithms failed even after 30min of testing on a number of test subjects. The experimental results highlight the potential of utilizing data dependence analysis to address the combinatorial path space explosion issue faced by dynamic symbolic execution for effective security testing.