TY - GEN
T1 - Tutorial
T2 - 3rd Annual IEEE Cybersecurity Development Conference, SecDev 2018
AU - Goodman, Peter
AU - Grieco, Gustavo
AU - Groce, Alex
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/11/21
Y1 - 2018/11/21
N2 - Traditionally, methods such as binary analysis, symbolic execution, and fuzzing have been used in a context that is strongly geared towards discovering existing vulnerabilities, rather than use in the development cycle to prevent vulnerabilities from arising. Unit testing, in contrast, is firmly in place as part of the development cycle, but is usually very limited in its ability to explore 'deep' paths in a system, or expose completely unanticipated aspects of system behavior. Incorporating the tools used for vulnerability discovery into the development cycle requires large expansion in the expertise that developers must possess, and significant changes in their practices. DeepState is an open-source tool that provides a Google Test-like API to give C and C++ developers push-button access to symbolic execution engines, such as Manticore and angr, and fuzzers, such as Dr. Fuzz. Rather than learning multiple complex tools, developers can learn one (familiar) interface for defining a test harness, and can use tools built to find security vulnerabilities to automatically generate more powerful unit tests for software, in an approach that merges traditional unit testing, security analysis methods, and property-based testing. This tutorial will show how to use DeepState in development, including to produce complex library and API tests, and how to take advantage of both the ability to easily apply multiple security-oriented back-ends for test generation during development and the novel strategies for improving back-end performance provided by DeepState.
AB - Traditionally, methods such as binary analysis, symbolic execution, and fuzzing have been used in a context that is strongly geared towards discovering existing vulnerabilities, rather than use in the development cycle to prevent vulnerabilities from arising. Unit testing, in contrast, is firmly in place as part of the development cycle, but is usually very limited in its ability to explore 'deep' paths in a system, or expose completely unanticipated aspects of system behavior. Incorporating the tools used for vulnerability discovery into the development cycle requires large expansion in the expertise that developers must possess, and significant changes in their practices. DeepState is an open-source tool that provides a Google Test-like API to give C and C++ developers push-button access to symbolic execution engines, such as Manticore and angr, and fuzzers, such as Dr. Fuzz. Rather than learning multiple complex tools, developers can learn one (familiar) interface for defining a test harness, and can use tools built to find security vulnerabilities to automatically generate more powerful unit tests for software, in an approach that merges traditional unit testing, security analysis methods, and property-based testing. This tutorial will show how to use DeepState in development, including to produce complex library and API tests, and how to take advantage of both the ability to easily apply multiple security-oriented back-ends for test generation during development and the novel strategies for improving back-end performance provided by DeepState.
KW - Binary Analysis
KW - Symbolic Execution
KW - Testing
UR - http://www.scopus.com/inward/record.url?scp=85059835947&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85059835947&partnerID=8YFLogxK
U2 - 10.1109/SecDev.2018.00028
DO - 10.1109/SecDev.2018.00028
M3 - Conference contribution
AN - SCOPUS:85059835947
T3 - Proceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018
SP - 130
EP - 131
BT - Proceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 30 September 2018 through 2 October 2018
ER -