Tutorial: DeepState: Bringing vulnerability detection tools into the development cycle

Peter Goodman, Gustavo Grieco, Alex Groce

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Scopus citations

Abstract

Traditionally, methods such as binary analysis, symbolic execution, and fuzzing have been used in a context that is strongly geared towards discovering existing vulnerabilities, rather than use in the development cycle to prevent vulnerabilities from arising. Unit testing, in contrast, is firmly in place as part of the development cycle, but is usually very limited in its ability to explore 'deep' paths in a system, or expose completely unanticipated aspects of system behavior. Incorporating the tools used for vulnerability discovery into the development cycle requires large expansion in the expertise that developers must possess, and significant changes in their practices. DeepState is an open-source tool that provides a Google Test-like API to give C and C++ developers push-button access to symbolic execution engines, such as Manticore and angr, and fuzzers, such as Dr. Fuzz. Rather than learning multiple complex tools, developers can learn one (familiar) interface for defining a test harness, and can use tools built to find security vulnerabilities to automatically generate more powerful unit tests for software, in an approach that merges traditional unit testing, security analysis methods, and property-based testing. This tutorial will show how to use DeepState in development, including to produce complex library and API tests, and how to take advantage of both the ability to easily apply multiple security-oriented back-ends for test generation during development and the novel strategies for improving back-end performance provided by DeepState.

Original language: English (US)
Title of host publication: Proceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 130-131
Number of pages: 2
ISBN (Electronic): 9781538676622
State: Published - Nov 21 2018
Externally published: Yes
Event: 3rd Annual IEEE Cybersecurity Development Conference, SecDev 2018 - Cambridge, United States
Duration: Sep 30 2018 to Oct 2 2018

Publication series

Name: Proceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018

Conference

Conference: 3rd Annual IEEE Cybersecurity Development Conference, SecDev 2018
Country/Territory: United States
City: Cambridge
Period: 9/30/18 to 10/2/18

Keywords

  • Binary Analysis
  • Symbolic Execution
  • Testing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality
