SUDS: an infrastructure for creating dynamic software defect detection tools

Automated Software Engineering

Abstract

SUDS is a powerful infrastructure for creating dynamic software defect detection tools. It contains phases for both static analysis and dynamic instrumentation, allowing users to create tools that take advantage of both paradigms. The results of static analysis phases can be used to improve the quality of dynamic defect detection tools created with SUDS by focusing the instrumentation on types of defects, sources of data, or regions of code. The instrumentation engine is designed to let users create their own correctness models quickly while remaining flexible enough to support the construction of a wide range of different tools. The effectiveness of SUDS is demonstrated by showing that it is capable of finding bugs and that performance improves when static analysis is used to eliminate unnecessary instrumentation.

Author information

Corresponding author

Correspondence to Eric Larson.

About this article

Cite this article

Larson, E. SUDS: an infrastructure for creating dynamic software defect detection tools. Autom Softw Eng 17, 301–346 (2010). https://doi.org/10.1007/s10515-010-0067-7

  • DOI: https://doi.org/10.1007/s10515-010-0067-7
