How can we generate valid system inputs? Grammar-based fuzzers are highly efficient in producing syntactically valid system inputs. However, programs will often reject inputs that are semantically invalid. We introduce ISLa, a declarative specification language for context-sensitive properties of structured system inputs based on context-free grammars. With ISLa, it is possible to specify input constraints like “a variable has to be defined before it is used”; “the ‘file name’ block must be 100 bytes long,” or “the number of columns in all CSV rows must be identical.”
Such constraints go into the ISLa fuzzer which leverages the power of solvers like Z3 to solve semantic constraints and, on top, handles quantifiers and predicates over grammar structure. We show that a few ISLa constraints suffice to produce 100% semantically valid inputs while still maintaining input diversity. ISLa can also parse and precisely validate; inputs against semantic constraints.
ISLa constraints can be mined from existing input samples. For this, our ISLearn prototype uses a catalog of common patterns, instantiates these over input elements, and retains those candidates that hold for the inputs observed and whose instantiations are fully accepted by input-processing programs. The resulting constraints can then again be used for fuzzing and parsing.
Tue 15 NovDisplayed time zone: Beijing, Chongqing, Hong Kong, Urumqi change
14:00 - 15:30 | |||
14:00 15mTalk | Input Invariants Research Papers Dominic Steinhöfel CISPA Helmholtz Center for Information Security, Andreas Zeller CISPA Helmholtz Center for Information Security DOI Pre-print | ||
14:15 15mTalk | Modus: A Datalog Dialect for Building Container Images Research Papers Chris Tomy University College London, Tingmao Wang University College London, Earl T. Barr University College London, Sergey Mechtaev University College London DOI | ||
14:30 15mTalk | Multi-Phase Invariant Synthesis Research Papers DOI | ||
14:45 15mTalk | Parasol: Efficient Parallel Synthesis of Large Model Spaces Research Papers DOI | ||
15:00 15mTalk | Neural Termination Analysis Research Papers Mirco Giacobbe University of Birmingham, Daniel Kroening University of Oxford, Julian Parsert University of Oxford DOI | ||
15:15 7mTalk | SolSEE: A Source-Level Symbolic Execution Engine for Solidity Demonstrations Shang-Wei Lin Nanyang Technological University, Palina Tolmach Nanyang Technological University, Singapore, Institute of High Performance Computing, Agency for Science, Technology and Research (A*STAR), Singapore, Ye Liu , Yi Li Nanyang Technological University Pre-print | ||
15:23 7mTalk | MpBP: Verifying Robustness of Neural Networks with Multi-Path Bound Propagation Demonstrations Ye Zheng Shenzhen University, Shenzhen, China, Jiaxiang Liu Shenzhen University, Xiaomu Shi Shenzhen University | ||