Hydiff: hybrid differential software analysis

Yannic Noller, Corina S. Păsăreanu, Marcel Böhme, Youcheng Sun, Hoang Lam Nguyen, Lars Grunske

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

37 Citations (Scopus)

Abstract

Detecting regression bugs in software evolution, analyzing side-channels in programs and evaluating robustness in deep neural networks (DNNs) can all be seen as instances of differential software analysis, where the goal is to generate diverging executions of program paths. Two executions are said to be diverging if the observable program behavior differs, e.g., in terms of program output, execution time, or (DNN) classification. The key challenge of differential software analysis is to simultaneously reason about multiple program paths, often across program variants. This paper presents HyDiff, the first hybrid approach for differential software analysis. HyDiff integrates and extends two very successful testing techniques: feedback-directed greybox fuzzing for efficient program testing and shadow symbolic execution for systematic program exploration. HyDiff extends greybox fuzzing with divergence-driven feedback based on novel cost metrics that also take into account the control flow graph of the program. Furthermore, HyDiff extends shadow symbolic execution by applying four-way forking in a systematic exploration while still being able to incorporate concrete inputs in the analysis. HyDiff applies divergence-revealing heuristics based on resource consumption and control-flow information to efficiently guide the symbolic exploration, which allows its efficient usage beyond regression testing applications. We introduce differential metrics such as output, decision and cost difference, as well as patch distance, to assist the fuzzing and symbolic execution components in maximizing the execution divergence. We implemented our approach on top of the fuzzer AFL and the symbolic execution framework Symbolic PathFinder. We illustrate HyDiff on regression and side-channel analysis for Java bytecode programs, and further show how to use HyDiff for robustness analysis of neural networks.

Original language: English
Title of host publication: Proceedings - 2020 ACM/IEEE 42nd International Conference on Software Engineering, ICSE 2020
Editors: Jane Cleland-Huang, Darko Marinov
Place of Publication: New York NY USA
Publisher: Association for Computing Machinery (ACM)
Pages: 1273-1285
Number of pages: 13
ISBN (Electronic): 9781450371216
DOIs
Publication status: Published - 2020
Event: International Conference on Software Engineering 2020 - Online, Seoul, Korea, South
Duration: 27 Jun 2020 to 19 Jul 2020
Conference number: 42nd
https://dl.acm.org/doi/proceedings/10.1145/3377811 (Proceedings)
https://conf.researchr.org/home/icse-2020 (Website)

Conference

Conference: International Conference on Software Engineering 2020
Abbreviated title: ICSE 2020
Country/Territory: Korea, South
City: Seoul
Period: 27/06/20 to 19/07/20
Internet address

Keywords

  • Differential program analysis
  • Fuzzing
  • Symbolic execution
