Date : 13-07-03
[Seminar] Prof. Moonzoo Kim of KAIST
Author : Admin
Views : 2,874
Title: Industrial Application of Concolic Testing to Detect Crash Bugs: A Case Study on libexif



Speaker: 김 문주 (Moonzoo Kim)

Date: 2013.07.03 4:00 pm

Location: 과학 도서관 (Science Library), 614A lecture room, Korea University



Bio:

Moonzoo Kim is an associate professor in the department of computer science

at KAIST. He received his Ph.D. degree on runtime verification system at

Univ. of Pennsylvania in 2001. After working as a researcher at Samsung

SECUi.COM and POSTECH, he joined the faculty of KAIST in 2006. He focuses

on automated software testing and debugging techniques through model

checking, symbolic execution, and concurrent program analysis. In addition,

he has closely collaborated with Samsung Electronics since 2006 to apply

advanced testing techniques to commercial flash memory and smartphone

platforms. He has served research communities actively as program co-

chairs (ATVA 2008, VALID 2009), an invited speaker (ATVA 2011), and PC

members (ICSE 2014, ASE tool track 2013, etc).

Home page: http://pswlab.kaist.ac.kr/~moonzoo



Abstract:

As smartphones become popular, manufacturers such as Samsung Electronics

are developing smartphones with rich functionality such as a camera and

photo editing quickly, which accelerates the adoption of open source

applications. However, industrial developers often do not know the detail

of open source applications and it is a challenging problem to test open

source applications effectively and quickly.



This talk shares our experience of applying concolic testing (a.k.a.,

dynamic symbolic execution, white-box fuzzing) as an automated test case

generation technique to test libexif, which is an open source library to

manipulate EXIF information in image files. In this case study, we detected

a memory access bug, a null pointer dereference bug, and four divide-by-

zero bugs, which are reported to CVE. Furthermore, we compare the concolic

testing results with the analysis result of a commercial static analyzer,

which failed to detect none of these bugs.