Trapezoidal Generalization over Linear Constraints
We are developing a model-based fuzzing framework that employs mathematical models of system behavior to guide the fuzzing process. Whereas traditional fuzzing frameworks generate tests randomly, a model-based framework can deduce tests from a behavioral model using a constraint solver. Because the...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Open Publishing Association
2018-10-01
|
| Series: | Electronic Proceedings in Theoretical Computer Science |
| Online Access: | http://arxiv.org/pdf/1810.04310v1 |
| id |
doaj-64e4e56030834224ad42e789867db914 |
|---|---|
| record_format |
Article |
| spelling |
doaj-64e4e56030834224ad42e789867db9142020-11-25T02:32:45ZengOpen Publishing AssociationElectronic Proceedings in Theoretical Computer Science2075-21802018-10-01280Proc. ACL2 2018304610.4204/EPTCS.280.3:10Trapezoidal Generalization over Linear ConstraintsDavid Greve0Andrew Gacek1 Rockwell Collins Rockwell Collins We are developing a model-based fuzzing framework that employs mathematical models of system behavior to guide the fuzzing process. Whereas traditional fuzzing frameworks generate tests randomly, a model-based framework can deduce tests from a behavioral model using a constraint solver. Because the state space being explored by the fuzzer is often large, the rapid generation of test vectors is crucial. The need to generate tests quickly, however, is antithetical to the use of a constraint solver. Our solution to this problem is to use the constraint solver to generate an initial solution, to generalize that solution relative to the system model, and then to perform rapid, repeated, randomized sampling of the generalized solution space to generate fuzzing tests. Crucial to the success of this endeavor is a generalization procedure with reasonable size and performance costs that produces generalized solution spaces that can be sampled efficiently. This paper describes a generalization technique for logical formulae expressed in terms of Boolean combinations of linear constraints that meets the unique performance requirements of model-based fuzzing. The technique represents generalizations using trapezoidal solution sets consisting of ordered, hierarchical conjunctions of linear constraints that are more expressive than simple intervals but are more efficient to manipulate and sample than generic polytopes. Supporting materials contain an ACL2 proof that verifies the correctness of a low-level implementation of the generalization algorithm against a specification of generalization correctness. Finally a post-processing procedure is described that results in a restricted trapezoidal solution that can be sampled (solved) rapidly and efficiently without backtracking, even for integer domains. While informal correctness arguments are provided, a formal proof of the correctness of the restriction algorithm remains as future work.http://arxiv.org/pdf/1810.04310v1 |
| collection |
DOAJ |
| language |
English |
| format |
Article |
| sources |
DOAJ |
| author |
David Greve Andrew Gacek |
| spellingShingle |
David Greve Andrew Gacek Trapezoidal Generalization over Linear Constraints Electronic Proceedings in Theoretical Computer Science |
| author_facet |
David Greve Andrew Gacek |
| author_sort |
David Greve |
| title |
Trapezoidal Generalization over Linear Constraints |
| title_short |
Trapezoidal Generalization over Linear Constraints |
| title_full |
Trapezoidal Generalization over Linear Constraints |
| title_fullStr |
Trapezoidal Generalization over Linear Constraints |
| title_full_unstemmed |
Trapezoidal Generalization over Linear Constraints |
| title_sort |
trapezoidal generalization over linear constraints |
| publisher |
Open Publishing Association |
| series |
Electronic Proceedings in Theoretical Computer Science |
| issn |
2075-2180 |
| publishDate |
2018-10-01 |
| description |
We are developing a model-based fuzzing framework that employs mathematical models of system behavior to guide the fuzzing process. Whereas traditional fuzzing frameworks generate tests randomly, a model-based framework can deduce tests from a behavioral model using a constraint solver. Because the state space being explored by the fuzzer is often large, the rapid generation of test vectors is crucial. The need to generate tests quickly, however, is antithetical to the use of a constraint solver. Our solution to this problem is to use the constraint solver to generate an initial solution, to generalize that solution relative to the system model, and then to perform rapid, repeated, randomized sampling of the generalized solution space to generate fuzzing tests. Crucial to the success of this endeavor is a generalization procedure with reasonable size and performance costs that produces generalized solution spaces that can be sampled efficiently. This paper describes a generalization technique for logical formulae expressed in terms of Boolean combinations of linear constraints that meets the unique performance requirements of model-based fuzzing. The technique represents generalizations using trapezoidal solution sets consisting of ordered, hierarchical conjunctions of linear constraints that are more expressive than simple intervals but are more efficient to manipulate and sample than generic polytopes. Supporting materials contain an ACL2 proof that verifies the correctness of a low-level implementation of the generalization algorithm against a specification of generalization correctness. Finally a post-processing procedure is described that results in a restricted trapezoidal solution that can be sampled (solved) rapidly and efficiently without backtracking, even for integer domains. While informal correctness arguments are provided, a formal proof of the correctness of the restriction algorithm remains as future work. |
| url |
http://arxiv.org/pdf/1810.04310v1 |
| work_keys_str_mv |
AT davidgreve trapezoidalgeneralizationoverlinearconstraints AT andrewgacek trapezoidalgeneralizationoverlinearconstraints |
| _version_ |
1724818009392939008 |