Coverage Maximization Using Dynamic Taint Tracing

Abstract

We present COMET, a system that automatically assembles a test suite for a C program to improve line coverage, and give initial results for a prototype implementation. COMET works dynamically, running the program under a variety of instrumentations in a feedback loop that adds new inputs to an initial corpus with each iteration. One instrumentation in particular is crucial to the success of this approach: dynamic taint tracing. Inputs are labeled as tainted at the byte level and all read/write pairs in the program are augmented to track the flow of taint between memory objects. This allows COMET to determine from which bytes of which inputs the variables in conditions derive, thereby dramatically narrowing the search over inputs necessary to expose new code. On a test set of 13 example programs, COMET improves upon the level of coverage reached in random testing by an average of 23% relative, takes only about twice the time, and requires a tiny fraction of the number of inputs to do so.

Document Details

Document Type: Technical Report
Publication Date: Mar 28, 2007
Accession Number: ADA465167

Entities

People

  • G. Z. Baker
  • M. A. Zhivich
  • R. E. Brown
  • R. P. Lippmann
  • T. R. Leek

Organizations

  • Massachusetts Institute of Technology

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Air Force
  • Algorithms
  • Computer Programs
  • Control Systems
  • Department Of Homeland Security
  • Detectors
  • Feedback
  • Genetic Algorithms
  • Grammars
  • Homeland Security
  • Instrumentation
  • Iterations
  • Models
  • Operating Systems
  • Optimization
  • Standards
  • Test Sets

Fields of Study

  • Computer science