Automatic Test Generation for String Manipulation Programs using Symbolic Execution

S ymbolic execution of string manipulation programs is challenging as the constraint solvers do not typically support logic over strings and non-string operations. KLEE[1] is a symbolic execution tool used to generate test cases with high coverage. It uses Simple Theorem Prover (STP) as its constraint solver. STP encodes constraints only as bit-vector logic and solves the constraints. It has no direct representation of strings. Strings and their operations (like concatentation, substring) have to be encoded in bit-vector logic and then passed onto STP for a solution. This renders STP unsuitable for analyzing arbitrary length strings. KLEE has some basic support for handling symbolic strings. However, the quality of test cases generated quickly deteriorates when string operations are used. Our initial analysis shows that it cannot handle arbitrarylength strings. The symbolic value is always bounded by its size. Clearly, this is undesirable in applications where the size of string is relatively unknown. The limitations are particularly relevant when testing applications for SQL injections in web servers like Apache or Nginx. We therefore aim to achieve the following: 1. Clearly identify the weaknesses of KLEE, as is, when handling symbolic strings on applications that use string operations 2. Compare and contrast the above results by porting KLEE to other string solver (CVC or Z3-str[2]) 3. Evaluate the above ported KLEE to detect SQL injections.