SAGE: Scalable Automated Guided Execution
SAGE is a white-box testing technology geared toward exposing bugs in the target program by systematically executing all of its relevant,
input-driven behaviors. SAGE attempts to generate only those tests that exercise distinct control paths in the program, thus maximizing the
chance of finding defects. This contrasts with the approaches taken by existing fuzz-testing tools, which employ black-box techniques of randomly
generating input data without any knowledge of the target program's code. Such black-box algorithms are inefficient because they generate many redundant
tests exercising the same control path in the program.
SAGE collects symbolic constraints from a run of the target program on a concrete input and solves these constraints to produce new inputs. Each new input is
designed to drive the program down a different control path or cause it to exhibit a fatal error. The key part of our approach is a method of generating
constraints from actual program traces obtained by running the program and recording every relevant event during the run. This allows us to focus on
testing the security-critical program behaviors that are controlled by external data.
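The search loop described above, as an added example that is not SAGE's own code: a constructed Python toy in which an instrumented target records every input-dependent branch as a constraint on the input bytes, each recorded constraint is negated in turn (keeping the path prefix before it intact), the resulting constraint set is solved for a child input, and the child is run in its own turn. The target is modelled on the four-byte example in the cited report; the tracer, the byte-equality-only constraint language and the tiny solver stand in for the iDNA/TruScan trace machinery and for Disolver, which this example does not use.

```python
"""Toy concolic (dynamic symbolic execution) loop of the kind SAGE describes.

A constructed example, not SAGE's code: the target is run concretely under a
tracer that records each input-dependent branch as (byte index, value, taken),
every recorded constraint is negated in turn with the path prefix kept, the
set is solved for a child input, and the child is queued for its own run.
Constraints are restricted to byte (in)equalities so no external solver is
needed; Disolver is not used here.
"""
from collections import deque


class Crash(Exception):
    """Models the target hitting a fatal error (abort)."""


class Tracer:
    """Runs the target concretely and records every input-dependent branch."""

    def __init__(self, data: bytes):
        self.data = data
        self.path = []  # (byte index, compared value, branch taken?) per branch

    def byte_is(self, idx: int, value: int) -> bool:
        taken = self.data[idx] == value
        self.path.append((idx, value, taken))
        return taken


def target(t: Tracer) -> None:
    """Constructed target, modelled on the four-byte example in the cited
    report: it aborts once three of the four magic bytes are present."""
    cnt = 0
    if t.byte_is(0, ord("b")):
        cnt += 1
    if t.byte_is(1, ord("a")):
        cnt += 1
    if t.byte_is(2, ord("d")):
        cnt += 1
    if t.byte_is(3, ord("!")):
        cnt += 1
    if cnt >= 3:  # a function of the four recorded branches, so not recorded itself
        raise Crash("abort() reached")


def solve(constraints, parent: bytes):
    """Find an input satisfying byte (in)equality constraints, or None if they
    conflict.  Unconstrained bytes keep the parent's value, so a child input
    differs from the input it was derived from only where the constraints force it."""
    out = bytearray(parent)
    must, forbid = {}, {}
    for idx, value, taken in constraints:
        if taken:
            if must.get(idx, value) != value or value in forbid.get(idx, set()):
                return None
            must[idx] = value
        else:
            if must.get(idx) == value:
                return None
            forbid.setdefault(idx, set()).add(value)
    for idx, value in must.items():
        out[idx] = value
    for idx, bad in forbid.items():
        if idx not in must and out[idx] in bad:
            out[idx] = next(v for v in range(256) if v not in bad)
    return bytes(out)


def run(data: bytes):
    """Execute the target on one input; return (path constraints, crashed?)."""
    t = Tracer(data)
    try:
        target(t)
    except Crash:
        return t.path, True
    return t.path, False


def generational_search(seed: bytes, max_runs: int = 200):
    """Breadth-first generational search: for every run whose control path is
    new, negate each branch constraint in turn (keeping the prefix), solve for a
    child input and queue it.  Returns (inputs generated, crashing inputs,
    number of distinct control paths seen)."""
    queue = deque([seed])
    seen_inputs = {seed}
    seen_paths = set()
    crashes = []
    runs = 0
    while queue and runs < max_runs:
        data = queue.popleft()
        path, crashed = run(data)
        runs += 1
        if crashed:
            crashes.append(data)
        sig = tuple(path)
        if sig in seen_paths:
            continue  # redundant test: same control path as an earlier run
        seen_paths.add(sig)
        for j, (idx, value, taken) in enumerate(path):
            child = solve(path[:j] + [(idx, value, not taken)], data)
            if child is not None and child not in seen_inputs:
                seen_inputs.add(child)
                queue.append(child)
    return sorted(seen_inputs), crashes, len(seen_paths)


if __name__ == "__main__":
    inputs, crashes, n_paths = generational_search(b"good")
    print(f"{len(inputs)} inputs, {n_paths} distinct paths, crashes: {crashes}")
```

Starting from the seed `good`, which matches none of the magic bytes, the search covers all 16 control paths of the target and reaches the abort with a few dozen runs, where a random fuzzer would need on the order of 2^24 trials to hit three specific bytes. The path-signature check is what the page means by avoiding redundant tests: an input that is textually new but drives the same branches is run once and not expanded further.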
SAGE is built on top of several existing technologies developed within Microsoft. It uses the CSE iDNA engine
to record live program runs and save them in trace files and the CSE TruScan analysis engine to replay the
trace files and intercept interesting events, such as API calls that read input data and branching instructions that consume input values. Finally,
SAGE uses the Disolver constraint solver to solve the
constraints generated during the analysis phase. Disolver is being developed by the Constraint Reasoning Group
at Microsoft Research, Cambridge.
For more information, see the technical report Automated Whitebox Fuzz Testing.