HAMPI: A String Solver for Testing, Analysis and Vulnerability Detection

  • Vijay Ganesh
  • Adam Kieżun
  • Shay Artzi
  • Philip J. Guo
  • Pieter Hooimeijer
  • Michael Ernst
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6806)


Many automatic testing, analysis, and verification techniques for programs can effectively be reduced to a constraint-generation phase followed by a constraint-solving phase. This separation of concerns often leads to more effective and maintainable software reliability tools. The increasing efficiency of off-the- shelf constraint solvers makes this approach even more compelling. However, there are few effective and sufficiently expressive off-the-shelf solvers for string constraints generated by analysis of string-manipulating programs, and hence researchers end up implementing their own ad-hoc solvers. Thus, there is a clear need for an effective and expressive string-constraint solver that can be easily integrated into a variety of applications.

To fulfill this need, we designed and implemented Hampi, an efficient and easy-to-use string solver. Users of the Hampi string solver specify constraints using membership predicate over regular expressions, context-free grammars, and equality/dis-equality between string terms. These terms are constructed out of string constants, bounded string variables, and typical string operations such as concatenation and substring extraction. Hampi takes such a constraint as input and decides whether it is satisfiable or not. If an input constraint is satisfiable, Hampi generates a satsfying assignment for the string variables that occur in it.

We demonstrate Hampi’s expressiveness and efficiency by applying it to program analysis and automated testing: We used Hampi in static and dynamic analyses for finding SQL injection vulnerabilities in Web applications with hundreds of thousands of lines of code.We also used Hampi in the context of automated bug finding in C programs using dynamic systematic testing (also known as concolic testing). Hampi’s source code, documentation, and experimental data are available at .


Regular Expression Regular Language String Constraint Satisfying Assignment Input Constraint 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biere, A., Cimatti, A., Clarke, E., Strichman, O., Zhu, Y.: Bounded model checking. Advances in Computers 58, 117–148 (2003)CrossRefGoogle Scholar
  2. 2.
    Bjørner, N., Tillmann, N., Voronkov, A.: Path feasibility analysis for string-manipulating programs. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 307–321. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Cadar, C., Dunbar, D., Engler, D.R.: Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: Symposium on Operating Systems Design and Implementation. USENIX Association, San Diego (2008)Google Scholar
  4. 4.
    Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: EXE: automatically generating inputs of death. In: Conference on Computer and Communications Security. ACM Press, Alexandria (2006)Google Scholar
  5. 5.
    de Moura, L., Bjørner, N.S.: Z3: An Efficient SMT Solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Emmi, M., Majumdar, R., Sen, K.: Dynamic test input generation for database applications. In: International Symposium on Software Testing and Analysis. ACM Press, London (2007)Google Scholar
  7. 7.
    Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., Tao, L.: A static analysis framework for detecting SQL injection vulnerabilities. In: International Computer Software and Applications Conference. IEEE, Beijing (2007)Google Scholar
  8. 8.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Godefroid, P., Kiezun, A., Levin, M.Y.: Grammar-based whitebox fuzzing. In: Programming Language Design and Implementation. ACM Press, Tuscon (2008)Google Scholar
  10. 10.
    Godefroid, P., Klarlund, N., Sen, K.: DART: Directed automated random testing. In: Programming Language Design and Implementation, Chicago, Illinois. ACM Press, New York (2005)Google Scholar
  11. 11.
    Godefroid, P., Levin, M.Y., Molnar, D.: Automated whitebox fuzz testing. In: Network and Distributed System Security Symposium, San Diego, California. The Internet Society (2008)Google Scholar
  12. 12.
    Gulwani, S., Srivastava, S., Venkatesan, R.: Program analysis as constraint solving. In: Programming Language Design and Implementation, Tuscon, Arizona. ACM Press, New York (2008)Google Scholar
  13. 13.
    Halfond, W., Orso, A., Manolios, P.: WASP: Protecting Web applications using positive tainting and syntax-aware evaluation. Transactions on Software Engineering 34(1), 65–81 (2008)CrossRefGoogle Scholar
  14. 14.
    Jackson, D., Vaziri, M.: Finding bugs with a constraint solver. In: International Symposium on Software Testing and Analysis, Portland, Oregon. ACM Press, New York (2000)Google Scholar
  15. 15.
    Jayaraman, K., Harvison, D., Ganesh, V., Kiezun, A.: jFuzz: A concolic whitebox fuzzer for Java. In: NASA Formal Methods Symposium. NASA, Moffett Field (2009)Google Scholar
  16. 16.
    Kiezun, A., Ganesh, V., Guo, P.J., Hooimeijer, P., Ernst, M.D.: HAMPI: a solver for string constraints. In: International Symposium on Software Testing and Analysis, pp. 105–116. ACM Press, New York (2009)Google Scholar
  17. 17.
    Kiezun, A., Guo, P.J., Jayaraman, K., Ernst, M.D.: Automatic creation of SQL injection and cross-site scripting attacks. In: International Conference on Software Engineering. IEEE, Vancouver (2009)Google Scholar
  18. 18.
    Majumdar, R., Xu, R.-G.: Directed test generation using symbolic grammars. In: Automated Software Engineering. ACM/IEEE (2007)Google Scholar
  19. 19.
    Minamide, Y.: Static approximation of dynamically generated Web pages. In: International World Wide Web Conference, Chiba, Japan. ACM Press, New York (2005)Google Scholar
  20. 20.
    Moskewicz, M., Madigan, C., Zhao, Y., Zhang, L., Malik, S.: Chaff: engineering an efficient SAT solver. In: Design Automation Conference, Las Vegas, Nevada. ACM Press, New York (2001)Google Scholar
  21. 21.
    Shannon, D., Hajra, S., Lee, A., Zhan, D., Khurshid, S.: Abstracting symbolic execution with string analysis. In: Testing: Academic and Industrial Conference Practice and Research Techniques, Windsor, UK. IEEE Computer Society Press, Los Alamitos (2007)Google Scholar
  22. 22.
    Sipser, M.: Introduction to the Theory of Computation. In: Course Technology, Florence, KY (2005)Google Scholar
  23. 23.
    Wassermann, G., Su, Z.: Sound and precise analysis of Web applications for injection vulnerabilities. In: Programming Language Design and Implementation. ACM, San Diego (2007)Google Scholar
  24. 24.
    Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: International Conference on Software Engineering. IEEE, Leipzig (2008)Google Scholar
  25. 25.
    Wassermann, G., Yu, D., Chander, A., Dhurjati, D., Inamura, H., Su, Z.: Dynamic test input generation for Web applications. In: International Symposium on Software Testing and Analysis. ACM, Seattle (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Vijay Ganesh
    • 1
  • Adam Kieżun
    • 2
  • Shay Artzi
    • 3
  • Philip J. Guo
    • 4
  • Pieter Hooimeijer
    • 5
  • Michael Ernst
    • 6
  1. 1.Massachusetts Institute of TechnologyUSA
  2. 2.Harvard Medical SchoolUSA
  3. 3.IBM ResearchUSA
  4. 4.Stanford UniversityUSA
  5. 5.University of VirginiaUSA
  6. 6.University of WashingtonUSA

Personalised recommendations