ASE 2023
Mon 11 - Fri 15 September 2023 Kirchberg, Luxembourg
Thu 14 Sep 2023 15:30 - 15:42 at Plenary Room 2 - Fuzzing Chair(s): Lars Grunske

Fuzzing is a popular software testing method that discovers bugs by massively feeding target applications with automatically generated inputs. Many state-of-the-art fuzzers use branch coverage as a feedback metric to guide the fuzzing process. The fuzzer retains inputs for further mutation only if branch coverage is increased. However, branch coverage only provides a shallow sampling of program behaviours and hence may discard interesting inputs to mutate. This work aims at taking advantage of the large body of research on defining finer-grained code coverage metrics (such as control-flow, data-flow or mutation coverage) and at evaluating how fuzzing performance is impacted when using these metrics to select interesting inputs for mutation. We propose to make branch coverage-based fuzzers support most fine-grained coverage metrics out of the box (i.e., without changing fuzzer internals). We achieve this by making the test objectives defined by these metrics (such as conditions to activate or mutants to kill) explicit as new branches in the target program. Fuzzing such a modified target is then equivalent to fuzzing the original target, but the fuzzer will also retain inputs covering the additional metrics objectives for mutation. In addition, all the fuzzer mechanisms to penetrate hard-to-cover branches will help cover the additional metrics objectives. We use this approach to evaluate the impact of supporting two fine-grained coverage metrics (multiple condition coverage and weak mutation) on the performance of two state-of-the-art fuzzers (AFL++ and QSYM) with the standard LAVA-M and MAGMA benchmarks. This evaluation suggests that our mechanism for runtime fuzzer guidance, where the fuzzed code is instrumented with additional branches, is effective and could be leveraged to encode guidance from human users or static analysers.
Our results also show that the impact of fine-grained metrics on fuzzing performance is hard to predict before fuzzing, and most of the time either neutral or negative. As a consequence, we do not recommend using them to guide fuzzers, except maybe in some possibly favorable circumstances yet to be investigated, like for limited parts of the code or to complement classical fuzzing campaigns.
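
The instrumentation idea from the abstract, sketched as an added C example (not the authors' tool or code): a constructed target with one compound condition, and a copy in which the multiple condition coverage objectives and one weak-mutation objective appear as explicit branches. The function names, the `objective_hit` array and the chosen mutant (`>` replaced by `>=`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example; every name here is hypothetical. */
enum { MCC_FF, MCC_FT, MCC_TF, MCC_TT, WM_GT_TO_GE, N_OBJ };

/* Volatile so the compiler keeps each objective branch in the binary. */
static volatile unsigned char objective_hit[N_OBJ];

/* Original target: branch coverage sees only the two outcomes of the if. */
int parse_original(uint8_t len, uint8_t tag) {
    if (len > 16 && tag == 0x7f)
        return 1;
    return 0;
}

/* Same behaviour, with each test objective made an explicit branch. */
int parse_instrumented(uint8_t len, uint8_t tag) {
    /* Both atoms are side-effect free, so evaluating them eagerly is safe. */
    int c1 = len > 16, c2 = tag == 0x7f;

    /* Multiple condition coverage: one branch per truth combination. */
    if (!c1 && !c2) objective_hit[MCC_FF] = 1;
    if (!c1 &&  c2) objective_hit[MCC_FT] = 1;
    if ( c1 && !c2) objective_hit[MCC_TF] = 1;
    if ( c1 &&  c2) objective_hit[MCC_TT] = 1;

    /* Weak mutation: the mutant "len >= 16" is weakly killed when it
       evaluates differently from the original atom (only for len == 16). */
    if ((len >= 16) != c1) objective_hit[WM_GT_TO_GE] = 1;

    return parse_original(len, tag);
}

void reset_objectives(void) {
    for (int i = 0; i < N_OBJ; i++) objective_hit[i] = 0;
}

int objectives_covered(void) {
    int n = 0;
    for (int i = 0; i < N_OBJ; i++) n += objective_hit[i];
    return n;
}

int main(void) {
    parse_instrumented(0, 0);   /* baseline input */
    parse_instrumented(16, 0);  /* same path in parse_original, new objective here */
    printf("objectives covered: %d of %d\n", objectives_covered(), N_OBJ);
    return 0;
}
```

The input `(16, 0)` takes the same path through `parse_original` as `(0, 0)`, so a branch-coverage fuzzer would discard it; in `parse_instrumented` it reaches a new branch and is retained for mutation.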

Thu 14 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

15:30 - 17:00
Fuzzing: NIER Track / Journal-first Papers / Research Papers / Tool Demonstrations at Plenary Room 2
Chair(s): Lars Grunske Humboldt-Universität zu Berlin
15:30
12m
Talk
Fine-Grained Coverage-Based Fuzzing
Journal-first Papers
Wei-Cheng Wu University of Southern California, USA, Bernard Nongpoh CEA LIST, University Paris-Saclay, Marwan Nour CEA, LIST, Université Paris Saclay, Michaël Marcozzi CEA, LIST, Université Paris Saclay, Sébastien Bardin CEA LIST, University Paris-Saclay, Christophe Hauser Dartmouth College
15:42
12m
Talk
MLIRSmith: Random Program Generation for Fuzzing MLIR Compiler Infrastructure
Research Papers
Haoyu Wang College of Intelligence and Computing, Tianjin University, Junjie Chen Tianjin University, Chuyue Xie College of Intelligence and Computing, Tianjin University, Shuang Liu Tianjin University, Zan Wang Tianjin University, Qingchao Shen Tianjin University, Yingquan Zhao Tianjin University
15:54
12m
Talk
Thunderkaller: Profiling and Improving the Performance of Syzkaller
Research Papers
Yang Lan Institute for Network Science and Cyberspace of Tsinghua University, Di Jin Brown University, Zhun Wang Institute for Network Science and Cyberspace of Tsinghua University, Wende Tan Tsinghua University, Zheyu Ma Tsinghua University, Chao Zhang Tsinghua University
16:06
12m
Talk
PHYFU: Fuzzing Modern Physics Simulation Engines (ACM Distinguished Paper)
Research Papers
Dongwei Xiao Hong Kong University of Science and Technology, Zhibo Liu Hong Kong University of Science and Technology, Shuai Wang Hong Kong University of Science and Technology
16:18
12m
Talk
NaturalFuzz: Natural Input Generation for Big Data Analytics
Research Papers
Ahmad Humayun Virginia Tech, Yaoxuan Wu UCLA, Miryung Kim University of California at Los Angeles, USA, Muhammad Ali Gulzar Virginia Tech
16:30
12m
Talk
SpecFuzzer: A Tool for Inferring Class Specifications via Grammar-based Fuzzing
Tool Demonstrations
Facundo Molina IMDEA Software Institute, Marcelo d'Amorim North Carolina State University, Nazareno Aguirre University of Rio Cuarto and CONICET, Argentina
16:42
12m
Talk
Scalable Industrial Control System Analysis via XAI-based Gray-Box Fuzzing
NIER Track
Justin Kur Oakland University, Jingshu Chen Oakland University, Jun Huang City University of Hong Kong