Mon 17 Jul 2023 13:30 - 14:15 at Amazon Auditorium (Gates G20) - Session 3

Most existing fuzzing tools use edge coverage to identify interesting inputs and guide the expansion of the corpus. This coverage signal is convenient because it is bounded in size. Once fuzzing discovers all reachable edges, however, this form of coverage stops being useful. To keep providing useful guidance to the fuzzer we can add additional signals, such as call stacks, bounded execution paths, arguments to comparison instructions, and signals derived from anomaly detection. Most of these signals can generate a large amount of data that the fuzzer needs to deal with, which can have a drastic impact on the computational resources required. It is still tempting to use these rich signals. In the SiliFuzz project we have used rich coverage signals to uncover bugs that were otherwise hidden. In this talk we will discuss approaches to scaling fuzzing with rich coverage signals in a new fuzzing engine called Centipede.
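The saturation effect the abstract describes can be seen on a toy target. The following Python script is an added illustration and is not code from the talk, from SiliFuzz or from Centipede: it hand-instruments a small parser so each run emits a block trace and the operands of its comparisons, derives three feature sets from that trace (edges, windows of up to K consecutive blocks as a stand-in for "bounded execution paths", and comparison-argument pairs), and runs the same random mutation loop under each signal. The block ids, the window length K, the seed input and the mutation operators are all constructed for the example. Edge coverage is structurally capped at the ten edges of this target and stops admitting inputs early; the bounded-path and comparison signals keep producing new features, and with them a larger corpus and more feature state to store, which is the scaling cost the abstract refers to.

```python
import random

K = 8  # window length for the "bounded execution path" signal (constructed choice)


class Trace:
    """Raw events emitted by one execution of the instrumented target."""

    def __init__(self):
        self.blocks = []  # basic-block ids in execution order
        self.cmps = []    # (lhs, rhs) operand pairs of comparison instructions

    def block(self, bid):
        self.blocks.append(bid)

    def cmp(self, lhs, rhs):
        self.cmps.append((lhs, rhs))


def target(data: bytes, t: Trace):
    """Toy parser, instrumented by hand to stand in for a compiler-instrumented binary."""
    t.block(0)
    if len(data) < 2:
        t.block(1)
        return
    count = data[0]
    t.block(2)
    for i in range(1, min(count, len(data))):  # bounded loop; path length depends on input
        t.block(3)
        t.cmp(data[i], 0x41)
        if data[i] == 0x41:
            t.block(4)
        else:
            t.block(5)
    t.block(6)


def features(t: Trace, signal: str):
    """Feature set of one execution under the chosen coverage signal."""
    if signal == "edge":
        return {(a, b) for a, b in zip(t.blocks, t.blocks[1:])}
    if signal == "path":  # every window of up to K consecutive blocks
        return {tuple(t.blocks[max(0, i - K + 1):i + 1]) for i in range(len(t.blocks))}
    if signal == "cmp":
        return set(t.cmps)
    raise ValueError(signal)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Constructed byte-level mutators: overwrite, insert, delete (length capped at 64)."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and len(buf) < 64:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def run(data: bytes, signal: str):
    t = Trace()
    target(data, t)
    return features(t, signal)


def fuzz(signal: str, iterations: int, seed: int = 1):
    """Minimal coverage-guided loop: keep an input only if it adds a feature."""
    rng = random.Random(seed)
    corpus = [b"\x03xyz"]  # constructed seed input
    seen = set(run(corpus[0], signal))
    last_new_at = 0
    for it in range(1, iterations + 1):
        candidate = mutate(rng.choice(corpus), rng)
        new = run(candidate, signal) - seen
        if new:
            seen |= new
            corpus.append(candidate)
            last_new_at = it
    return {"features": len(seen), "corpus": len(corpus), "last_new_at": last_new_at}


def compare(iterations: int = 3000):
    """Run the same budget under each signal and report feature count, corpus size
    and the iteration at which the signal last admitted a new input."""
    return {s: fuzz(s, iterations) for s in ("edge", "path", "cmp")}


if __name__ == "__main__":
    for signal, stats in compare().items():
        print(f"{signal:5s} {stats}")
```

The `last_new_at` column is the practical tell: once edge coverage reports no new feature for the rest of the budget the fuzzer is running blind, whereas the richer signals keep accepting inputs, at the price of a feature set whose size is no longer bounded by the control-flow graph.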

Mon 17 Jul

Displayed time zone: Pacific Time (US & Canada)

13:30 - 15:00

13:30  45m  Keynote  Rich coverage signal and the consequences for scaling  (FUZZING)

14:15  15m  Paper    Large Language Models for Fuzzing Parsers  (FUZZING)
       Joshua Ackerman (Dartmouth College, USA), George Cybenko (Dartmouth College, USA)

14:30  15m  Paper    Novelty not Found: Adaptive Fuzzer Restarts to Improve Input Space Coverage  (FUZZING)
       Nico Schiller (CISPA Helmholtz Center for Information Security), Xinyi Xu (CISPA Helmholtz Center for Information Security), Lukas Bernhard (CISPA Helmholtz Center for Information Security), Nils Bars (CISPA Helmholtz Center for Information Security), Moritz Schloegel (CISPA, Germany), Thorsten Holz (CISPA Helmholtz Center for Information Security)

14:45  15m  Paper    Grammar Mutation for Testing Input Parsers  (FUZZING)
       Bachir Bendrissou (Imperial College London), Cristian Cadar (Imperial College London), Alastair F. Donaldson (Imperial College London)