Reachable coverage is the number of code elements in the search space of an automatic software testing tool (i.e., a fuzzer). A fuzzer cannot find bugs in code that is unreachable; hence, reachable coverage quantifies fuzzer effectiveness. Using static program analysis, we can compute an upper bound on the number of reachable coverage elements, e.g., by extracting the call graph. However, in general we cannot decide whether a given coverage element is reachable: if we could determine reachable coverage precisely and efficiently, we would have solved the software verification problem. Unfortunately, the static approximation cannot be driven to a given degree of accuracy either; its error does not shrink with additional analysis effort.
In this paper, we advocate a statistical perspective on the approximation of the number of elements in the fuzzer's search space, where accuracy does improve as a function of the analysis runtime. In applied statistics, corresponding estimators have been developed and well established for more than a quarter century. These estimators hold an exciting promise to finally tackle the long-standing challenge of counting reachable code elements. In this paper, we explore the utility of these estimators in the context of automatic software testing. Estimates of reachable coverage can be used to measure (a) the amount of untested code, (b) the effectiveness of the testing technique, and (c) the completeness of the ongoing testing campaign (with respect to the asymptotic maximum achievable coverage). We make all data and our analysis publicly available.
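The statistical estimation the abstract describes can be illustrated with a species-richness estimator. The Python below is an added example, not code from the paper or its authors: it treats each fuzzer-generated input as a sample and each covered branch as a species, and applies the Chao1 estimator (a classic lower-bound estimator of the number of unseen species, with and without bias correction) to a constructed coverage log. The choice of Chao1, the branch identifiers, the sample data and the optional static upper bound are assumptions made here for illustration; the abstract does not name which estimators the paper evaluates.

```python
from collections import Counter
from typing import Dict, Iterable, Optional, Set

# Constructed sample (not data from the paper): each entry is the set of
# branch identifiers that one fuzzer-generated input exercised.
SAMPLE_COVERAGE = [
    {"b0", "b1", "b2"},
    {"b0", "b1", "b3"},
    {"b0", "b2", "b4"},
    {"b0", "b1", "b5"},
    {"b0", "b6"},
    {"b0", "b1", "b2", "b7"},
    {"b0", "b3", "b8"},
]


def element_frequencies(runs: Iterable[Set[str]]) -> Dict[str, int]:
    """Count in how many inputs each coverage element was observed."""
    freq: Counter = Counter()
    for covered in runs:
        freq.update(covered)
    return dict(freq)


def chao1(freq: Dict[str, int], bias_corrected: bool = True) -> float:
    """Chao1 estimate of the total number of reachable coverage elements.

    S_obs elements were seen; f1 of them exactly once (singletons), f2 exactly
    twice (doubletons). Many singletons relative to doubletons means the
    campaign is still discovering new elements at a high rate, so the estimate
    grows. The bias-corrected form is also used when f2 == 0, where the
    classic form f1^2 / (2 f2) would divide by zero.
    """
    s_obs = len(freq)
    f1 = sum(1 for c in freq.values() if c == 1)
    f2 = sum(1 for c in freq.values() if c == 2)
    if bias_corrected or f2 == 0:
        return s_obs + f1 * (f1 - 1) / (2 * (f2 + 1))
    return s_obs + (f1 * f1) / (2 * f2)


def campaign_summary(runs: Iterable[Set[str]],
                     static_upper_bound: Optional[int] = None) -> Dict[str, float]:
    """Derive the quantities the abstract lists from one coverage log."""
    freq = element_frequencies(runs)
    observed = len(freq)
    estimate = chao1(freq)
    if static_upper_bound is not None:
        # A statistical estimate can overshoot; a sound static bound (e.g. the
        # element count from the call graph) caps it and is a sanity check on
        # the data. This capping step is an assumption of this example.
        estimate = min(estimate, float(static_upper_bound))
    return {
        "observed": observed,                        # coverage reached so far
        "estimated_reachable": estimate,             # asymptotic max. achievable coverage
        "untested_estimate": estimate - observed,    # (a) amount of untested code
        "completeness": observed / estimate if estimate else 0.0,  # (c) campaign completeness
    }


if __name__ == "__main__":
    for key, value in campaign_summary(SAMPLE_COVERAGE).items():
        print(f"{key}: {value:.3f}")
```

On the constructed log, 9 branches are observed, 5 of them only once and 1 twice; the bias-corrected Chao1 estimate is 14 reachable branches, so the campaign is about 64% complete and roughly 5 branches remain untested. The uncorrected form gives 21.5, which shows how sensitive the estimate is to the singleton/doubleton ratio early in a campaign: treat the numbers as a lower bound that tightens as more inputs are executed, not as a verdict.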
Wed 17 May (displayed time zone: Hobart)

13:45 - 15:15 | Fuzzing: techniques and tools | Technical Track / Journal-First Papers / SEIP - Software Engineering in Practice | Meeting Room 101 | Chair(s): Mike Papadakis (University of Luxembourg, Luxembourg)

13:45 | 7m Talk | Neural Network Guided Evolutionary Fuzzing for Finding Traffic Violations of Autonomous Vehicles | Journal-First Papers | Ziyuan Zhong (Columbia University), Gail Kaiser (Columbia University), Baishakhi Ray (Columbia University)
13:52 | 15m Talk | Reachable Code Coverage | Technical Track | Danushka Liyanage (Monash University, Australia), Marcel Böhme (MPI-SP, Germany and Monash University, Australia), Kla Tantithamthavorn (Monash University), Stephan Lipp (Technical University of Munich)
14:07 | 15m Talk | Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing | Technical Track
14:22 | 15m Talk | Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation | Technical Track | Sicong Cao (Yangzhou University), Xiaobing Sun (Yangzhou University), Xiaoxue Wu (Yangzhou University), Lili Bo (Yangzhou University), Bin Li (Yangzhou University), Rongxin Wu (Xiamen University), Wei Liu (Nanjing University), Biao He (Ant Group), Yu Ouyang (Ant Group), Jiajia Li (Ant Group)
14:37 | 15m Talk | Evaluating and Improving Hybrid Fuzzing | Technical Track | Ling Jiang (Southern University of Science and Technology), Hengchen Yuan (Southern University of Science and Technology), Mingyuan Wu (Southern University of Science and Technology), Lingming Zhang (University of Illinois at Urbana-Champaign), Yuqun Zhang (Southern University of Science and Technology)
14:52 | 15m Talk | DAISY: Effective Fuzz Driver Synthesis with Object Usage Sequence Analysis | SEIP - Software Engineering in Practice | Mingrui Zhang (Tsinghua University, Beijing, China), Chijin Zhou (Tsinghua University), Jianzhong Liu (ShanghaiTech University), Mingzhe Wang (Tsinghua University), Jie Liang, Juan Zhu, Yu Jiang (Tsinghua University)