A fuzzer can literally run forever. However, as more resources are spent, the coverage rate continuously drops and the utility of the fuzzer declines. To tackle this coverage-resource tradeoff, we could introduce a policy to stop a campaign whenever the coverage rate drops below a certain threshold value, say 10 new branches covered per 15 minutes. During the campaign, can we predict the coverage rate at some point in the future? If so, how well can we predict the future coverage rate as the prediction horizon or the current campaign length increases? How can we tackle the statistical challenge of adaptive bias, which is inherent in greybox fuzzing (i.e., samples are not independent and identically distributed)?
In this paper, we i) evaluate existing statistical techniques to predict the coverage rate $U(t_0+k)$ at any time $t_0$ in the campaign after a period of $k$ units of time in the future and ii) develop a new extrapolation methodology that tackles the adaptive bias. We propose to efficiently simulate a large number of blackbox campaigns from the collected coverage data, estimate the coverage rate for each of these blackbox campaigns, and conduct a simple regression to extrapolate the coverage rate for the greybox campaign.
Our empirical evaluation using the Fuzztastic fuzzer benchmark demonstrates that our extrapolation methodology exhibits at least one order of magnitude lower bias compared to the existing benchmark for $4$ out of $5$ experimental subjects we investigated. Notably, compared to the existing extrapolation methodology, our extrapolator excels in making long-term predictions, such as those extending up to three times the length of the current campaign.
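The pipeline sketched in the abstract, as an added Python example that is not the authors' code: a constructed greybox coverage trace, blackbox campaigns simulated by i.i.d. resampling of its inputs (an assumption about how the simulation is done), Good-Turing estimates of the discovery probability at several checkpoints, and a power-law regression (also an assumption) that extrapolates the rate to $t_0+k$.

```python
import math
import random
from collections import Counter

# Constructed greybox trace (not data from the paper): one set of branch ids per generated
# input, in generation order. Branch popularity is skewed and the reachable range widens as
# the campaign proceeds, mimicking a greybox fuzzer whose later inputs derive from earlier
# coverage-increasing ones (the source of adaptive bias).
def constructed_trace(n_inputs=2000, seed=7):
    rng = random.Random(seed)
    trace = []
    for i in range(n_inputs):
        reach = 40 + i // 25                                  # later inputs reach more branches
        weights = [1.0 / (b + 1) for b in range(reach)]       # Zipf-like branch frequencies
        trace.append(frozenset(rng.choices(range(reach), weights, k=6)))
    return trace

def good_turing_rate(inputs):
    """Good-Turing estimate of the discovery probability U after len(inputs) inputs:
    (#branches seen in exactly one input) / #inputs."""
    counts = Counter(b for s in inputs for b in s)
    singletons = sum(1 for c in counts.values() if c == 1)
    return singletons / len(inputs)

def simulate_blackbox(trace, n, rng=None):
    """Assumption: a blackbox campaign is simulated by drawing n inputs i.i.d. (uniformly,
    with replacement) from the collected trace, which discards the greybox ordering."""
    rng = rng or random.Random(0)
    return [trace[rng.randrange(len(trace))] for _ in range(n)]

def extrapolate(trace, k, campaigns=100, checkpoints=4, seed=0):
    """Predict U(t0 + k) with t0 = len(trace) inputs. Assumption: Good-Turing rates averaged
    over the simulated campaigns at evenly spaced checkpoints are fitted with a power law
    (linear regression in log-log space) and the fit is evaluated at t0 + k.
    Returns (predicted rate, fitted slope)."""
    rng = random.Random(seed)
    t0 = len(trace)
    times = [t0 * (c + 1) // checkpoints for c in range(checkpoints)]
    rates = [0.0] * checkpoints
    for _ in range(campaigns):
        sample = simulate_blackbox(trace, t0, rng)
        for j, t in enumerate(times):
            rates[j] += good_turing_rate(sample[:t]) / campaigns
    xs = [math.log(t) for t in times]
    ys = [math.log(r) for r in rates]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    intercept = my - slope * mx
    return math.exp(intercept + slope * math.log(t0 + k)), slope
```

Because the simulated campaigns are i.i.d. samples from a fixed distribution, the expected Good-Turing rate decreases with campaign length, so the fitted slope is negative and the extrapolated rate falls as the horizon k grows.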
Thu 18 Apr (displayed time zone: Lisbon)
14:00 - 15:30 | Fuzzing 2 | Software Engineering in Practice / Research Track | Room: Fernando Pessoa | Chair: Thuan Pham (The University of Melbourne)
14:00, 15 min talk | Are We There Yet? Unraveling the State-of-the-Art Smart Contract Fuzzers | Research Track | Shuohan Wu (Hong Kong Polytechnic University), Zihao Li (The Hong Kong Polytechnic University), Luyi Yan (Hong Kong Polytechnic University), Weimin Chen (The Hong Kong Polytechnic University), Muhui Jiang (The Hong Kong Polytechnic University), Chenxu Wang (Xi'an Jiaotong University), Xiapu Luo (The Hong Kong Polytechnic University), Hao Zhou (Hong Kong Polytechnic University)
14:15, 15 min talk | RPG: Rust Library Fuzzing with Pool-based Fuzz Target Generation and Generic Support | Research Track | Zhiwu Xu (Shenzhen University), Bohao Wu (CSSE, Shenzhen University), Cheng Wen (Guangzhou Institute of Technology, Xidian University), Bin Zhang (Shenzhen University), Shengchao Qin (Fermat Labs, Huawei), Mengda He (Fermat Labs, Huawei)
14:30, 15 min talk | Extrapolating Coverage Rate in Greybox Fuzzing | Research Track | Danushka Liyanage (Monash University, Australia), Seongmin Lee (Max Planck Institute for Security and Privacy (MPI-SP)), Marcel Böhme (MPI-SP, Bochum), Kla Tantithamthavorn (Monash University)
14:45, 15 min talk | FuzzInMem: Fuzzing Programs via In-memory Structures | Research Track | Xuwei Liu (Purdue University, USA), Wei You (Renmin University of China), Yapeng Ye (Purdue University), Zhuo Zhang (Purdue University), Jianjun Huang (Renmin University of China), Xiangyu Zhang (Purdue University)
15:00, 15 min talk | Fuzz4All: Universal Fuzzing with Large Language Models | Research Track | Chunqiu Steven Xia (University of Illinois at Urbana-Champaign), Matteo Paltenghi (University of Stuttgart), Jia Le Tian (UIUC), Michael Pradel (University of Stuttgart), Lingming Zhang (University of Illinois at Urbana-Champaign)
15:15, 15 min talk | MicroFuzz: An Efficient Fuzzing Framework for Microservices | Software Engineering in Practice