ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Thu 18 Apr 2024 11:45 - 12:00 at Fernando Pessoa - Fuzzing 1 Chair(s): Marcel Böhme

A large-scale system has a huge configuration space because of its large number of configuration parameters. This leads to a combinatorial explosion among configuration parameters when exploring the configuration space. Existing configuration testing techniques first use fuzzing to generate different configuration parameters, and then directly inject them into the program under test to find configuration-induced bugs. However, they do not fully consider the complexity of large-scale systems, resulting in low testing effectiveness. In this paper, we propose ECFuzz, an effective configuration fuzzer for large-scale systems. Our core approach consists of (i) a multi-dimensional configuration generation strategy: ECFuzz first designs different mutation strategies according to different dependencies and selects multiple configuration parameters from the candidate configuration parameters to effectively generate configuration parameters; and (ii) a unit-testing-oriented configuration validation strategy: ECFuzz introduces unit testing into configuration testing to filter out configuration parameters that are unlikely to yield errors before executing system testing, and to effectively validate generated configuration parameters. We have conducted extensive experiments on real-world large-scale systems including HCommon, HDFS, HBase, ZooKeeper and Alluxio. Our evaluation shows that ECFuzz is effective in finding configuration-induced crash bugs. Compared with state-of-the-art configuration testing tools including ConfTest, ConfErr and ConfDiagDetector, ECFuzz finds 60.3–67 more unexpected failures when the same 1000 test cases are injected into the system, an increase of 1.87x–2.63x. Moreover, ECFuzz has exposed 14 previously unknown bugs, and 5 of them have been confirmed.

Thu 18 Apr

Displayed time zone: Lisbon

11:00 - 12:30
11:00
15m
Talk
Crossover in Parametric Fuzzing
Research Track
Katherine Hough Northeastern University, Jonathan Bell Northeastern University
11:15
15m
Talk
SpecBCFuzz: Fuzzing LTL Solvers with Boundary Conditions
Research Track
Luiz Carvalho University of Luxembourg, Renzo Degiovanni SnT, University of Luxembourg, Maxime Cordy University of Luxembourg, Luxembourg, Nazareno Aguirre University of Rio Cuarto and CONICET, Yves Le Traon University of Luxembourg, Luxembourg, Mike Papadakis University of Luxembourg
11:30
15m
Talk
EDEFuzz: A Web API Fuzzer for Excessive Data Exposures (ACM SIGSOFT Distinguished Paper Award)
Research Track
Lianglu Pan University of Melbourne, Shaanan Cohney University of Melbourne, Toby Murray University of Melbourne, Thuan Pham The University of Melbourne
11:45
15m
Talk
ECFuzz: Effective Configuration Fuzzing for Large-Scale Systems
Research Track
Junqiang Li University of Electronic Science and Technology of China, Senyi Li University of Electronic Science and Technology of China, Keyao Li University of Electronic Science and Technology of China, Falin Luo University of Electronic Science and Technology of China, Hongfang Yu University of Electronic Science and Technology of China, Shanshan Li National University of Defense Technology, Xiang Li Academy of Military Sciences
12:00
15m
Talk
Mind the Gap: What Working With Developers on Fuzz Tests Taught Us About Coverage Gaps
Software Engineering in Practice
Carolin Brandt Delft University of Technology, Marco Castelluccio Mozilla, Christian Holler Mozilla Corporation, Jason Kratzer Mozilla Corporation, Andy Zaidman Delft University of Technology, Alberto Bacchelli University of Zurich
12:15
7m
Talk
CLFuzz: Vulnerability Detection of Cryptographic Algorithm Implementation via Semantic-Aware Fuzzing
Journal-first Papers
Yuanhang Zhou Tsinghua University, Fuchen Ma Tsinghua University, Yuanliang Chen Tsinghua University, Meng Ren Tsinghua University, Yu Jiang Tsinghua University
12:22
7m
Talk
FormatFuzzer: Effective Fuzzing of Binary File Formats
Journal-first Papers
Rafael Dutra CISPA Helmholtz Center for Information Security, Rahul Gopinath University of Sydney, Andreas Zeller CISPA Helmholtz Center for Information Security