ICST 2023
Sun 16 - Thu 20 April 2023 Dublin, Ireland
Tue 18 Apr 2023 12:00 - 12:20 at Pearse suite - Session 9: Fuzzing Chair(s): Xavier Devroey

Fuzz testing is often automated, but also frequently augmented by experts who insert themselves into the workflow in a greedy search for bugs. In this paper, we propose Homo in Machina, or HM-fuzzing, in which analyses guide the manual efforts, maximizing benefit. As one example of this paradigm, we introduce compartment analysis. Compartment analysis uses a whole-program dominator analysis to estimate the utility of reaching new code, and combines this with a dynamic analysis indicating drastically under-covered edges guarding that code. This results in a prioritized list of compartments, i.e., large, uncovered parts of the program semantically partitioned and largely unreachable given the current corpus of inputs under consideration. A human can use this categorization and ranking of compartments directly to focus manual effort, finding or fashioning inputs that make the compartments available for future fuzzing. We evaluate the effect of compartment analysis on seven projects within the OSS-Fuzz corpus where we see coverage improvements over AFL++ as high as 94%, with a median of 13%. We further observe that the determination of compartments is highly stable and thus can be done early in a fuzzing campaign, maximizing the potential for impact.
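As an added illustration of the idea in the abstract (this is not the paper's code, tool or data), the toy below ranks compartments on a constructed control-flow graph: the utility of reaching a block is the number of still-uncovered blocks it dominates, and a guard edge is an edge out of an executed block that was taken far less often than the block's other edges. The graph, the hit counts and the 5% threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed CFG (block -> successors); "entry" is the root.
CFG = {
    "entry": ["parse", "usage"], "usage": ["exit"],
    "parse": ["magic_ok", "bad_magic"], "bad_magic": ["exit"],
    "magic_ok": ["decode_v1", "decode_v2"],
    "decode_v1": ["render"], "decode_v2": ["decompress"],
    "decompress": ["inflate"], "inflate": ["render"],
    "render": ["exit"], "exit": [],
}
# Constructed edge hit counts from a corpus; an absent edge was never taken.
HITS = {("entry", "parse"): 1000, ("parse", "bad_magic"): 700,
        ("parse", "magic_ok"): 300, ("magic_ok", "decode_v1"): 300,
        ("decode_v1", "render"): 300, ("render", "exit"): 300,
        ("bad_magic", "exit"): 700}

def dominators(cfg, root):
    """Iterative dataflow: dom[n] = {n} | intersection of dom[p] over preds p."""
    preds = defaultdict(set)
    for src, dsts in cfg.items():
        for d in dsts:
            preds[d].add(src)
    dom = {n: set(cfg) for n in cfg}
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for n in set(cfg) - {root}:
            new = {n} | set.intersection(*(dom[p] for p in preds[n])) if preds[n] else {n}
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def rank_compartments(cfg, hits, root="entry", ratio=0.05):
    """[(size, guard_edge, uncovered_blocks)] sorted largest compartment first.
    A guard edge leaves an executed block but carries <= ratio of that block's
    outgoing hits; its compartment is the uncovered code its target dominates."""
    dom = dominators(cfg, root)
    dominated = defaultdict(set)            # node -> blocks it dominates
    for n, ds in dom.items():
        for d in ds:
            dominated[d].add(n)
    covered = {n for edge in hits for n in edge}
    out_total = defaultdict(int)
    for (src, _), c in hits.items():
        out_total[src] += c
    ranked = []
    for src, dsts in cfg.items():
        if src not in covered:
            continue                         # never executed: not a guard we can see
        for dst in dsts:
            if hits.get((src, dst), 0) <= ratio * out_total[src]:
                blocks = dominated[dst] - covered
                if blocks:
                    ranked.append((len(blocks), (src, dst), sorted(blocks)))
    return sorted(ranked, key=lambda r: -r[0])
```

Here the edge into `decode_v2` guards three never-executed blocks and outranks the untaken `usage` edge, which guards only one, so a human seed-writer would start with a valid version-2 input.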

Tue 18 Apr

Displayed time zone: Dublin

11:00 - 12:30
Session 9: Fuzzing (Previous Editions / Posters / Industry / Research Papers) at Pearse suite
Chair(s): Xavier Devroey University of Namur
11:00
20m
Talk
Industrial Deployment of Compiler Fuzzing Techniques for Two GPU Shading Languages
Industry
Alastair F. Donaldson Imperial College London, Ben Clayton Google, Ryan Harrison Google, Hasan Mohsin Imperial College London, David Neto Google, Vasyl Teliman National Technical University of Ukraine, Hana Watson Imperial College London
11:20
20m
Talk
Metamorphic Fuzzing of C++ Libraries
Previous Editions
Andrei Lascu Imperial College London, Alastair F. Donaldson Imperial College London, Tobias Grosser University of Edinburgh, Torsten Hoefler ETH Zurich
11:40
20m
Talk
Android Fuzzing: Balancing User-Inputs and Intents
Research Papers
Michael Auer University of Passau, Andreas Stahlbauer University of Passau, Gordon Fraser University of Passau
12:00
20m
Talk
Homo in Machina: Improving Fuzz Testing Coverage via Compartment Analysis
Research Papers
Joshua Bundt Northeastern University, Andrew Fasano Northeastern University, Brendan Dolan-Gavitt New York University, William Robertson Northeastern University, USA, Tim Leek MIT Lincoln Laboratory
12:20
5m
Talk
Poster: BugOSS: A Regression Bug Benchmark for Empirical Study of Regression Fuzzing Techniques
Posters
Jeewoong Kim Handong Global University, Shin Hong Handong Global University