ISSTA/ECOOP 2024
Mon 16 - Fri 20 September 2024 Vienna, Austria
Mon 16 Sep 2024 10:45 - 11:00 at EI 9 Hlawka - Strauss Session

Deploying fuzzing within CI/CD pipelines can help ensure safe and secure code evolution. Directed greybox fuzzing techniques such as AFLGo are a good match for the CI/CD context. These techniques prioritise inputs based on estimated distances to the changed code. Unfortunately, computing these distances is often expensive, making the techniques impractical for short CI/CD runs.

In this paper, we propose an AFLGo-based technique called PaZZER, which optimises the distance calculation by dropping the expensive control-flow graph component and computing the call-graph component in an incremental fashion. Preliminary results are promising, showing that PaZZER can make CI/CD testing feasible for large applications: e.g., for objdump the distance computation time is decreased from 34 min to just 2.5 min, with a further 2.3 min saved when an incremental algorithm is used. The significant time reduction in distance computation allows PaZZER to spend most of the time on actual fuzzing, making it practical for short CI/CD runs of around 10 minutes.

Our planned full evaluation will involve real-world commits from a diverse set of 9 applications of different sizes. This will include coverage experiments and an ablation study to investigate the impact of PaZZER’s design decisions, and a bug-finding case study comparing it against AFLGo and Google’s CIFuzz. We will assess the benefits and effectiveness of our approach in terms of patch coverage, patch proximity, distance computation time, and time-to-exposure for bugs.
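As an added illustration, not code from the paper or from PaZZER itself, the following Python computes an AFLGo-style function-level (call-graph) distance to a set of target functions and reuses cached per-target BFS results when a new commit changes the target set; the call graph, function names and the caching scheme are constructed assumptions for this example.

```python
from collections import deque
from typing import Optional, Set

# Constructed call graph (caller -> callees) for a hypothetical parser; sample data, not from the paper.
CALL_GRAPH = {
    "main": {"usage", "load_file"}, "load_file": {"read_header", "read_sections"},
    "read_header": {"check_magic"}, "read_sections": {"parse_section", "check_magic"},
    "parse_section": {"decode_symbol"}, "check_magic": set(), "decode_symbol": set(),
    "usage": set(),
}

def reverse_edges(cg):
    """callee -> callers, so a BFS from a target walks towards its callers."""
    rev = {f: set() for f in cg}
    for caller, callees in cg.items():
        for callee in callees:
            rev.setdefault(callee, set()).add(caller)
    return rev

def hops_to_target(rev, target):
    """Shortest number of call edges from every function to `target` (BFS)."""
    dist, queue = {target: 0}, deque([target])
    while queue:
        f = queue.popleft()
        for caller in rev.get(f, ()):
            if caller not in dist:
                dist[caller] = dist[f] + 1
                queue.append(caller)
    return dist

class CallGraphDistance:
    """AFLGo-style function-level distance: 0 for a target, None when no target is
    reachable, else the inverse of the summed reciprocal hop counts. Per-target BFS maps
    are cached so a commit that changes the targets only recomputes the added ones
    (an incremental scheme assumed here for illustration, not PaZZER's own algorithm)."""
    def __init__(self, cg):
        self.rev, self.cache, self.targets = reverse_edges(cg), {}, set()

    def set_targets(self, targets: Set[str]) -> int:
        added = targets - self.targets
        for t in added:
            self.cache[t] = hops_to_target(self.rev, t)
        for t in self.targets - targets:
            del self.cache[t]
        self.targets = set(targets)
        return len(added)  # number of BFS runs this update needed

    def distance(self, func: str) -> Optional[float]:
        if func in self.targets:
            return 0.0
        hops = [self.cache[t][func] for t in self.targets if func in self.cache[t]]
        return 1.0 / sum(1.0 / h for h in hops) if hops else None
```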

Mon 16 Sep

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

10:30 - 12:00
Strauss Session: FUZZING at EI 9 Hlawka
10:30
15m
Talk
Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup
FUZZING
Madonna Huang (University of British Columbia), Caroline Lemieux (University of British Columbia)
10:45
15m
Talk
Effective Fuzzing within CI/CD Pipelines
FUZZING
Arindam Sharma (Imperial College London, UK), Cristian Cadar (Imperial College London), Jonathan Metzman (Google)
11:00
15m
Talk
Automated Feature Testing of Verilog Parsers using Fuzzing
FUZZING
Quentin Corradi (Imperial College London), John Wickerson (Imperial College London), George A. Constantinides (Imperial College London, UK)
11:15
15m
Talk
WebAssembly as a Fuzzing Compilation Target
FUZZING
Florian Bauckholt (CISPA Helmholtz Center for Information Security), Thorsten Holz (CISPA Helmholtz Center for Information Security)
11:30
15m
Talk
Visualization Task Taxonomy to Understand the Fuzzing Internals
FUZZING
Sriteja Kummita (Fraunhofer IEM), Miao Miao (The University of Texas at Dallas), Eric Bodden (Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM), Shiyi Wei (University of Texas at Dallas)

Information for Participants
Mon 16 Sep 2024 10:30 - 12:00 at EI 9 Hlawka - Strauss Session
Info for room EI 9 Hlawka:

Map: https://tuw-maps.tuwien.ac.at/?q=CAEG17

Room tech: https://raumkatalog.tiss.tuwien.ac.at/room/13939