Open access
Date: 2023-04
Type: Journal Article
ETH Bibliography: yes
Abstract
Coverage-guided fuzzing is one of the most effective approaches for discovering software defects and vulnerabilities. It executes all mutated tests from seed inputs to expose coverage-increasing tests. However, executing all mutated tests incurs significant performance penalties: most of the mutated tests are discarded because they do not increase code coverage. Thus, determining if a test increases code coverage without actually executing it is beneficial, but a paradoxical challenge. In this paper, we introduce the notion of prefix-guided execution (PGE) to tackle this challenge. PGE leverages two key observations: (1) only a tiny fraction of the mutated tests increase coverage, thus requiring full execution; and (2) whether a test increases coverage may be accurately inferred from its partial execution. PGE monitors the execution of a test and applies early termination when the execution prefix indicates that the test is unlikely to increase coverage. To demonstrate the potential of PGE, we implement a prototype on top of AFL++, which we call AFL++-PGE. We evaluate AFL++-PGE on MAGMA, a ground-truth benchmark set that consists of 21 programs from nine popular real-world projects. Our results show that, after 48 hours of fuzzing, AFL++-PGE finds more bugs, discovers bugs faster, and achieves higher coverage. Prefix-guided execution is general and can benefit the AFL-based family of fuzzers.
Permanent link: https://doi.org/10.3929/ethz-b-000610905
Publication status: published
External links:
Journal / series: Proceedings of the ACM on Programming Languages
Volume:
Pages / Article No.:
Publisher: Association for Computing Machinery
Subject: fuzzing; code coverage; software testing
Organisational unit: 09628 - Su, Zhendong / Su, Zhendong