dc.contributor.author
Sun, Jingling
dc.contributor.author
Su, Ting
dc.contributor.author
Jiang, Jiayi
dc.contributor.author
Wang, Jue
dc.contributor.author
Pu, Geguang
dc.contributor.author
Su, Zhendong
dc.contributor.editor
Chandra, Satish
dc.contributor.editor
Blincoe, Kelly
dc.contributor.editor
Tonella, Paolo
dc.date.accessioned
2024-01-15T09:10:32Z
dc.date.available
2024-01-12T10:19:09Z
dc.date.available
2024-01-15T09:10:32Z
dc.date.issued
2023-11
dc.identifier.isbn
979-8-4007-0327-0
en_US
dc.identifier.other
10.1145/3611643.3616286
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/652133
dc.description.abstract
Like many software applications, data manipulation functionalities (DMFs) are prevalent in Android apps, which perform the common CRUD operations (create, read, update, delete) to handle app-specific data. Thus, ensuring the correctness of these DMFs is fundamentally important for many core app functionalities. However, the bugs related to DMFs (named data manipulation errors, DMEs), especially the non-crashing logic ones, are prevalent but difficult to find. To this end, inspired by property-based testing, we introduce a property-based fuzzing approach to effectively find DMEs in Android apps. Our key idea is that, given some type of app data of interest, we randomly interleave its relevant DMFs and other possible events to explore diverse app states for thorough validation. Specifically, our approach characterizes DMFs in (data) model-based properties and leverages the consistency between the data model and the UI layouts as the handler to do property checking. The properties of DMFs are specified by humans according to specific app features. To support the application of our approach, we implemented an automated GUI testing tool, PBFDroid. We evaluated PBFDroid on 20 real-world Android apps, and successfully found 30 unique and previously unknown bugs in 18 apps. Out of the 30 bugs, 29 are DMEs (22 are non-crashing logic bugs, and 7 are crash ones). To date, 19 have been confirmed and 9 have already been fixed. Many of these bugs are non-trivial and lead to different types of app failures. Our further evaluation confirms that none of the 22 non-crashing DMEs can be found by the state-of-the-art techniques. In addition, a user study shows that the manual cost of specifying the DMF properties with the assistance of our tool is acceptable. Overall, given accurate DMF properties, our approach can automatically find DMEs without any false positives. We have made all the artifacts publicly available at: https://github.com/property-based-fuzzing/home.
en_US
dc.language.iso
en
en_US
dc.publisher
Association for Computing Machinery
en_US
dc.subject
Property-based testing
en_US
dc.subject
Model-based testing
en_US
dc.subject
Android app testing
en_US
dc.subject
Non-crashing functional bugs
en_US
dc.title
Property-Based Fuzzing for Finding Data Manipulation Errors in Android Apps
en_US
dc.type
Conference Paper
dc.date.published
2023-11-30
ethz.book.title
ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
en_US
ethz.pages.start
1088
en_US
ethz.pages.end
1100
en_US
ethz.event
31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE 2023)
en_US
ethz.event.location
San Francisco, CA, USA
en_US
ethz.event.date
December 3-9, 2023
en_US
ethz.identifier.wos
ethz.identifier.scopus
ethz.publication.place
New York, NY
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::09628 - Su, Zhendong / Su, Zhendong
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02664 - Inst. f. Programmiersprachen u. -systeme / Inst. Programming Languages and Systems::09628 - Su, Zhendong / Su, Zhendong
en_US
ethz.relation.isSupplementedBy
https://github.com/property-based-fuzzing/
ethz.date.deposited
2024-01-12T10:19:10Z
ethz.source
FORM
ethz.eth
yes
en_US
ethz.availability
Metadata only
en_US
ethz.rosetta.installDate
2024-01-15T09:10:36Z
ethz.rosetta.lastUpdated
2024-01-15T09:10:36Z
ethz.rosetta.exportRequired
true
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=Property-Based%20Fuzzing%20for%20Finding%20Data%20Manipulation%20Errors%20in%20Android%20Apps&rft.date=2023-11&rft.spage=1088&rft.epage=1100&rft.au=Sun,%20Jingling&Su,%20Ting&Jiang,%20Jiayi&Wang,%20Jue&Pu,%20Geguang&rft.isbn=979-8-4007-0327-0&rft.genre=proceeding&rft_id=info:doi/10.1145/3611643.3616286&rft.btitle=ESEC/FSE%202023:%20Proceedings%20of%20the%2031st%20ACM%20Joint%20European%20Software%20Engineering%20Conference%20and%20Symposium%20on%20the%20Foundations%20of%20Softwar

Files in this item

There are no files associated with this item.
