TY - GEN
T1 - Homo in Machina
T2 - 16th IEEE International Conference on Software Testing, Verification and Validation, ICST 2023
AU - Bundt, Joshua
AU - Fasano, Andrew
AU - Dolan-Gavitt, Brendan
AU - Robertson, William
AU - Leek, Tim
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Fuzz testing is often automated, but also frequently augmented by experts who insert themselves into the workflow in a greedy search for bugs. In this paper, we propose Homo in Machina, or HM-fuzzing, in which analyses guide the manual efforts, maximizing benefit. As one example of this paradigm, we introduce compartment analysis. Compartment analysis uses a whole-program dominator analysis to estimate the utility of reaching new code, and combines this with a dynamic analysis indicating drastically under-covered edges guarding that code. This results in a prioritized list of compartments, i.e., large, uncovered parts of the program semantically partitioned and largely unreachable given the current corpus of inputs under consideration. A human can use this categorization and ranking of compartments directly to focus manual effort, finding or fashioning inputs that make the compartments available for future fuzzing. We evaluate the effect of compartment analysis on seven projects within the OSS-Fuzz corpus where we see coverage improvements over AFL++ as high as 94%, with a median of 13%. We further observe that the determination of compartments is highly stable and thus can be done early in a fuzzing campaign, maximizing the potential for impact.
AB - Fuzz testing is often automated, but also frequently augmented by experts who insert themselves into the workflow in a greedy search for bugs. In this paper, we propose Homo in Machina, or HM-fuzzing, in which analyses guide the manual efforts, maximizing benefit. As one example of this paradigm, we introduce compartment analysis. Compartment analysis uses a whole-program dominator analysis to estimate the utility of reaching new code, and combines this with a dynamic analysis indicating drastically under-covered edges guarding that code. This results in a prioritized list of compartments, i.e., large, uncovered parts of the program semantically partitioned and largely unreachable given the current corpus of inputs under consideration. A human can use this categorization and ranking of compartments directly to focus manual effort, finding or fashioning inputs that make the compartments available for future fuzzing. We evaluate the effect of compartment analysis on seven projects within the OSS-Fuzz corpus where we see coverage improvements over AFL++ as high as 94%, with a median of 13%. We further observe that the determination of compartments is highly stable and thus can be done early in a fuzzing campaign, maximizing the potential for impact.
KW - fuzz testing
KW - fuzzing
UR - http://www.scopus.com/inward/record.url?scp=85161844281&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85161844281&partnerID=8YFLogxK
U2 - 10.1109/ICST57152.2023.00020
DO - 10.1109/ICST57152.2023.00020
M3 - Conference contribution
AN - SCOPUS:85161844281
T3 - Proceedings - 2023 IEEE 16th International Conference on Software Testing, Verification and Validation, ICST 2023
SP - 117
EP - 128
BT - Proceedings - 2023 IEEE 16th International Conference on Software Testing, Verification and Validation, ICST 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 16 April 2023 through 20 April 2023
ER -