Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
119 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

SoK: Prudent Evaluation Practices for Fuzzing (2405.10220v1)

Published 16 May 2024 in cs.SE and cs.CR

Abstract: Fuzzing has proven to be a highly effective approach to uncover software bugs over the past decade. After AFL popularized the groundbreaking concept of lightweight coverage feedback, the field of fuzzing has seen a vast amount of scientific work proposing new techniques, improving methodological aspects of existing strategies, or porting existing methods to new domains. All such work must demonstrate its merit by showing its applicability to a problem, measuring its performance, and often showing its superiority over existing works in a thorough, empirical evaluation. Yet, fuzzing is highly sensitive to its target, environment, and circumstances, e.g., randomness in the testing process. After all, relying on randomness is one of the core principles of fuzzing, governing many aspects of a fuzzer's behavior. Combined with the often highly difficult to control environment, the reproducibility of experiments is a crucial concern and requires a prudent evaluation setup. To address these threats to validity, several works, most notably Evaluating Fuzz Testing by Klees et al., have outlined how a carefully designed evaluation setup should be implemented, but it remains unknown to what extent their recommendations have been adopted in practice. In this work, we systematically analyze the evaluation of 150 fuzzing papers published at the top venues between 2018 and 2023. We study how existing guidelines are implemented and observe potential shortcomings and pitfalls. We find a surprising disregard of the existing guidelines regarding statistical tests and systematic errors in fuzzing evaluations. For example, when investigating reported bugs, ...

Definition Search Book Streamline Icon: https://streamlinehq.com
References (192)
  1. M. Abadi and R. Needham, “Prudent Engineering Practice for Cryptographic Protocols,” IEEE Transactions on Software Engineering, vol. 22, no. 1, pp. 6–15, 1996.
  2. I. Angelakopoulos, G. Stringhini, and M. Egele, “FirmSolo: Enabling Dynamic Analysis of Binary Linux-based IoT Kernel Modules,” in USENIX Security Symposium, 2023.
  3. A. Arcuri and L. Briand, “A Practical Guide for Using Statistical Tests to Assess Randomized Algorithms in Software Engineering,” in International Conference on Software Engineering (ICSE), 2011.
  4. D. Arp, E. Quiring, F. Pendlebury, A. Warnecke, F. Pierazzi, C. Wressnegger, L. Cavallaro, and K. Rieck, “Dos and don’ts of machine learning in computer security,” in USENIX Security Symposium, 2022.
  5. C. Aschermann, T. Frassetto, T. Holz, P. Jauernig, A.-R. Sadeghi, and D. Teuchert, “NAUTILUS: Fishing for Deep Bugs with Grammars,” in Symposium on Network and Distributed System Security (NDSS), 2019.
  6. C. Aschermann, S. Schumilo, A. Abbasi, and T. Holz, “Ijon: Exploring Deep State Spaces via Fuzzing,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  7. C. Aschermann, S. Schumilo, T. Blazytko, R. Gawlik, and T. Holz, “REDQUEEN: Fuzzing with Input-to-State Correspondence,” in Symposium on Network and Distributed System Security (NDSS), 2019.
  8. Association for Computing Machinery, “Artifact Review and Badging Version 1.1,” 2020. [Online]. Available: https://www.acm.org/publications/policies/artifact-review-and-badging-current
  9. J. Ba, M. Böhme, Z. Mirzamomen, and A. Roychoudhury, “Stateful Greybox Fuzzing,” in USENIX Security Symposium, 2022.
  10. N. Bars, M. Schloegel, T. Scharnowski, N. Schiller, and T. Holz, “Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge,” in USENIX Security Symposium, 2023.
  11. F. Bellard, “QEMU, a Fast and Portable Dynamic Translator,” in USENIX Annual Technical Conference (ATC), 2005.
  12. L. Bernhard, T. Scharnowski, M. Schloegel, T. Blazytko, and T. Holz, “JIT-Picking: Differential Fuzzing of JavaScript Engines,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  13. T. Blazytko, C. Aschermann, M. Schloegel, A. Abbasi, S. Schumilo, S. Wörner, and T. Holz, “GRIMOIRE: Synthesizing Structure while Fuzzing,” in USENIX Security Symposium, 2019.
  14. M. Böhme, C. Cadar, and A. Roychoudhury, “Fuzzing: Challenges and Reflections,” IEEE Softw., vol. 38, no. 3, pp. 79–86, 2021.
  15. M. Böhme, V.-T. Pham, and A. Roychoudhury, “Coverage-based Greybox Fuzzing as Markov Chain,” IEEE Transactions on Software Engineering, vol. 45, no. 5, pp. 489–506, 2017.
  16. L. Borzacchiello, E. Coppa, and C. Demetrescu, “Fuzzing Symbolic Expressions,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021.
  17. A. Bulekov, B. Das, S. Hajnoczi, and M. Egele, “No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions,” in Symposium on Network and Distributed System Security (NDSS), 2023.
  18. J. Bundt, A. Fasano, B. Dolan-Gavitt, W. Robertson, and T. Leek, “Evaluating Synthetic Bugs,” in ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2021.
  19. M. Busch, A. Machiry, C. Spensky, G. Vigna, C. Kruegel, and M. Payer, “TEEzz: Fuzzing Trusted Applications on COTS Android Devices,” in IEEE Symposium on Security and Privacy (S&P), 2023.
  20. M. Böhme and B. Falk, “Fuzzing: On the Exponential Cost of Vulnerability Discovery,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2020.
  21. M. Böhme, D. Liyanage, and V. Wüstholz, “Estimating Residual Risk in Greybox Fuzzing,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021.
  22. M. Böhme, V. J. M. Manès, and S. K. Cha, “Boosting Fuzzer Efficiency: An Information Theoretic Perspective,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2020.
  23. M. Böhme, L. Szekeres, and J. Metzman, “On the Reliability of Coverage-Based Fuzzer Benchmarking,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  24. H. Chen, S. Guo, Y. Xue, Y. Sui, C. Zhang, Y. Li, H. Wang, and Y. Liu, “MUZZ: Thread-aware Grey-box Fuzzing for Effective Bug Hunting in Multithreaded Programs,” in USENIX Security Symposium, 2020.
  25. H. Chen, Y. Xue, Y. Li, B. Chen, X. Xie, X. Wu, and Y. Liu, “Hawkeye: Towards a Desired Directed Grey-box Fuzzer,” in ACM Conference on Computer and Communications Security (CCS), 2018.
  26. J. Chen, W. Diao, Q. Zhao, C. Zuo, Z. Lin, X. Wang, W. C. Lau, M. Sun, R. Yang, and K. Zhang, “IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing,” in Symposium on Network and Distributed System Security (NDSS), 2018.
  27. J. Chen, W. Han, M. Yin, H. Zeng, C. Song, B. Lee, H. Yin, and I. Shin, “SYMSAN: Time and Space Efficient Concolic Execution via Dynamic Data-flow Analysis,” in USENIX Security Symposium, 2022.
  28. J. Chen, J. Wang, C. Song, and H. Yin, “JIGSAW: Efficient and Scalable Path Constraints Fuzzing,” in IEEE Symposium on Security and Privacy (S&P), 2022.
  29. L. Chen, Q. Cai, Z. Ma, Y. Wang, H. Hu, M. Shen, Y. Liu, S. Guo, H. Duan, K. Jiang, and Z. Xue, “SFuzz: Slice-based Fuzzing for Real-Time Operating Systems,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  30. P. Chen and H. Chen, “Angora: Efficient Fuzzing by Principled Search,” in IEEE Symposium on Security and Privacy (S&P), 2018.
  31. P. Chen, J. Liu, and H. Chen, “Matryoshka: Fuzzing Deeply Nested Branches,” in ACM Conference on Computer and Communications Security (CCS), 2019.
  32. P. Chen, Y. Xie, Y. Lyu, Y. Wang, and H. Chen, “HOPPER: Interpretative Fuzzing for Libraries,” in ACM Conference on Computer and Communications Security (CCS), 2023.
  33. W. Chen, Y. Wang, Z. Zhang, and Z. Qian, “SyzGen: Automated Generation of Syscall Specification of Closed-Source macOS Drivers,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  34. Y. Chen, P. Li, J. Xu, S. Guo, R. Zhou, Y. Zhang, T. Wei, and L. Lu, “SAVIOR: Towards Bug-Driven Hybrid Testing,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  35. Y. Chen, Y. Jiang, F. Ma, J. Liang, M. Wang, C. Zhou, X. Jiao, and Z. Su, “EnFuzz: Ensemble Fuzzing with Seed Synchronization among Diverse Fuzzers,” in USENIX Security Symposium, 2019.
  36. Y. Chen, T. Su, and Z. Su, “Deep Differential Testing of JVM Implementations,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.
  37. Z. Chen, S. L. Thomas, and F. D. Garcia, “MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  38. M. Cho, S. Kim, and T. Kwon, “Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing,” in ACM Conference on Computer and Communications Security (CCS), 2019.
  39. J. Choi, J. Jang, C. Han, and S. K. Cha, “Grey-box Concolic Testing on Binary Code,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.
  40. J. Choi, K. Kim, D. Lee, and S. K. Cha, “NtFuzz: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis,” in IEEE Symposium on Security and Privacy (S&P), 2021.
  41. N. Christou, D. Jin, V. Atlidakis, B. Ray, and V. P. Kemerlis, “IvySyn: Automated Vulnerability Discovery in Deep Learning Frameworks,” in USENIX Security Symposium, 2023.
  42. A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation,” in USENIX Security Symposium, 2020.
  43. T. Cloosters, J. Willbold, T. Holz, and L. Davi, “SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing,” in USENIX Security Symposium, 2022.
  44. DARPA, “DARPA Cyber Grand Challenge,” 2018. [Online]. Available: https://github.com/CyberGrandChallenge
  45. N. Demir, M. Große-Kampmann, T. Urban, C. Wressnegger, T. Holz, and N. Pohlmann, “Reproducibility and Replicability of Web Measurement Studies,” in ACM Web Conference 2022, 2022.
  46. P. Deng, Z. Yang, L. Zhang, G. Yang, W. Hong, Y. Zhang, and M. Yang, “NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic,” in ACM Conference on Computer and Communications Security (CCS), 2023.
  47. S. Dinesh, N. Burow, D. Xu, and M. Payer, “RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  48. S. T. Dinh, H. Cho, K. Martin, A. Oest, K. Zeng, A. Kapravelos, G.-J. Ahn, T. Bao, R. Wang, A. Doupé, and Y. Shoshitaishvili, “Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases,” in Symposium on Network and Distributed System Security (NDSS), 2021.
  49. Dmitry Vyukov and Google, “Syzkaller – Kernel Fuzzer,” 2015. [Online]. Available: https://github.com/google/syzkaller
  50. B. Dolan-Gavitt, P. Hulin, E. Kirda, T. Leek, A. Mambretti, W. Robertson, F. Ulrich, and R. Whelan, “Lava: Large-scale Automated Vulnerability Addition,” in IEEE Symposium on Security and Privacy (S&P), 2016.
  51. Z. Du, Y. Li, Y. Liu, and B. Mao, “Windranger: A Directed Greybox Fuzzer driven by Deviation Basic Blocks,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  52. B. Feng, A. Mera, and L. Lu, “P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling,” in USENIX Security Symposium, 2020.
  53. X. Feng, R. Sun, X. Zhu, M. Xue, S. Wen, D. Liu, S. Nepal, and Y. Xiang, “Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  54. A. Fioraldi, D. C. D’Elia, and D. Balzarotti, “The Use of Likely Invariants as Feedback for Fuzzers,” in USENIX Security Symposium, 2021.
  55. A. Fioraldi, D. Maier, H. Eißfeldt, and M. Heuse, “AFL++ : Combining Incremental Steps of Fuzzing Research,” in USENIX Workshop on Offensive Technologies (WOOT), 2020.
  56. A. Fioraldi, D. C. Maier, D. Zhang, and D. Balzarotti, “LibAFL: A Framework to Build Modular and Reusable Fuzzers,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  57. J. Fu, J. Liang, Z. Wu, M. Wang, and Y. Jiang, “Griffin: Grammar-Free DBMS Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  58. S. Gan, C. Zhang, P. Chen, B. Zhao, X. Qin, D. Wu, and Z. Chen, “GREYONE: Data Flow Sensitive Fuzzing,” in USENIX Security Symposium, 2020.
  59. S. Gan, C. Zhang, X. Qin, X. Tu, K. Li, Z. Pei, and Z. Chen, “CollAFL: Path Sensitive Fuzzing,” in IEEE Symposium on Security and Privacy (S&P), 2018.
  60. X. Ge, B. Niu, R. Brotzman, Y. Chen, H. Han, P. Godefroid, and W. Cui, “HyperFuzzer: An Efficient Hybrid Fuzzer for Virtual CPUs,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  61. Google, “OSS-Fuzz: Continuous Fuzzing for Open Source Software.” [Online]. Available: https://github.com/google/oss-fuzz
  62. ——, “Fuzzer-Test-Suite,” 2016. [Online]. Available: https://github.com/google/fuzzer-test-suite
  63. H. Green and T. Avgerinos, “GraphFuzz: Library API Fuzzing with Lifetime-aware Dataflow Graphs,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  64. S. Groß, S. Koch, L. Bernhard, T. Holz, and M. Johns, “FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities,” in Symposium on Network and Distributed System Security (NDSS), 2023.
  65. T. Gu, X. Li, S. Lu, J. Tian, Y. Nie, X. Kuang, Z. Lin, C. Liu, J. Liang, and Y. Jiang, “Group-based Corpus Scheduling for Parallel Fuzzing,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2022.
  66. S. Guo, X. Wan, W. You, B. Liang, W. Shi, Y. Zhang, J. Huang, and J. Zhang, “Operand-Variation-Oriented Differential Analysis for Fuzzing Binding Calls in PDF Readers,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  67. E. Güler, C. Aschermann, A. Abbasi, and T. Holz, “AntiFuzz: Impeding Fuzzing Audits of Binary Executables,” in USENIX Security Symposium, 2019.
  68. H. Han, D. Oh, and S. K. Cha, “CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines,” in Symposium on Network and Distributed System Security (NDSS), 2019.
  69. A. Hazimeh, A. Herrera, and M. Payer, “Magma: A Ground-Truth Fuzzing Benchmark,” ACM on Measurement and Analysis of Computing Systems (POMACS), vol. 4, no. 3, pp. 49:1–49:29, 2020.
  70. X. He, X. Xie, Y. Li, J. Sun, F. Li, W. Zou, Y. Liu, L. Yu, J. Zhou, W. Shi, and W. Huo, “SoFi Artifact,” 2021. [Online]. Available: https://sites.google.com/view/sofi4js/souce-and-data
  71. ——, “SoFi: Reflection-Augmented Fuzzing for JavaScript Engines,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  72. A. Herrera, H. Gunadi, S. Magrath, M. Norrish, M. Payer, and A. L. Hosking, “Seed Selection for Successful Fuzzing,” in International Symposium on Software Testing and Analysis (ISSTA), 2021.
  73. H. Huang, Y. Guo, Q. Shi, P. Yao, R. Wu, and C. Zhang, “BEACON: Directed Grey-Box Fuzzing with Provable Path Pruning,” in IEEE Symposium on Security and Privacy (S&P), 2022.
  74. H. Huang, P. Yao, R. Wu, Q. Shi, and C. Zhang, “Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  75. A. Humayun, Y. Wu, M. Kim, and M. A. Gulzar, “NaturalFuzz: Natural Input Generation for Big Data Analytics,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  76. K. K. Ispoglou, D. Austin, V. Mohan, and M. Payer, “FuzzGen: Automatic Fuzzer Generation,” in USENIX Security Symposium, 2020.
  77. P. Jauernig, D. Jakobovic, S. Picek, E. Stapf, and A.-R. Sadeghi, “DARWIN: Survival of the Fittest Fuzzing Mutators,” in Symposium on Network and Distributed System Security (NDSS), 2023.
  78. D. R. Jeong, K. Kim, B. Shivakumar, B. Lee, and I. Shin, “Razzer: Finding Kernel Race Bugs through Fuzzing,” in IEEE Symposium on Security and Privacy (S&P), 2019.
  79. H. Jia, M. Wen, Z. Xie, X. Guo, R. Wu, M. Sun, K. Chen, and H. Jin, “Detecting JVM JIT Compiler Bugs via Exploring Two-Dimensional Input Spaces,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  80. J. Jiang, H. Xu, and Y. Zhou, “RULF: Rust Library Fuzzing via API Dependency Graph Traversal,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021.
  81. L. Jiang, H. Yuan, M. Wu, L. Zhang, and Y. Zhang, “Evaluating and Improving Hybrid Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  82. Z. Jiang, S. Gan, A. Herrera, F. Toffalini, L. Romerio, C. Tang, M. Egele, C. Zhang, and M. Payer, “Evocatio: Conjuring Bug Capabilities from a Single PoC,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  83. Z.-M. Jiang, J.-J. Bai, K. Lu, and S.-M. Hu, “Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection,” in Symposium on Network and Distributed System Security (NDSS), 2022.
  84. J. Jung, H. Hu, D. Solodukhin, D. Pagan, K. H. Lee, and T. Kim, “Fuzzification: Anti-Fuzzing Techniques,” in USENIX Security Symposium, 2019.
  85. J. Jung, S. Tong, H. Hu, J. Lim, Y. Jin, and T. Kim, “WINNIE: Fuzzing Windows Applications with Harness Synthesis and Fast Cloning,” in Symposium on Network and Distributed System Security (NDSS), 2021.
  86. K. Kim, D. R. Jeong, C. H. Kim, Y. Jang, I. Shin, and B. Lee, “HFL: Hybrid Fuzzing on the Linux Kernel,” in Symposium on Network and Distributed System Security (NDSS), 2020.
  87. G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks, “Evaluating Fuzz Testing,” in ACM Conference on Computer and Communications Security (CCS), 2018.
  88. J. Kukucka, L. Pina, P. Ammann, and J. Bell, “CONFETTI: Amplifying Concolic Guidance for Fuzzers,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  89. lafintel, “laf-intel - Circumventing Fuzzing Roadblocks with Compiler Transformations.” [Online]. Available: https://lafintel.wordpress.com
  90. G. Lee, W. Shim, and B. Lee, “Constraint-guided Directed Greybox Fuzzing,” in USENIX Security Symposium, 2021.
  91. M. Lee, S. Cha, and H. Oh, “Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  92. S. Lee, H. Han, S. K. Cha, and S. Son, “Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer,” in USENIX Security Symposium, 2020.
  93. C. Lemieux, R. Padhye, K. Sen, and D. Song, “PerfFuzz: Automatically Generating Pathological Inputs,” in International Symposium on Software Testing and Analysis (ISSTA), 2018.
  94. C. Lemieux and K. Sen, “FairFuzz: A Targeted Mutation Strategy for Increasing Greybox Fuzz Testing Coverage,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2018.
  95. W. Li, J. Ruan, G. Yi, L. Cheng, X. Luo, and H. Cai, “PolyFuzz: Holistic Greybox Fuzzing of Multi-Language Systems,” in USENIX Security Symposium, 2023.
  96. W. Li, J. Shi, F. Li, J. Lin, W. Wang, and L. Guan, “μ⁢A⁢F⁢L𝜇𝐴𝐹𝐿\mu AFLitalic_μ italic_A italic_F italic_L: Non-intrusive Feedback-driven Fuzzing for Microcontroller Firmware,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  97. Y. Li, Y. Xue, H. Chen, X. Wu, C. Zhang, X. Xie, H. Wang, and Y. Liu, “Cerebro: Context-aware Adaptive Fuzzing for Effective Vulnerability Detection,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2019.
  98. Y. Li, S. Ji, Y. Chen, S. Liang, W.-H. Lee, Y. Chen, C. Lyu, C. Wu, R. Beyah, P. Cheng, K. Lu, and T. Wang, “UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers,” in USENIX Security Symposium, 2021.
  99. J. Liang, M. Wang, C. Zhou, Z. Wu, Y. Jiang, J. Liu, Z. Liu, and J. Sun, “PATA: Fuzzing with Path Aware Taint Analysis,” in IEEE Symposium on Security and Privacy (S&P), 2022.
  100. “LibFuzzer - A Library for Coverage-guided Wuzz Testing.” [Online]. Available: https://llvm.org/docs/LibFuzzer.html
  101. Z. Lin, Y. Chen, Y. Wu, D. Mu, C. Yu, X. Xing, and K. Li, “GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs,” in IEEE Symposium on Security and Privacy (S&P), 2022.
  102. S. Lipp, D. Elsner, T. Hutzelmann, S. Banescu, A. Pretschner, and M. Böhme, “FuzzTastic: A Fine-grained, Fuzzer-agnostic Coverage Analyzer,” in International Conference on Software Engineering (ICSE), 2022.
  103. Q. Liu, F. Toffalini, Y. Zhou, and M. Payer, “VIDEZZO: Dependency-aware Virtual Device Fuzzing,” in IEEE Symposium on Security and Privacy (S&P), 2023.
  104. Y. Liu, S. Chen, Y. Xie, Y. Wang, L. Chen, B. Wang, Y. Zeng, Z. Xue, and P. Su, “VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual Device,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  105. Y. Liu, Y. Wang, P. Su, Y. Yu, and X. Jia, “InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021.
  106. D. Liyanage, M. Böhme, C. Tantithamthavorn, and S. Lipp, “Reachable Coverage: Estimating Saturation in Fuzzing,” in International Conference on Software Engineering (ICSE), 2023.
  107. C. Luo, W. Meng, and P. Li, “SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration,” in IEEE Symposium on Security and Privacy (S&P), 2023.
  108. Z. Luo, J. Yu, F. Zuo, J. Liu, Y. Jiang, T. Chen, A. Roychoudhury, and J. Sun, “Bleem: Packet Sequence Oriented Fuzzing for Protocol Implementations,” in USENIX Security Symposium, 2023.
  109. C. Lyu, S. Ji, C. Zhang, Y. Li, W.-H. Lee, Y. Song, and R. Beyah, “MOPT: Optimized Mutation Scheduling for Fuzzers,” in USENIX Security Symposium, 2019.
  110. C. Lyu, J. Xu, S. Ji, X. Zhang, Q. Wang, B. Zhao, G. Pan, W. Cao, P. Chen, and R. Beyah, “MINER: A Hybrid Data-Driven Approach for REST API Fuzzing,” in USENIX Security Symposium, 2023.
  111. V. J. M. Manès, H. Han, C. Han, S. K. Cha, M. Egele, E. J. Schwartz, and M. Woo, “The Art, Science, and Engineering of Fuzzing: A Survey,” IEEE Transactions on Software Engineering, vol. 47, no. 11, pp. 2312–2331, 2021.
  112. V. J. M. Manès, S. Kim, and S. K. Cha, “Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  113. M. Matz, “Comment 1,” 2018. [Online]. Available: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87675#c1
  114. R. Meng, Z. Dong, J. Li, I. Beschastnikh, and A. Roychoudhury, “Linear-time Temporal Logic guided Greybox Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  115. R. Meng, G. Pirlea, A. Roychoudhury, and I. Sergey, “Greybox Fuzzing of Distributed Systems,” in ACM Conference on Computer and Communications Security (CCS), 2023.
  116. A. Mera, B. Feng, L. Lu, and E. Kirda, “DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis,” in IEEE Symposium on Security and Privacy (S&P), 2021.
  117. J. Metzman, L. Szekeres, L. Simon, R. Sprabery, and A. Arya, “FuzzBench: An Open Fuzzer Benchmarking Platform and Service,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021.
  118. M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices,” in Symposium on Network and Distributed System Security (NDSS), 2018.
  119. C. Myung, G. Lee, and B. Lee, “MundoFuzz: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference,” in USENIX Security Symposium, 2022.
  120. S. Nagy and M. Hicks, “Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing,” in IEEE Symposium on Security and Privacy (S&P), 2019.
  121. S. Nagy, A. Nguyen-Tuong, J. D. Hiser, J. W. Davidson, and M. Hicks, “Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  122. R. Natella and V.-T. Pham, “ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing,” in International Symposium on Software Testing and Analysis (ISSTA), 2021.
  123. H. L. Nguyen and L. Grunske, “BEDIVFUZZ: Integrating Behavioral Diversity into Generator-based Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  124. H. L. Nguyen, N. Nassar, T. Kehrer, and L. Grunske, “MoFuzz: A Fuzzer Suite for Testing Model-Driven Software Engineering Tools,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  125. S. Nilizadeh, Y. Noller, and C. S. Pasareanu, “DifFuzz: Differential Fuzzing for Side-channel Analysis,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.
  126. D. Paaßen, S. Surminski, M. Rodler, and L. Davi, “My Fuzzer Beats Them All! Developing a Framework for Fair Evaluation and Comparison of Fuzzers,” in European Symposium on Research in Computer Security (ESORICS), 2021.
  127. L. Padgham, Y. Lee, S. Sadiq, M. Winikoff, A. Fekete, S. MacDonell, D. Kaafar, and S. Zollmann, “CORE Rankings.” [Online]. Available: https://www.core.edu.au/conference-portal
  128. S. Pailoor, A. Aday, and S. Jana, “MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation,” in USENIX Security Symposium, 2018.
  129. G. Pan, X. Lin, X. Zhang, Y. Jia, S. Ji, C. Wu, X. Ying, J. Wang, and Y. Wu, “V-Shuttle: Scalable and Semantics-Aware Hypervisor Virtual Device Fuzzing,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  130. J. Park, S. An, D. Youn, G. Kim, and S. Ryu, “JEST: N+1 -version Differential Testing of Both JavaScript Engines and Specification,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021.
  131. S. Park, W. Xu, I. Yun, D. Jang, and T. Kim, “Fuzzing JavaScript Engines with Aspect-preserving Mutation,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  132. H. Peng, Y. Shoshitaishvili, and M. Payer, “T-Fuzz: Fuzzing by Program Transformation,” in IEEE Symposium on Security and Privacy (S&P), 2018.
  133. H. Peng, Z. Yao, A. A. Sani, D. J. Tian, and M. Payer, “GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation,” in USENIX Security Symposium, 2023.
  134. S. Poeplau and A. Francillon, “Symbolic execution with SymCC: Don’t interpret, compile!” in USENIX Security Symposium, 2020.
  135. ——, “SymQEMU: Compilation-based Symbolic Execution for Binaries,” in Symposium on Network and Distributed System Security (NDSS), 2021.
  136. J. Ruge, J. Classen, F. Gringoli, and M. Hollick, “Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets,” in USENIX Security Symposium, 2020.
  137. C. Salls, C. Jindal, J. Corina, C. Kruegel, and G. Vigna, “Token-Level Fuzzing,” in USENIX Security Symposium, 2021.
  138. T. Scharnowski, N. Bars, M. Schloegel, E. Gustafson, M. Muench, G. Vigna, C. Kruegel, T. Holz, and A. Abbasi, “Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing,” in USENIX Security Symposium, 2022.
  139. S. Schumilo, C. Aschermann, A. Abbasi, S. Wörner, and T. Holz, “HYPER-CUBE: High-Dimensional Hypervisor Fuzzing,” in Symposium on Network and Distributed System Security (NDSS), 2020.
  140. ——, “Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types,” in USENIX Security Symposium, 2021.
  141. L. Seidel, D. Maier, and M. Muench, “Forming Faster Firmware Fuzzers,” in USENIX Security Symposium, 2023.
  142. A. Shah, D. She, S. Sadhu, K. Singal, P. Coffman, and S. Jana, “MC2: Rigorous and Efficient Directed Greybox Fuzzing,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  143. D. She, R. Krishna, L. Yan, S. Jana, and B. Ray, “MTFuzz: Fuzzing with a Multi-task Neural Network,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2020.
  144. D. She, K. Pei, D. Epstein, J. Yang, B. Ray, and S. Jana, “NEUZZ: Efficient Fuzzing with Neural Program Smoothing,” in IEEE Symposium on Security and Privacy (S&P), 2019.
  145. D. She, A. Shah, and S. Jana, “Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis,” in IEEE Symposium on Security and Privacy (S&P), 2022.
  146. Z. Shen, R. Roongta, and B. Dolan-Gavitt, “Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds,” in USENIX Security Symposium, 2022.
  147. J. Shi, Z. Wang, Z. Feng, Y. Lan, S. Qin, W. You, W. Zou, M. Payer, and C. Zhang, “AIFORE: Smart Fuzzing Based on Automatic Input Format Reverse Engineering,” in USENIX Security Symposium, 2023.
  148. D. Song, F. Hetzelt, J. Kim, B. B. Kang, J.-P. Seifert, and M. Franz, “Agamotto: Accelerating Kernel Driver Fuzzing with Lightweight Virtual Machine Checkpoints,” in USENIX Security Symposium, 2020.
  149. S. Song, J. Hur, S. Kim, P. Rogers, and B. Lee, “R2Z2: Detecting Rendering Regressions in Web Browsers through Differential Fuzz Testing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  150. S. Song, C. Song, Y. Jang, and B. Lee, “CrFuzz: Fuzzing Multi-purpose Programs through Input Validation,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2020.
  151. L. Stone, R. Ranjan, S. Nagy, and M. Hicks, “No Linux, No Problem: Fast and Correct Windows Binary Fuzzing via Target-embedded Snapshotting,” in USENIX Security Symposium, 2023.
  152. S. M. S. Talebi, H. Tavakoli, H. Zhang, Z. Zhang, A. A. Sani, and Z. Qian, “Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems,” in USENIX Security Symposium, 2018.
  153. E. van der Kouwe, G. Heiser, D. Andriesse, H. Bos, and C. Giuffrida, “SoK: Benchmarking Flaws in Systems Security,” in IEEE European Symposium on Security and Privacy (EuroS&P), 2019.
  154. A. Vargha and H. D. Delaney, “A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong,” Journal of Educational and Behavioral Statistics, vol. 25, no. 2, pp. 101–132, 2000.
  155. V. Vikram, R. Padhye, and K. Sen, “Growing A Test Corpus with Bonsai Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2021.
  156. H. Wang, X. Xie, Y. Li, C. Wen, Y. Li, Y. Liu, S. Qin, H. Chen, and Y. Sui, “Typestate-guided Fuzzer for Discovering Use-after-free Vulnerabilities,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  157. H. Wang, J. Chen, C. Xie, S. Liu, Z. Wang, Q. Shen, and Y. Zhao, “MLIRSmith: Random Program Generation for Fuzzing MLIR Compiler Infrastructure,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  158. J. Wang, B. Chen, L. Wei, and Y. Liu, “Superion: Grammar-aware Greybox Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.
  159. J. Wang, Z. Zhang, S. Liu, X. Du, and J. Chen, “FuzzJIT: Oracle-Enhanced Fuzzing for JavaScript Engine JIT Compiler,” in USENIX Security Symposium, 2023.
  160. Y. Wang, X. Jia, Y. Liu, K. Zeng, T. Bao, D. Wu, and P. Su, “Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization,” in Symposium on Network and Distributed System Security (NDSS), 2020.
  161. A. Wei, Y. Deng, C. Yang, and L. Zhang, “Free Lunch for Testing: Fuzzing Deep-Learning Libraries from Open Source,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  162. C. Wen, H. Wang, Y. Li, S. Qin, Y. Liu, Z. Xu, H. Chen, X. Xie, G. Pu, and T. Liu, “MemLock: Memory Usage Guided Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  163. M. Wu, M. Lu, H. Cui, J. Chen, Y. Zhang, and L. Zhang, “JITfuzz: Coverage-Guided Fuzzing for JVM Just-in-Time Compilers,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2023.
  164. M. Wu, Y. Ouyang, M. Lu, J. Chen, Y. Zhao, H. Cui, G. Yang, and Y. Zhang, “SJFuzz: Seed & Mutator Scheduling for JVM Fuzzing,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2023.
  165. V. Wüstholz and M. Christakis, “Targeted Greybox Fuzzing with Static Lookahead Analysis,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  166. M. Xu, S. Kashyap, H. Zhao, and T. Kim, “Krace: Data Race Fuzzing for Kernel File Systems,” in IEEE Symposium on Security and Privacy (S&P), 2020.
  167. P. Xu, Y. Wang, H. Hu, and P. Su, “COOPER: Testing the Binding Code of Scripting Languages with Cooperative Mutation,” in Symposium on Network and Distributed System Security (NDSS), 2022.
  168. W. Xu, H. Moon, S. Kashyap, P.-N. Tseng, and T. Kim, “Fuzzing File Systems via Two-Dimensional Input Space Exploration,” in IEEE Symposium on Security and Privacy (S&P), 2019.
  169. W. Xu, S. Park, and T. Kim, “FREEDOM: Engineering a State-of-the-Art DOM Fuzzer,” in ACM Conference on Computer and Communications Security (CCS), 2020.
  170. W. You, X. Liu, S. Ma, D. M. Perry, X. Zhang, and B. Liang, “SLF: Fuzzing without Valid Seed Inputs,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.
  171. W. You, X. Wang, S. Ma, J. Huang, X. Zhang, X. Wang, and B. Liang, “ProFuzzer: On-the-fly Input Type Probing for Better Zero-Day Vulnerability Discovery,” in IEEE Symposium on Security and Privacy (S&P), 2019.
  172. Y. Yu, X. Jia, Y. Liu, Y. Wang, Q. Sang, C. Zhang, and P. Su, “HTFuzz: Heap Operation Sequence Sensitive Fuzzing,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2022.
  173. T. Yue, P. Wang, Y. Tang, E. Wang, B. Yu, K. Lu, and X. Zhou, “EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit,” in USENIX Security Symposium, 2020.
  174. I. Yun, S. Lee, M. Xu, Y. Jang, and T. Kim, “QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing,” in USENIX Security Symposium, 2018.
  175. M. Zalewski, “American Fuzzy Lop.” [Online]. Available: http://lcamtuf.coredump.cx/afl/
  176. A. Zeller, R. Gopinath, M. Böhme, G. Fraser, and C. Holler, “The Fuzzing Book,” 2019. [Online]. Available: https://www.fuzzingbook.org/
  177. A. Zeller, S. Just, and K. Greshake, “When Results Are All That Matters: Consequences,” 2019. [Online]. Available: https://andreas-zeller.blogspot.com/2019/10/when-results-are-all-that-matters.html
  178. G. Zhang, P. Wang, T. Yue, X. Kong, S. Huang, X. Zhou, and K. Lu, “MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing,” in Symposium on Network and Distributed System Security (NDSS), 2022.
  179. Q. Zhang, J. Wang, and M. Kim, “HeteroFuzz: Fuzz Testing to Detect Platform Dependent Divergence for Heterogeneous Applications,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021.
  180. Y. Zhang, C. Pang, S. Nagy, X. Chen, and J. Xu, “Profile-guided System Optimizations for Accelerated Greybox Fuzzing,” in ACM Conference on Computer and Communications Security (CCS), 2023.
  181. Z. Zhang, Z. Patterson, M. Hicks, and S. Wei, “FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing,” in USENIX Security Symposium, 2022.
  182. Z. Zhang, W. You, G. Tao, Y. Aafer, X. Liu, and X. Zhang, “StochFuzz: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting,” in IEEE Symposium on Security and Privacy (S&P), 2021.
  183. B. Zhao, Z. Li, S. Qin, Z. Ma, M. Yuan, W. Zhu, Z. Tian, and C. Zhang, “StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing,” in USENIX Security Symposium, 2022.
  184. H. Zheng, J. Zhang, Y. Huang, Z. Ren, H. Wang, C. Cao, Y. Zhang, F. Toffalini, and M. Payer, “FISHFUZZ: Catch Deeper Bugs by Throwing Larger Nets,” in USENIX Security Symposium, 2023.
  185. Y. Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun, “FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation,” in USENIX Security Symposium, 2019.
  186. C. Zhou, M. Wang, J. Liang, Z. Liu, and Y. Jiang, “Zeror: Speed Up Fuzzing with Coverage-sensitive Tracing and Scheduling,” in IEEE/ACM International Conference on Automated Software Engineering (ASE), 2020.
  187. C. Zhou, Q. Zhang, M. Wang, L. Guo, J. Liang, Z. Liu, M. Payer, and Y. Jiang, “Minerva: Browser API Fuzzing with Dynamic mod-ref Analysis,” in ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2022.
  188. S. Zhou, Z. Yang, D. Qiao, P. Liu, M. Yang, Z. Wang, and C. Wu, “Ferry: State-Aware Symbolic Execution for Exploring State-Dependent Program Paths,” in USENIX Security Symposium, 2022.
  189. W. Zhou, L. Zhang, L. Guan, P. Liu, and Y. Zhang, “What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation,” in ACM Conference on Computer and Communications Security (CCS), 2022.
  190. X. Zhu and M. Böhme, “Regression Greybox Fuzzing,” in ACM Conference on Computer and Communications Security (CCS), 2021.
  191. X. Zhu, S. Wen, S. Camtepe, and Y. Xiang, “Fuzzing: A Survey for Roadmap,” ACM Computing Surveys (CSUR), vol. 54, no. 11s, pp. 1–36, 2022.
  192. S. Österlund, K. Razavi, H. Bos, and C. Giuffrida, “ParmeSan: Sanitizer-guided Greybox Fuzzing,” in USENIX Security Symposium, 2020.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (10)
  1. Moritz Schloegel (5 papers)
  2. Nils Bars (3 papers)
  3. Nico Schiller (3 papers)
  4. Lukas Bernhard (5 papers)
  5. Tobias Scharnowski (1 paper)
  6. Addison Crump (2 papers)
  7. Arash Ale Ebrahim (2 papers)
  8. Nicolai Bissantz (13 papers)
  9. Marius Muench (1 paper)
  10. Thorsten Holz (52 papers)
Citations (9)
View on Semantic Scholar

Summary

Analyzing Fuzzing Evaluation Practices: A Methodological Study

The paper "SoK: Prudent Evaluation Practices for Fuzzing" offers a comprehensive analysis of the evaluation practices adopted in fuzzing research papers over the span of six years (2018-2023) in leading computer security and software engineering venues. The research critically examines the adherence of these studies to methodological best practices, mainly benchmarking them against guidelines provided by Klees et al., and further proposes updated recommendations for evaluating fuzzing methodologies.

Overview of Research and Findings

Fuzzing, widely acknowledged for its efficacy in discovering software bugs, relies fundamentally on randomness, which presents unique challenges to the reproducibility and validity of experimental results. The authors investigate 150 fuzzing papers, revealing significant deficiencies in the way these evaluations are often conducted. Specific gaps were noted in the areas of statistical testing, evaluation metrics, seed selection, and the fairness in resource allocation—all crucial for ensuring reproducible and trustworthy results. Furthermore, the research incorporates artifact evaluations for a subset of eight papers to assess the practicality and reproducibility of the claims made in fuzzing studies.

A major observation was the frequent inconsistency or outright neglect of robust statistical methods in reported evaluations: 63 papers used no statistical tests to back their claims. Additionally, only 37 of the studies employed the Mann-Whitney U-test, while 15 did so with insufficient trial repetitions, questioning the robustness of their findings. This lack of statistical rigor directly undermines the reliability of the research outcomes and the perceived improvements over existing methodologies.

Moreover, the paper highlights the disproportionate focus on certain fuzzers, such as AFL and its derivatives, while failing to adequately consider state-of-the-art alternatives. This skew in evaluation subjects not only limits the perceived generalizability of the results but also potentially overlooks the strengths of diverse fuzzing approaches available in contemporary practice.

Another salient issue is the practice surrounding CVE claims. The analysis shows that out of the numerous CVEs reported, a significant number were unverifiable or disputed, raising concerns about the pressure to demonstrate real-world impact through these metrics.

Recommendations and Best Practices

In addressing the identified shortcomings, the paper provides an updated set of guidelines for future fuzzing research:

  1. Reproducibility and Artifact Sharing: Authors should ensure their research artifacts, including code and experiment configurations, are openly accessible and accompanied by thorough documentation. Participation in artifact evaluation should be encouraged to improve transparency and reproducibility.
  2. Benchmarking and Target Selection: The paper advises using well-recognized benchmarks and a representative set of evaluation targets that align with the specifics of the technique under assessment.
  3. Fair Comparison and Seed Selection: It is vital to compare against relevant state-of-the-art fuzzers and employ a transparent and equitable selection of seed sets. Uninformed seeds or multiple seed sets should be used to validate claims effectively.
  4. Metrics and Statistical Analysis: Fuzzing studies should employ established metrics for evaluation and ensure that statistical tests such as bootstrap or permutation tests are systematically applied, with sufficient trial repetitions to substantiate any performance claims. Effect sizes should also be reported alongside significance tests.
  5. Documenting Threats to Validity: Explicit attention should be given to articulating possible threats to the validity of the research findings and discussing mitigation strategies within the documentation.

Conclusion

This work is instrumental in highlighting the gaps that exist in the evaluation practices of contemporary fuzzing research and delineates a clear pathway towards more rigorous and reproducible methodologies. These recommendations, if diligently followed, have the potential to significantly bolster the reliability, impact, and scientific contribution of future fuzzing studies. As fuzzing continues to be a pivotal tool in software security, advancing its evaluation practices is vital for ensuring progress and fostering innovation in both industry and academia.

File Document Download Save Streamline Icon: https://streamlinehq.com PDF File Document Download Save Streamline Icon: https://streamlinehq.com Markdown
Reddit Logo Streamline Icon: https://streamlinehq.com

Reddit

  1. SoK: Prudent Evaluation Practices for Fuzzing (Paper, 2024.05.16) (1 point, 0 comments)