VisFuzz: Understanding and Intervening Fuzzing with Interactive Visualization
Tue 12 Nov 2019 12:10 - 12:20 at Cortez 1 - Testing and Coverage Chair(s): Jonathan Bell
Fuzzing is widely used for vulnerability detection. One of the challenges for an efficient fuzzing is covering code guarded by constraints such as the magic number and nested conditions. Recently, academia has partially addressed the challenge via whitebox methods. However, high-level constraints such as array sorts, virtual function invocations, and tree set queries are yet to be handled.
To meet this end, we present VisFuzz, an interactive tool for better understanding and intervening fuzzing process via real-time visualization. It extracts call graph and control flow graph from source code, maps each function and basic block to the line of source code and tracks real-time execution statistics with detail constraint contexts. With VisFuzz, test engineers first locate blocking constraints and then learn its semantic context, which helps to craft targeted inputs or update test drivers. Preliminary evaluations are conducted on four real-world programs in Google fuzzer-test-suite. Given additional 15 minutes to understand and intervene the state of fuzzing, the intervened fuzzing outperform the original pure AFL fuzzing, and the path coverage improvements range from 10.84% to 150.58%, equally fuzzed by for 12 hours.
Tue 12 Nov
10:40 - 12:20: Papers - Testing and Coverage at Cortez 1 Chair(s): Jonathan BellGeorge Mason University | ||||||||||||||||||||||||||||||||||||||||||
10:40 - 11:00 Talk | Automatic Self-Validation for Code Coverage Profilers Yibiao YangHuazhong University of Science and Technology, Yanyan JiangNanjing University, Zhiqiang ZuoNanjing University, China, Yang WangNanjing University, Hao SunUnaffiliated, Hongmin LuNanjing University, Yuming ZhouNanjing University, Baowen XuNanjing University Pre-print | |||||||||||||||||||||||||||||||||||||||||
11:00 - 11:20 Talk | Efficient Test Generation Guided by Field Coverage Criteria Ariel GodioDept. of Software Engineering Instituto Tecnológico de Buenos Aires, Valeria BengoleaDept. of Computer Science FCEFQyN, University of Rio Cuarto, Pablo PonzioDept. of Computer Science FCEFQyN, University of Rio Cuarto, Nazareno AguirreDept. of Computer Science FCEFQyN, University of Rio Cuarto, Marcelo F. FriasDept. of Software Engineering Instituto Tecnológico de Buenos Aires | |||||||||||||||||||||||||||||||||||||||||
11:20 - 11:40 Talk | Exploring Output-Based Coverage for Testing PHP Web Applications Hung Viet NguyenGoogle LLC, USA, Hung Dang PhanECpE Department, Iowa State University, Christian KästnerCarnegie Mellon University, Tien N. NguyenUniversity of Texas at Dallas Link to publication | |||||||||||||||||||||||||||||||||||||||||
11:40 - 12:00 Talk | PHANTA: Diversified Test Code Quality Measurement for Modern Software Development Media Attached | |||||||||||||||||||||||||||||||||||||||||
12:00 - 12:10 Demonstration | TestCov: Robust Test-Suite Execution and Coverage Measurement Pre-print Media Attached File Attached | |||||||||||||||||||||||||||||||||||||||||
12:10 - 12:20 Demonstration | VisFuzz: Understanding and Intervening Fuzzing with Interactive Visualization Chijin ZhouTsinghua University, Mingzhe WangTsinghua University, Jie LiangTsinghua University, Zhe LiuNanjing University of Aeronautics and Astronautics, Chengnian SunWaterloo University, Yu JiangTsinghua University |
Thu 14 Nov
10:00 - 10:40 Demonstration | PraPR: Practical Program Repair via Bytecode Mutation | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | Kotless: a Serverless Framework for Kotlin Vladislav TankovJetBrains, ITMO University, Yaroslav GolubevJetBrains Research, ITMO University, Timofey BryksinJetBrains Research, Saint-Petersburg State University | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | PeASS: A Tool for Identifying Performance Changes at Code Level David Georg ReicheltUniversität Leipzig, Stefan KühneUniversität Leipzig, Wilhelm HasselbringKiel University Pre-print Media Attached File Attached | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | MutAPK: Source-Codeless Mutant Generation for Android Apps Camilo Escobar-VelásquezUniversidad de los Andes, Michael Osorio-RiañoUniversidad de los Andes, Mario Linares-VásquezSystems and Computing Engineering Department , Universidad de los Andes , Bogotá, Colombia | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | CocoQa: Question Answering for Coding Conventions over Knowledge Graphs Tianjiao DuShanghai JiaoTong University, Junming CaoShanghai JiaoTong University, Qinyue WuShanghai JiaoTong University, Wei LiShanghai JiaoTong University, Beijun ShenSchool of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Yuting ChenShanghai Jiao Tong University | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:03 Demonstration | Humanoid: A Deep Learning-based Approach to Automated Black-box Android App Testing Yuanchun LiPeking University, Ziyue YangPeking University, Yao GuoPeking University, Xiangqun ChenPeking University | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | Developer Reputation Estimator (DRE) Sadika AmreenUniversity of Tennessee Knoxville, Andrey KarnauchUniversity of Tennessee Knoxville, Audris MockusUniversity of Tennessee - Knoxville | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | NeuralVis: Visualizing and Interpreting Deep Learning Models Xufan ZhangState Key Laboratory for Novel Software Technology Nanjing University, Nanjing, China, Ziyue YinState Key Laboratory for Novel Software Technology Nanjing University, Nanjing, China, Yang FengUniversity of California, Irvine, Qingkai ShiHong Kong University of Science and Technology, Jia LiuState Key Laboratory for Novel Software Technology Nanjing University, Nanjing, China, Zhenyu ChenNanjing University | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | Visual Analytics for Concurrent Java Executions Cyrille ArthoKTH Royal Institute of Technology, Sweden, Monali PandeKTH Royal Institute of Technology, Qiyi TangUniversity of Oxford | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs Ayesha SadiqMonash University, Li LiMonash University, Australia, Yuan-Fang LiMonash University, Ijaz AhmedUniversity of Lahore, Sea LingMonash University | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods Goran PiskachevFraunhofer IEM, Lisa Nguyen Quang DoGoogle, Oshando JohnsonFraunhofer IEM, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM Pre-print Media Attached File Attached | |||||||||||||||||||||||||||||||||||||||||
10:00 - 10:40 Demonstration | VisFuzz: Understanding and Intervening Fuzzing with Interactive Visualization Chijin ZhouTsinghua University, Mingzhe WangTsinghua University, Jie LiangTsinghua University, Zhe LiuNanjing University of Aeronautics and Astronautics, Chengnian SunWaterloo University, Yu JiangTsinghua University |