Path coverage is the process of measuring the fraction of execution paths that are taken during run-time in a software by a given set of inputs. It is commonly used to assess the stability, security, and functionality of an application; therefore, this is closely associated with software testing. Path coverage requires knowledge of the software’s source code (white-box testing), specifically the software’s potential execution paths; however, the problem becomes more challenging when the source code is not available and path coverage must be done using only the software’s binary code. This can occur if the software is a product, the software is a legacy system, or the source code is not available (e.g.~contracted software or permission-less).

This paper investigates how black-box \textit{path detection and discovery} can be achieved using \textit{execution fingerprints} that are a concise frequency representation of a software’s executed assembly instructions. Execution fingerprints can be used to identify which inputs exercised different sections of code, thus revealing execution paths. Experimental results show that clustering execution fingerprints can be used to differentiate the execution paths of software and provide a method to detect these different paths all inside a true black-box testing environment

Frank Whitworth

Wake Forest University