CIDFuzz: Fuzz testing for continuous integration

IF 1.5 4区计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING IET Software Pub Date : 2023-04-06 DOI:10.1049/sfw2.12125

Jiaming Zhang, Zhanqi Cui, Xiang Chen, Huiwen Yang, Liwei Zheng, Jianbin Liu

{"title":"CIDFuzz: Fuzz testing for continuous integration","authors":"Jiaming Zhang, Zhanqi Cui, Xiang Chen, Huiwen Yang, Liwei Zheng, Jianbin Liu","doi":"10.1049/sfw2.12125","DOIUrl":null,"url":null,"abstract":"<p>As agile software development and extreme programing have become increasingly popular, continuous integration (CI) has become a widely used collaborative work method. However, it is common to make changes frequently to a project during CI. If existing testing methods are applied to CI directly, it will be difficult to make testing resources focus on changes generated by CI, which results in insufficient testing for changes. To solve this problem, we propose a fuzz testing method for CI. First, differential analysis is performed to determine the change points generated during CI, change points are added to the taint source set, and static analysis is conducted to calculate the distances between each basic block and the taint sources. Then, the project under test is instrumented according to the distances. During fuzz testing, testing resources are allocated based on seed coverage to test the change points effectively. Using the proposed methods, we implement CIDFuzz as a prototype tool, and experiments are conducted on four open-source projects that use CI. Experimental results show that, compared with AFL and AFLGo, CIDFuzz can reduce the time costs of covering change points up to 39.59% and 41.64%, respectively. Also, CIDFuzz can reduce the time costs of reproducing vulnerabilities up to 34.78% and 25.55%.</p>","PeriodicalId":50378,"journal":{"name":"IET Software","volume":"17 3","pages":"301-315"},"PeriodicalIF":1.5000,"publicationDate":"2023-04-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1049/sfw2.12125","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IET Software","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1049/sfw2.12125","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

As agile software development and extreme programing have become increasingly popular, continuous integration (CI) has become a widely used collaborative work method. However, it is common to make changes frequently to a project during CI. If existing testing methods are applied to CI directly, it will be difficult to make testing resources focus on changes generated by CI, which results in insufficient testing for changes. To solve this problem, we propose a fuzz testing method for CI. First, differential analysis is performed to determine the change points generated during CI, change points are added to the taint source set, and static analysis is conducted to calculate the distances between each basic block and the taint sources. Then, the project under test is instrumented according to the distances. During fuzz testing, testing resources are allocated based on seed coverage to test the change points effectively. Using the proposed methods, we implement CIDFuzz as a prototype tool, and experiments are conducted on four open-source projects that use CI. Experimental results show that, compared with AFL and AFLGo, CIDFuzz can reduce the time costs of covering change points up to 39.59% and 41.64%, respectively. Also, CIDFuzz can reduce the time costs of reproducing vulnerabilities up to 34.78% and 25.55%.

Abstract Image

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

CIDFuzz：持续集成的Fuzz测试

随着敏捷软件开发和极限编程的日益流行，连续集成（CI）已成为一种广泛使用的协作工作方法。然而，在CI过程中经常对项目进行更改是很常见的。如果将现有的测试方法直接应用于CI，则很难使测试资源集中在CI生成的更改上，这会导致对更改的测试不足。为了解决这个问题，我们提出了一种CI的模糊测试方法。首先，进行微分分析来确定CI过程中产生的变化点，将变化点添加到污染源集合中，并进行静态分析来计算每个基本块与污染源之间的距离。然后，根据距离对测试中的项目进行仪表化。在模糊测试中，根据种子覆盖率分配测试资源，有效地测试变化点。使用所提出的方法，我们将CIDFuzz作为原型工具进行了实现，并在四个使用CI的开源项目上进行了实验。实验结果表明，与AFL和AFLGo相比，CIDFuzz可以将覆盖变化点的时间成本分别降低39.59%和41.64%。此外，CIDFuzz可以将复制漏洞的时间成本分别降低34.78%和25.55%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IET Software 工程技术-计算机：软件工程

CiteScore

4.20

自引率

0.00%

发文量

审稿时长

9 months

期刊介绍： IET Software publishes papers on all aspects of the software lifecycle, including design, development, implementation and maintenance. The focus of the journal is on the methods used to develop and maintain software, and their practical application. Authors are especially encouraged to submit papers on the following topics, although papers on all aspects of software engineering are welcome: Software and systems requirements engineering Formal methods, design methods, practice and experience Software architecture, aspect and object orientation, reuse and re-engineering Testing, verification and validation techniques Software dependability and measurement Human systems engineering and human-computer interaction Knowledge engineering; expert and knowledge-based systems, intelligent agents Information systems engineering Application of software engineering in industry and commerce Software engineering technology transfer Management of software development Theoretical aspects of software development Machine learning Big data and big code Cloud computing Current Special Issue. Call for papers: Knowledge Discovery for Software Development - https://digital-library.theiet.org/files/IET_SEN_CFP_KDSD.pdf Big Data Analytics for Sustainable Software Development - https://digital-library.theiet.org/files/IET_SEN_CFP_BDASSD.pdf