The Human Side of Fuzzing: Challenges Faced by Developers during Fuzzing Activities-Reference-Cited by-同舟云学术

The Human Side of Fuzzing: Challenges Faced by Developers during Fuzzing Activities

Published:2023-11-23 Issue:1 Volume:33 Page:1-26
ISSN:1049-331X
Container-title:ACM Transactions on Software Engineering and Methodology
language:en
Short-container-title:ACM Trans. Softw. Eng. Methodol.

Author:

Nourry Olivier¹^ORCID,Kashiwa Yutaro²^ORCID,Lin Bin³^ORCID,Bavota Gabriele⁴^ORCID,Lanza Michele⁴^ORCID,Kamei Yasutaka¹^ORCID

Affiliation:

1. Kyushu University, Japan

2. Nara Institute of Science and Technolog, Japan

3. Radboud University, The Netherlands

4. Università della Svizzera italiana, Switzerland

Abstract

Fuzz testing, also known as fuzzing, is a software testing technique aimed at identifying software vulnerabilities. In recent decades, fuzzing has gained increasing popularity in the research community. However, existing studies led by fuzzing experts mainly focus on improving the coverage and performance of fuzzing techniques. That is, there is still a gap in empirical knowledge regarding fuzzing, especially about the challenges developers face when they adopt fuzzing. Understanding these challenges can provide valuable insights to both practitioners and researchers on how to further improve fuzzing processes and techniques. We conducted a study to understand the challenges encountered by developers during fuzzing. More specifically, we first manually analyzed 829 randomly sampled fuzzing-related GitHub issues and constructed a taxonomy consisting of 39 types of challenges (22 related to the fuzzing process itself, 17 related to using external fuzzing providers). We then surveyed 106 fuzzing practitioners to verify the validity of our taxonomy and collected feedback on how the fuzzing process can be improved. Our taxonomy, accompanied with representative examples and highlighted implications, can serve as a reference point on how to better adopt fuzzing techniques for practitioners, and indicates potential directions researchers can work on toward better fuzzing approaches and practices.

Funder

JSPS and SNSF

JSPS

JST

Kyushu University for the Leading Human Resource Development Fellowship

Inamori Research Institute for Science

Publisher

Association for Computing Machinery (ACM)

Subject

Software

Link

https://dl.acm.org/doi/pdf/10.1145/3611668

Reference83 articles.

1. Anaconda. 2022. State of Data Science Report 2022. https://www.anaconda.com/state-of-data-science-report-2022

2. Apache software flaw could result in major breaches;Analytica Oxford;Emerald Expert Briefings,2021

3. Ijon: Exploring Deep State Spaces via Fuzzing

4. bitcoin/bitcoin. 2020. Issue #19557. https://github.com/bitcoin/bitcoin/issues/19557. Last accessed on 07-12-2022.

5. bitcoin/bitcoin. 2020. Issue #20088. https://github.com/bitcoin/bitcoin/issues/20088. Last accessed on 07-12-2022.

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Directed or Undirected: Investigating Fuzzing Strategies in a CI/CD Setup (Registered Report);Proceedings of the 3rd ACM International Fuzzing Workshop;2024-09-13

2. Shaken, Not Stirred: How Developers Like Their Amplified Tests;IEEE Transactions on Software Engineering;2024-05

3. Modularizing Directed Greybox Fuzzing for Binaries over Multiple CPU Architectures;Lecture Notes in Computer Science;2024

4. The Human Side of Fuzzing: Challenges Faced by Developers during Fuzzing Activities;ACM Transactions on Software Engineering and Methodology;2023-11-23