Fine-Grained Coverage-Based Fuzzing - Artifact
Creators
- 1. Université Paris-Saclay, CEA, List, France and University of Southern California, USA
- 2. Université Paris-Saclay, CEA, List, France
- 3. University of Southern California, USA
Description
Fuzzing is an effective software testing method that discovers bugs by feeding target applications with (a massive amount of) automatically generated inputs. Many state-of-the-art fuzzers use branch coverage as a feedback metric to guide the fuzzing process: the fuzzer retains an input for further mutation only if it increases branch coverage. However, branch coverage provides only a shallow sampling of program behaviours and hence may discard inputs that would be interesting to mutate. Our work aims at taking advantage of the large body of research on defining finer-grained code coverage metrics (such as control-flow or mutation coverage) and at evaluating how fuzzing performance is impacted when these metrics are used to select interesting inputs for mutation. We propose to make coverage-based fuzzers support most fine-grained coverage metrics out of the box (i.e., without changing fuzzer internals). We achieve this by making the test objectives defined by these metrics (such as conditions to activate or mutants to kill) explicit as new branches in the target program.
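The following C program is an added illustration of the idea described above; it is not part of the artifact and not the authors' tooling. It takes a small function under test and writes fine-grained test objectives (condition coverage and weak mutation coverage) out as explicit `if` branches that call a hypothetical `objective_reached` helper, so that an unmodified branch-coverage fuzzer would see a new branch taken the first time an input reaches one of them. The coverage map, the helper, the mutants and the sample inputs are all constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fuzzer's coverage map: one slot per test
   objective. Because each objective is reported from inside its own `if`,
   a branch-coverage fuzzer sees a new branch being taken the first time an
   input reaches it, and keeps that input for further mutation. */
#define NUM_OBJECTIVES 6
static bool objective_hit[NUM_OBJECTIVES];

/* Hypothetical reporting helper (not the artifact's own API). */
static void objective_reached(int id)
{
    if (id >= 0 && id < NUM_OBJECTIVES)
        objective_hit[id] = true;
}

/* Original program under test: branch feedback only records the outcome
   of the `if` as compiled, and knows nothing about mutants. */
int check_original(int a, int b)
{
    if (a > 0 && b > 0)
        return 1;
    return 0;
}

/* Same program with fine-grained objectives written out as explicit
   branches. The return value is unchanged. */
int check_instrumented(int a, int b)
{
    /* Condition coverage: both outcomes of each atomic condition.
       `b > 0` is recorded even when the original would short-circuit it. */
    if (a > 0) objective_reached(0); else objective_reached(1);
    if (b > 0) objective_reached(2); else objective_reached(3);

    /* Weak mutation coverage: a mutant is "killed" by an input on which it
       evaluates differently from the original expression. */
    if ((a > 0) != (a >= 0)) objective_reached(4); /* mutant: > replaced by >= */
    if ((b > 0) != (b > 1))  objective_reached(5); /* mutant: 0 replaced by 1 */

    if (a > 0 && b > 0)
        return 1;
    return 0;
}

/* Run a set of (a, b) inputs through the instrumented program and report how
   many objectives the set covers; the map is cleared first. */
int objectives_covered(const int (*inputs)[2], int n)
{
    memset(objective_hit, 0, sizeof objective_hit);
    for (int i = 0; i < n; i++)
        check_instrumented(inputs[i][0], inputs[i][1]);
    int count = 0;
    for (int i = 0; i < NUM_OBJECTIVES; i++)
        count += objective_hit[i] ? 1 : 0;
    return count;
}

/* Constructed inputs: (5,5) alone exercises only the "all true" path. */
int demo_seed_coverage(void)
{
    static const int seed[][2] = { {5, 5} };
    return objectives_covered(seed, 1);
}

/* Adding the boundary values 0 and 1 reaches the false outcome of each
   condition and kills both mutants. */
int demo_boundary_coverage(void)
{
    static const int boundary[][2] = { {5, 5}, {0, 1}, {1, 0} };
    return objectives_covered(boundary, 3);
}

int main(void)
{
    printf("seed only:     %d/%d objectives\n", demo_seed_coverage(), NUM_OBJECTIVES);
    printf("with boundary: %d/%d objectives\n", demo_boundary_coverage(), NUM_OBJECTIVES);
    return 0;
}
```

The inputs (0,1) and (1,0) would not be kept by a fuzzer that only tracks the outcome of the combined `if`, since both take the already-seen "return 0" path; with the objectives made explicit, each of them lights up new branches (the mutant kills and the false outcomes of the atomic conditions) and is therefore retained for mutation.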
The uploaded software contains the programs required to reproduce our evaluation results.
Files
Name | Size | Checksum
---|---|---
artifact.zip | 2.9 GB | md5:2a0632e1be4f63fdcdae33824e9260bb