Litcius/Paper detail

Fuzzing: on the exponential cost of vulnerability discovery

Marcel Böhme, Brandon Falk

202063 citationsDOI

Abstract

We present counterintuitive results for the scalability of fuzzing. Given the same non-deterministic fuzzer, finding the same bugs linearly faster requires linearly more machines. For instance, with twice the machines, we can find all known bugs in half the time. Yet, finding linearly more bugs in the same time requires exponentially more machines. For instance, for every new bug we want to find in 24 hours, we might need twice more machines. Similarly for coverage. With exponentially more machines, we can cover the same code exponentially faster, but uncovered code only linearly faster. In other words, re-discovering the same vulnerabilities is cheap but finding new vulnerabilities is expensive. This holds even under the simplifying assumption of no parallelization overhead.

Topics & Concepts

Fuzz testingComputer scienceScalabilityOverhead (engineering)Exponential growthVulnerability (computing)Cover (algebra)Exponential functionCode (set theory)Theoretical computer scienceSoftwareProgramming languageMathematicsComputer securityOperating systemSet (abstract data type)Mathematical analysisMechanical engineeringEngineeringSoftware Testing and Debugging TechniquesAdvanced Malware Detection TechniquesSoftware Reliability and Analysis Research
Fuzzing: on the exponential cost of vulnerability discovery | Litcius