{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,4,30]],"date-time":"2025-04-30T05:09:32Z","timestamp":1745989772612,"version":"3.40.3"},"publisher-location":"Cham","reference-count":27,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031572555"},{"type":"electronic","value":"9783031572562"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,4,5]],"date-time":"2024-04-05T00:00:00Z","timestamp":1712275200000},"content-version":"vor","delay-in-days":95,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>We present a gray-box fuzzing approach based on several new ideas. While standard gray-box fuzzing aims to cover all branches of the input program, our approach primarily aims to cover both results of each Boolean expression. To achieve this goal, we track the distances to flipping these results and we dynamically detect the input bytes that influence the distance. Then we use this information to efficiently flip the results. More precisely, we apply gradient descent on the detected bytes or we create new inputs by using detected bytes from different inputs.<\/jats:p><jats:p>We implemented our approach in a tool called <jats:sc>Fizzer<\/jats:sc>. An evaluation on the benchmarks of Test-Comp 2023 shows that <jats:sc>Fizzer<\/jats:sc> is fully competitive with the winning tools of the competition, which use advanced formal methods like symbolic execution or bounded model checking, usually in combination with fuzzing.<\/jats:p>","DOI":"10.1007\/978-3-031-57256-2_5","type":"book-chapter","created":{"date-parts":[[2024,4,4]],"date-time":"2024-04-04T08:03:04Z","timestamp":1712217784000},"page":"90-109","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Gray-Box Fuzzing via Gradient Descent and Boolean Expression Coverage"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4703-0795","authenticated-orcid":false,"given":"Martin","family":"Jon\u00e1\u0161","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5873-403X","authenticated-orcid":false,"given":"Jan","family":"Strej\u010dek","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0009-6122-9574","authenticated-orcid":false,"given":"Marek","family":"Trt\u00edk","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0004-9781-3071","authenticated-orcid":false,"given":"Luk\u00e1\u0161","family":"Urban","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,4,5]]},"reference":[{"doi-asserted-by":"publisher","unstructured":"Aldughaim, M., Alshmrany, K.M., Gadelha, M.R., de\u00a0Freitas, R., Cordeiro, L.C.: FuSeBMC_IA: Interval analysis and methods for test case generation (competition contribution). In: Lambers, L., Uchitel, S. (eds.) Fundamental Approaches to Software Engineering - 26th International Conference, FASE 2023, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2023, Paris, France, April 22-27, 2023, Proceedings. Lecture Notes in Computer Science, vol. 13991, pp. 324\u2013329. Springer (2023). https:\/\/doi.org\/10.1007\/978-3-031-30826-0_18, https:\/\/doi.org\/10.1007\/978-3-031-30826-0_18","key":"5_CR1","DOI":"10.1007\/978-3-031-30826-0_18 10.1007\/978-3-031-30826-0_18"},{"doi-asserted-by":"publisher","unstructured":"Alshmrany, K.M., Aldughaim, M., Bhayat, A., Cordeiro, L.C.: FuSeBMC: An energy-efficient test generator for finding security vulnerabilities in C programs. In: Loulergue, F., Wotawa, F. (eds.) Tests and Proofs - 15th International Conference, TAP 2021, Held as Part of STAF 2021, Virtual Event, June 21-22, 2021, Proceedings. Lecture Notes in Computer Science, vol. 12740, pp. 85\u2013105. Springer (2021). https:\/\/doi.org\/10.1007\/978-3-030-79379-1_6, https:\/\/doi.org\/10.1007\/978-3-030-79379-1_6","key":"5_CR2","DOI":"10.1007\/978-3-030-79379-1_6 10.1007\/978-3-030-79379-1_6"},{"doi-asserted-by":"crossref","unstructured":"Alshmrany, K.M., Aldughaim, M., Bhayat, A., Cordeiro, L.C.: FuSeBMC v4: Smart seed generation for hybrid fuzzing. In: Johnsen, E.B., Wimmer, M. (eds.) Fundamental Approaches to Software Engineering. pp. 336\u2013340. Springer International Publishing, Cham (2022)","key":"5_CR3","DOI":"10.1007\/978-3-030-99429-7_19"},{"doi-asserted-by":"publisher","unstructured":"Bekrar, S., Bekrar, C., Groz, R., Mounier, L.: A taint based approach for smart fuzzing. In: Proceedings of the 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation. p. 818-825. ICST \u201912, IEEE Computer Society, USA (2012). https:\/\/doi.org\/10.1109\/ICST.2012.182, https:\/\/doi.org\/10.1109\/ICST.2012.182","key":"5_CR4","DOI":"10.1109\/ICST.2012.182 10.1109\/ICST.2012.182"},{"doi-asserted-by":"publisher","unstructured":"Beyer, D.: Software testing: 5th comparative evaluation: Test-Comp 2023. In: Lambers, L., Uchitel, S. (eds.) Fundamental Approaches to Software Engineering - 26th International Conference, FASE 2023, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2023, Paris, France, April 22-27, 2023, Proceedings. Lecture Notes in Computer Science, vol. 13991, pp. 309\u2013323. Springer (2023). https:\/\/doi.org\/10.1007\/978-3-031-30826-0_17, https:\/\/doi.org\/10.1007\/978-3-031-30826-0_17","key":"5_CR5","DOI":"10.1007\/978-3-031-30826-0_17 10.1007\/978-3-031-30826-0_17"},{"doi-asserted-by":"publisher","unstructured":"Beyer, D., Jakobs, M.: Cooperative verifier-based testing with CoVeriTest. Int. J. Softw. Tools Technol. Transf. 23(3), 313\u2013333 (2021). https:\/\/doi.org\/10.1007\/s10009-020-00587-8, https:\/\/doi.org\/10.1007\/s10009-020-00587-8","key":"5_CR6","DOI":"10.1007\/s10009-020-00587-8 10.1007\/s10009-020-00587-8"},{"doi-asserted-by":"publisher","unstructured":"Cha, S.K., Woo, M., Brumley, D.: Program-adaptive mutational fuzzing. In: 2015 IEEE Symposium on Security and Privacy. pp. 725\u2013741 (2015). https:\/\/doi.org\/10.1109\/SP.2015.50","key":"5_CR7","DOI":"10.1109\/SP.2015.50"},{"doi-asserted-by":"publisher","unstructured":"Chen, P., Chen, H.: Angora: Efficient fuzzing by principled search. In: 2018 IEEE Symposium on Security and Privacy (SP). pp. 711\u2013725 (2018). https:\/\/doi.org\/10.1109\/SP.2018.00046","key":"5_CR8","DOI":"10.1109\/SP.2018.00046"},{"doi-asserted-by":"publisher","unstructured":"Chen, P., Liu, J., Chen, H.: Matryoshka: Fuzzing deeply nested branches. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. p. 499-513. CCS \u201919, Association for Computing Machinery, New York, NY, USA (2019). https:\/\/doi.org\/10.1145\/3319535.3363225, https:\/\/doi.org\/10.1145\/3319535.3363225","key":"5_CR9","DOI":"10.1145\/3319535.3363225 10.1145\/3319535.3363225"},{"doi-asserted-by":"publisher","unstructured":"Ganesh, V., Leek, T., Rinard, M.: Taint-based directed whitebox fuzzing. In: Proceedings of the 31st International Conference on Software Engineering. p. 474-484. ICSE \u201909, IEEE Computer Society, USA (2009). https:\/\/doi.org\/10.1109\/ICSE.2009.5070546, https:\/\/doi.org\/10.1109\/ICSE.2009.5070546","key":"5_CR10","DOI":"10.1109\/ICSE.2009.5070546 10.1109\/ICSE.2009.5070546"},{"doi-asserted-by":"crossref","unstructured":"Godefroid, P., Levin, M.Y., Molnar, D.: SAGE: whitebox fuzzing for security testing. Communications of the ACM 55(3), 40\u201344 (2012)","key":"5_CR11","DOI":"10.1145\/2093548.2093564"},{"unstructured":"Haller, I., Slowinska, A., Neugschwandtner, M., Bos, H.: Dowsing for overflows: A guided fuzzer to find buffer boundary violations. In: Proceedings of the 22nd USENIX Conference on Security. p. 49-64. SEC\u201913, USENIX Association, USA (2013)","key":"5_CR12"},{"doi-asserted-by":"publisher","unstructured":"Jon\u00e1\u0161, M., Strej\u010dek, J., Trt\u00edk, M., Urban, L.: Fizzer: Artifact for TACAS 2024 evaluation (Dec 2023). https:\/\/doi.org\/10.5281\/zenodo.10440311","key":"5_CR13","DOI":"10.5281\/zenodo.10440311"},{"unstructured":"Jon\u00e1\u0161, M., Strej\u010dek, J., Trt\u00edk, M., Urban, L.: Fizzer: Git repository (2023), https:\/\/github.com\/staticafi\/sbt-fizzer","key":"5_CR14"},{"unstructured":"Jon\u00e1\u0161, M., Strej\u010dek, J., Trt\u00edk, M., Urban, L.: Gray-box fuzzing via gradient descent and Boolean expression coverage. Tech. rep., Masaryk University, Brno (2024), https:\/\/arxiv.org\/abs\/2401.12643","key":"5_CR15"},{"doi-asserted-by":"publisher","unstructured":"Kim, Y., Yoon, J.: Maxafl: Maximizing code coverage with a gradient-based optimization technique. Electronics 10(1) (2021). https:\/\/doi.org\/10.3390\/electronics10010011, https:\/\/www.mdpi.com\/2079-9292\/10\/1\/11","key":"5_CR16","DOI":"10.3390\/electronics10010011"},{"doi-asserted-by":"publisher","unstructured":"Liang, G., Liao, L., Xu, X., Du, J., Li, G., Zhao, H.: Effective fuzzing based on dynamic taint analysis. In: 2013 Ninth International Conference on Computational Intelligence and Security. pp. 615\u2013619 (2013). https:\/\/doi.org\/10.1109\/CIS.2013.135","key":"5_CR17","DOI":"10.1109\/CIS.2013.135"},{"doi-asserted-by":"publisher","unstructured":"Liang, H., Pei, X., Jia, X., Shen, W., Zhang, J.: Fuzzing: State of the art. IEEE Transactions on Reliability 67(3), 1199\u20131218 (2018). https:\/\/doi.org\/10.1109\/TR.2018.2834476","key":"5_CR18","DOI":"10.1109\/TR.2018.2834476"},{"doi-asserted-by":"publisher","unstructured":"Liang, J., Wang, M., Zhou, C., Wu, Z., Jiang, Y., Liu, J., Liu, Z., Sun, J.: PATA: Fuzzing with path aware taint analysis. In: 2022 IEEE Symposium on Security and Privacy (SP). pp. 1\u201317 (2022). https:\/\/doi.org\/10.1109\/SP46214.2022.9833594","key":"5_CR19","DOI":"10.1109\/SP46214.2022.9833594"},{"doi-asserted-by":"publisher","unstructured":"Liu, D., Ernst, G., Murray, T., Rubinstein, B.I.P.: Legion: Best-first concolic testing. In: Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering. p. 54-65. ASE \u201920, Association for Computing Machinery, New York, NY, USA (2021). https:\/\/doi.org\/10.1145\/3324884.3416629, https:\/\/doi.org\/10.1145\/3324884.3416629","key":"5_CR20","DOI":"10.1145\/3324884.3416629 10.1145\/3324884.3416629"},{"doi-asserted-by":"publisher","unstructured":"Metta, R., Yeduru, P., Karmarkar, H., Medicherla, R.K.: VeriFuzz 1.4: Checking for (non-)termination (competition contribution). In: Sankaranarayanan, S., Sharygina, N. (eds.) Tools and Algorithms for the Construction and Analysis of Systems - 29th International Conference, TACAS 2023, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2022, Paris, France, April 22-27, 2023, Proceedings, Part II. Lecture Notes in Computer Science, vol. 13994, pp. 594\u2013599. Springer (2023). https:\/\/doi.org\/10.1007\/978-3-031-30820-8_42, https:\/\/doi.org\/10.1007\/978-3-031-30820-8_42","key":"5_CR21","DOI":"10.1007\/978-3-031-30820-8_42 10.1007\/978-3-031-30820-8_42"},{"doi-asserted-by":"publisher","unstructured":"Paduraru, C., Melemciuc, M.C., Ghimis, B.: Fuzz testing with dynamic taint analysis based tools for faster code coverage. In: Proceedings of the 14th International Conference on Software Technologies. p. 82-93. ICSOFT 2019, SCITEPRESS - Science and Technology Publications, Lda, Setubal, PRT (2019). https:\/\/doi.org\/10.5220\/0007921300820093, https:\/\/doi.org\/10.5220\/0007921300820093","key":"5_CR22","DOI":"10.5220\/0007921300820093 10.5220\/0007921300820093"},{"doi-asserted-by":"crossref","unstructured":"Rawat, S., Jain, V., Kumar, A., Cojocar, L., Giuffrida, C., Bos, H.: VUzzer: Application-aware evolutionary fuzzing. In: NDSS. vol.\u00a017, pp. 1\u201314 (2017)","key":"5_CR23","DOI":"10.14722\/ndss.2017.23404"},{"doi-asserted-by":"crossref","unstructured":"She, D., Pei, K., Epstein, D., Yang, J., Ray, B., Jana, S.: Neuzz: Efficient fuzzing with neural program smoothing. In: 2019 IEEE Symposium on Security and Privacy (SP). pp. 803\u2013817. IEEE (2019)","key":"5_CR24","DOI":"10.1109\/SP.2019.00052"},{"doi-asserted-by":"publisher","unstructured":"Wang, T., Wei, T., Gu, G., Zou, W.: TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In: 2010 IEEE Symposium on Security and Privacy. pp. 497\u2013512 (2010). https:\/\/doi.org\/10.1109\/SP.2010.37","key":"5_CR25","DOI":"10.1109\/SP.2010.37"},{"doi-asserted-by":"publisher","unstructured":"You, W., Liu, X., Ma, S., Perry, D., Zhang, X., Liang, B.: SLF: Fuzzing without valid seed inputs. In: Proceedings of the 41st International Conference on Software Engineering. p. 712-723. ICSE \u201919, IEEE Press (2019). https:\/\/doi.org\/10.1109\/ICSE.2019.00080, https:\/\/doi.org\/10.1109\/ICSE.2019.00080","key":"5_CR26","DOI":"10.1109\/ICSE.2019.00080 10.1109\/ICSE.2019.00080"},{"unstructured":"Zalewski, M.: American fuzzy lop (2013), http:\/\/lcamtuf.coredump.cx\/afl\/.","key":"5_CR27"}],"container-title":["Lecture Notes in Computer Science","Tools and Algorithms for the Construction and Analysis of Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-57256-2_5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,4]],"date-time":"2024-04-04T08:07:07Z","timestamp":1712218027000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-57256-2_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9783031572555","9783031572562"],"references-count":27,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-57256-2_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"5 April 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"TACAS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Tools and Algorithms for the Construction and Analysis of Systems","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg City","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6 April 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 April 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"tacas2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/etaps.org\/2024\/conferences\/tacas\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"159","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"53","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"16","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"33% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"10","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}