{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T14:25:48Z","timestamp":1776954348152,"version":"3.51.4"},"reference-count":54,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","funder":[{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"crossref","award":["390781972"],"award-info":[{"award-number":["390781972"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"crossref"}]},{"name":"European Research Council","award":["850868"],"award-info":[{"award-number":["850868"]}]},{"DOI":"10.13039\/501100001711","name":"SNSF","doi-asserted-by":"crossref","award":["PCEGP2 186974"],"award-info":[{"award-number":["PCEGP2 186974"]}],"id":[{"id":"10.13039\/501100001711","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,19]]},"abstract":"<jats:p>Fuzz testing a software library requires developers to write fuzz drivers, specialized programs exercising the library. Given a driver, fuzzers generate interesting inputs that trigger the library\u2019s bugs. Writing fuzz drivers manually is a cumbersome process and they frequently hit a coverage plateau, calling for more diverse drivers. To alleviate the need for human expert knowledge, emerging automatic driver generation techniques invest computational time for tasks besides input generation. Therefore, to maximize the number of bugs found, it is crucial to carefully balance the available computational resources between generating valid drivers and testing them thoroughly. Current works model driver generation and testing as a single problem, i.e., they mutate both the driver\u2019s code and input together. This simple approach is limited, as many libraries need a combination of non-trivial library usage and complex inputs. 
For example, consider a JPEG manipulation library: bugs appear when specific library functions and corrupted images are coincidentally tested together, a combination that is difficult to trigger if both are mutated synchronously.  \nWe introduce libErator, a novel library testing approach that balances constrained computational resources to achieve two goals: (a) quickly generate valid fuzz drivers and (b) deeply test these drivers to find bugs. To achieve these goals, libErator employs three main techniques. First, we leverage insights from a novel static analysis on the library code to improve the likelihood of generating meaningful drivers. Second, we design a method to quickly discard non-functional drivers, further reducing the resources wasted on unfruitful drivers. Finally, we show an effective driver selection method that avoids redundant tests. We deploy libErator on 15 open-source libraries and evaluate it against manually written and automatically generated drivers. We show that libErator reaches comparable coverage to manually written drivers and, on average, exceeds coverage from existing automated driver generation techniques. More importantly, libErator automatically finds 24 confirmed bugs, 21 of which are already fixed and upstreamed. Among the bugs found, one was assigned a CVE while others contributed to the project test suites, thus showcasing the ability of libErator to create valid library usages. 
Finally, libErator achieves a 25% true positive ratio, doubling the state of the art.<\/jats:p>","DOI":"10.1145\/3729365","type":"journal-article","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:15:34Z","timestamp":1750346134000},"page":"2123-2145","source":"Crossref","is-referenced-by-count":1,"title":["Liberating Libraries through Automated Fuzz Driver Generation: Striking a Balance without Consumer Code"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7114-5640","authenticated-orcid":false,"given":"Flavio","family":"Toffalini","sequence":"first","affiliation":[{"name":"Ruhr University Bochum, Bochum, Germany"},{"name":"EPFL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0774-5166","authenticated-orcid":false,"given":"Nicolas","family":"Badoux","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-8575-8207","authenticated-orcid":false,"given":"Zurab","family":"Tsinadze","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5054-7547","authenticated-orcid":false,"given":"Mathias","family":"Payer","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, 
Switzerland"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,6,19]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3340456"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3213846.3213872"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616610"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00002"},{"key":"e_1_2_1_7_1","volume-title":"USENIX Security Symposium. 91","author":"Cowan Crispin","year":"2001","unstructured":"Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, Michael Frantzen, and Jamie Lokier. 2001. FormatGuard: Automatic Protection From printf Format String Vulnerabilities.. In USENIX Security Symposium. 91."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598067"},{"key":"e_1_2_1_9_1","volume-title":"14th USENIX Workshop on Offensive Technologies (WOOT 20)","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00df feldt, and Marc Heuse. 2020. AFL++ : Combining Incremental Steps of Fuzzing Research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association. https:\/\/www.usenix.org\/conference\/woot20\/presentation\/fioraldi"},{"key":"e_1_2_1_10_1","volume-title":"CASR: Crash Analysis and Severity Report. https:\/\/github.com\/ispras\/casr","author":"Ivannikov Institute for System Programming of the Russian Academy of Sciences.","year":"2023","unstructured":"Ivannikov Institute for System Programming of the Russian Academy of Sciences. 2023. CASR: Crash Analysis and Severity Report. 
https:\/\/github.com\/ispras\/casr"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025179"},{"key":"e_1_2_1_12_1","volume-title":"Twenty-Second International Joint Conference on Artificial Intelligence.","author":"Fujiwara Yasuhiro","year":"2011","unstructured":"Yasuhiro Fujiwara, Go Irie, and Tomoe Kitahara. 2011. Fast algorithm for affinity propagation. In Twenty-Second International Joint Conference on Artificial Intelligence."},{"key":"e_1_2_1_13_1","volume-title":"GreyOne: Data Flow Sensitive Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Gan Shuitao","year":"2020","unstructured":"Shuitao Gan, Chao Zhang, Peng Chen, Bodong Zhao, Xiaojun Qin, Dong Wu, and Zuoning Chen. 2020. GreyOne: Data Flow Sensitive Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2577\u20132594. isbn:978-1-939133-17-5 https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/gan"},{"key":"e_1_2_1_14_1","volume-title":"Fuzzing: Using automated testing to identify security bugs in software. https:\/\/www.microsoft.com\/en-us\/research\/blog\/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers\/","author":"Godefroid Patrice","year":"2020","unstructured":"Patrice Godefroid. 2020. Fuzzing: Using automated testing to identify security bugs in software. https:\/\/www.microsoft.com\/en-us\/research\/blog\/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers\/"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2090147.2094081"},{"key":"e_1_2_1_16_1","unstructured":"Google. 2020. Structure-Aware Fuzzing with libFuzzer. https:\/\/github.com\/google\/fuzzing\/blob\/bb05211c12328cb16327bb0d58c0c67a9a44576f\/docs\/structure-aware-fuzzing.md"},{"key":"e_1_2_1_17_1","unstructured":"On2 Technologies \/ Google. 2023. libvpx. 
https:\/\/chromium.googleource.com\/webm\/libvpx"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510228"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/325478.325519"},{"key":"e_1_2_1_20_1","unstructured":"Google inc.. 2023. A Framework for Fuzz Target Generation and Evaluation. https:\/\/github.com\/google\/oss-fuzz-gen"},{"key":"e_1_2_1_21_1","unstructured":"Google inc.. 2023. Fuzz target generation using LLMs. https:\/\/google.github.io\/oss-fuzz\/research\/llms\/target_generation\/"},{"key":"e_1_2_1_22_1","volume-title":"FuzzGen: Automatic Fuzzer Generation. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Ispoglou Kyriakos","year":"2020","unstructured":"Kyriakos Ispoglou, Daniel Austin, Vishwath Mohan, and Mathias Payer. 2020. FuzzGen: Automatic Fuzzer Generation. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 2271\u20132287. isbn:978-1-939133-17-5 https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/ispoglou"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179394"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24334"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00085"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the 2025 Network and Distributed System Security Symposium (NDSS","author":"Lin Jiayi","year":"2025","unstructured":"Jiayi Lin, Qingyu Zhang, Junzhe Li, Chenxin Sun, Hao Zhou, Changhua Luo, and Chenxiong Qian. 2025. Automatic Library Fuzzing through API Relation Evolvement. In Proceedings of the 2025 Network and Distributed System Security Symposium (NDSS 2025)."},{"key":"e_1_2_1_27_1","volume-title":"ViDeZZo: Dependency-aware Virtual Device Fuzzing. In 2023 IEEE Symposium on Security and Privacy (SP). 
3228\u20133245","author":"Liu Qiang","year":"2023","unstructured":"Qiang Liu, Flavio Toffalini, Yajin Zhou, and Mathias Payer. 2023. ViDeZZo: Dependency-aware Virtual Device Fuzzing. In 2023 IEEE Symposium on Security and Privacy (SP). 3228\u20133245."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00011"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510454.3516829"},{"key":"e_1_2_1_30_1","volume-title":"2015 IEEE 8th international conference on software testing, verification and validation (ICST). 1\u201310","author":"Mirshokraie Shabnam","year":"2015","unstructured":"Shabnam Mirshokraie, Ali Mesbah, and Karthik Pattabiraman. 2015. JSeft: Automated javascript unit test generation. In 2015 IEEE 8th international conference on software testing, verification and validation (ICST). 1\u201310."},{"key":"e_1_2_1_31_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"\u00d6sterlund Sebastian","year":"2020","unstructured":"Sebastian \u00d6sterlund, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2020. $ParmeSan$: Sanitizer-guided Greybox Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20). 2289\u20132306."},{"key":"e_1_2_1_32_1","volume-title":"Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion. 815\u2013816.","author":"Pacheco Carlos","unstructured":"Carlos Pacheco and Michael D Ernst. 2007. Randoop: feedback-directed random testing for Java. In Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion. 815\u2013816."},{"key":"e_1_2_1_33_1","first-page":"19","article-title":"A formal semantics for the C programming language","volume":"15","author":"Papaspyrou Nikolaos S","year":"1998","unstructured":"Nikolaos S Papaspyrou. 1998. A formal semantics for the C programming language. Doctoral Disseration. National Technical University of Athens. 
Athens (Greece), 15 (1998), 19.","journal-title":"Doctoral Disseration. National Technical University of Athens. Athens (Greece)"},{"key":"e_1_2_1_34_1","unstructured":"Greg Roelofs. 2023. libpng. http:\/\/www.libpng.org\/pub\/png\/libpng.html"},{"key":"e_1_2_1_35_1","doi-asserted-by":"crossref","unstructured":"Kosta Serebryany. 2016. Continuous fuzzing with libfuzzer and addresssanitizer. In 2016 IEEE Cybersecurity Development (SecDev). 157\u2013157.","DOI":"10.1109\/SecDev.2016.043"},{"key":"e_1_2_1_36_1","volume-title":"AddressSanitizer: A Fast Address Sanity Checker. In 2012 USENIX Annual Technical Conference (USENIX ATC 12)","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A Fast Address Sanity Checker. In 2012 USENIX Annual Technical Conference (USENIX ATC 12). USENIX Association, Boston, MA. 309\u2013318. isbn:978-931971-93-5 https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/serebryany"},{"key":"e_1_2_1_37_1","volume-title":"OSS-Fuzz - Google","author":"Kostya","unstructured":"Kostya Serebryany1. 2017. OSS-Fuzz - Google\u2019 s continuous fuzzing service for open source software. USENIX Association, Vancouver, BC."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892235"},{"key":"e_1_2_1_39_1","unstructured":"LLVM Team. 2013. LLVM profdata merge. https:\/\/llvm.org\/docs\/CommandGuide\/llvm-profdata.html#profdata-merge"},{"key":"e_1_2_1_40_1","unstructured":"The Clang Team. 2023. SanitizerCoverage. https:\/\/clang.llvm.org\/docs\/SanitizerCoverage.html"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","unstructured":"Flavio Toffalini Nicolas Badoux Zurab Tsidnadze and Mathias Payer. 2025. Artifact for libErator. 
https:\/\/doi.org\/10.5281\/zenodo.15201791 10.5281\/zenodo.15201791","DOI":"10.5281\/zenodo.15201791"},{"key":"e_1_2_1_42_1","volume-title":"RAID 2012, Amsterdam, The Netherlands, September 12-14, 2012. Proceedings 15","author":"der Veen Victor Van","year":"2012","unstructured":"Victor Van der Veen, Nitish Dutt-Sharma, Lorenzo Cavallaro, and Herbert Bos. 2012. Memory errors: The past, the present, and the future. In Research in Attacks, Intrusions, and Defenses: 15th International Symposium, RAID 2012, Amsterdam, The Netherlands, September 12-14, 2012. Proceedings 15. 86\u2013106."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.58"},{"key":"e_1_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Yanhao Wang Xiangkun Jia Yuwei Liu Kyle Zeng Tiffany Bao Dinghao Wu and Purui Su. 2020. Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization.. In NDSS.","DOI":"10.14722\/ndss.2020.24422"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180178"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2007.1078"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201924)","author":"Yunlong Lyu","year":"2024","unstructured":"Lyu Yunlong, Xie Yuxuan Chen Peng, and Chen Hao. 2024. Prompt Fuzzing for Fuzz Driver Generation. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS \u201924). Association for Computing Machinery."},{"key":"e_1_2_1_48_1","unstructured":"Michal Zalewski. 2013. american fuzzy lop. https:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"e_1_2_1_49_1","unstructured":"Hamzeh Zawawy and Jon Bottarini. 2023. Android goes all-in on fuzzing. https:\/\/security.googleblog.com\/2023\/08\/android-goes-all-in-on-fuzzing.html"},{"key":"e_1_2_1_50_1","volume-title":"Automata-Guided Control-Flow-Sensitive Fuzz Driver Generation. 
In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Zhang Cen","year":"2023","unstructured":"Cen Zhang, Yuekang Li, Hao Zhou, Xiaohan Zhang, Yaowen Zheng, Xian Zhan, Xiaofei Xie, Xiapu Luo, Xinghua Li, and Yang Liu. 2023. Automata-Guided Control-Flow-Sensitive Fuzz Driver Generation. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA. 2867\u20132884. isbn:978-1-939133-37-3 https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/zhang-cen"},{"key":"e_1_2_1_51_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Zhang Cen","year":"2021","unstructured":"Cen Zhang, Xingwei Lin, Yuekang Li, Yinxing Xue, Jundong Xie, Hongxu Chen, Xinlei Ying, Jiashui Wang, and Yang Liu. 2021. APICraft: Fuzz Driver Generation for Closed-source $SDK$ Libraries. In 30th USENIX Security Symposium (USENIX Security 21). 2811\u20132828."},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00041"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP58684.2023.00013"},{"key":"e_1_2_1_54_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Zheng Han","year":"2023","unstructured":"Han Zheng, Jiayuan Zhang, Yuhang Huang, Zezhong Ren, He Wang, Chunjie Cao, Yuqing Zhang, Flavio Toffalini, and Mathias Payer. 2023. FishFuzz: catch deeper bugs by throwing larger nets. In 32nd USENIX Security Symposium (USENIX Security 23). 
1343\u20131360."}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729365","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T15:24:36Z","timestamp":1750346676000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729365"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,19]]},"references-count":54,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2025,6,19]]}},"alternative-id":["10.1145\/3729365"],"URL":"https:\/\/doi.org\/10.1145\/3729365","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,19]]}}}