Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep



Hypothesis: Code Coverage and Fuzzing

In the security arena, fuzzing has traditionally exposed potential security holes by throwing random garbage at a target in the hope that some code path will fail while consuming that data. The possibility of execution flowing through a particular block of code is the sum of the probabilities of the conditional branches leading to that block. Put simply, if there are areas of code that are never executed during typical fuzz testing, applying code coverage methods will reveal those unexecuted branches. Graphical code coverage analysis using control flow graphs (CFGs) helps determine which code paths have been executed, even without symbol tables. This lets the tester identify branch execution more easily and then design fuzz tests that attain complete code coverage. Prior experiments aimed at determining the effectiveness of code coverage techniques indicate that ensuring branch execution coverage improves the likelihood of discovering binary faults.
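As an added illustration, not taken from the Uninformed article, the Python sketch below uses a constructed toy record parser whose basic blocks record when they execute, standing in for the per-block breakpoints or trace hooks a CFG-based coverage tool would place. It shows that blind random input almost never reaches the deeper blocks, and that listing the uncovered blocks tells the tester which branches the next round of inputs must be designed to hit; the seed record and block names are assumptions made for the example.

```python
import random

# Basic blocks of the toy parser below, in CFG order (constructed for this example).
BLOCKS = ("entry", "short", "bad_magic", "bad_version", "bad_length", "ok")

def parse_record(data: bytes, hit: set) -> str:
    """Toy record parser. Each basic block records its name in `hit`, standing in
    for the breakpoint or trace hook a coverage tool would place on that block."""
    hit.add("entry")
    if len(data) < 4:
        hit.add("short")
        return "short"
    if data[:2] != b"UI":            # magic bytes
        hit.add("bad_magic")
        return "bad-magic"
    if data[2] != 5:                 # format version
        hit.add("bad_version")
        return "bad-version"
    if data[3] > len(data) - 4:      # declared payload length vs. bytes present
        hit.add("bad_length")
        return "bad-length"
    hit.add("ok")
    return "ok"

def fuzz(inputs):
    """Run every input through the parser and return the set of blocks executed."""
    hit = set()
    for data in inputs:
        parse_record(data, hit)
    return hit

def uncovered(hit):
    """Blocks the fuzz run never reached: the targets for the next test design."""
    return [b for b in BLOCKS if b not in hit]

def random_inputs(n, seed=1):
    """Blind fuzzing: random garbage of random length (0-16 bytes)."""
    rng = random.Random(seed)
    return [bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 16))) for _ in range(n)]

def mutated_inputs(seed_input, n, seed=1):
    """Coverage-informed fuzzing: change one byte of a known-valid record per case."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        buf = bytearray(seed_input)
        buf[rng.randrange(len(buf))] = rng.getrandbits(8)
        out.append(bytes(buf))
    return out

if __name__ == "__main__":
    blind = fuzz(random_inputs(2000))
    print("blind fuzzing missed:", uncovered(blind))       # the deep blocks never run
    guided = fuzz(mutated_inputs(b"UI\x05\x02ab", 200))     # assumed valid seed record
    print("seeded mutation missed:", uncovered(guided))     # only the 'short' block
    print("combined missed:", uncovered(blind | guided))    # nothing
```

The uncovered list after the blind run is exactly the information the text says coverage analysis provides: the branches behind the magic and version checks that random data has no realistic chance of reaching.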


