Hypothesis: Code Coverage and Fuzzing
In the security arena, fuzzing has traditionally exposed
potential security holes by throwing random garbage at a target,
hoping that some code path will fail while consuming that data. The
probability of execution flowing through a particular block of code
is the sum of the probabilities of the conditional branches leading
to it. Simply put, if there are areas of code that are never executed
during typical fuzz testing, then applying code coverage
methodologies will reveal those unexecuted branches. Graphical code
coverage analysis using control flow graphs (CFGs) helps determine
which code paths have been executed, even without the use of symbol
tables. This process allows the tester to identify branch execution
more easily, and then to design fuzz testing methods that properly
attain complete code coverage. Prior experiments aimed at determining
the effectiveness of code coverage techniques indicate that ensuring
branch execution coverage improves the likelihood of discovering
binary faults.
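To make the hypothesis concrete, the following added example (not part of the original text) fuzzes a constructed toy record parser twice: once with random garbage and once with inputs designed after reading the list of unexecuted blocks. Block names stand in for the basic-block addresses a CFG-based tool would recover from a binary, and the parser contains a constructed off-by-one fault on its deepest path; the parser, the block list and both input generators are assumptions made for illustration.

```python
import random

# Static view of the target: every basic block a CFG walk would enumerate (constructed).
ALL_BLOCKS = {"entry", "short", "bad_magic", "good_magic", "len_ok", "len_bad",
              "payload_loop", "checksum_ok", "checksum_bad"}


class BlockCoverage:
    """Records which basic blocks executed; the CFG gives us the complement."""

    def __init__(self):
        self.hit = set()

    def mark(self, block):
        self.hit.add(block)

    def unexecuted(self):
        return ALL_BLOCKS - self.hit


def parse_record(data, cov):
    """Toy format (constructed): 4-byte magic 'RECD', 1-byte length, payload, 1-byte checksum."""
    cov.mark("entry")
    if len(data) < 6:
        cov.mark("short")
        return None
    if data[:4] != b"RECD":
        cov.mark("bad_magic")
        return None
    cov.mark("good_magic")
    length = data[4]
    if length > len(data) - 6:
        cov.mark("len_bad")
        return None
    cov.mark("len_ok")
    payload = data[5:5 + length]
    total = 0
    for b in payload:
        cov.mark("payload_loop")
        total = (total + b) & 0xFF
    if total != data[5 + length]:
        cov.mark("checksum_bad")
        return None
    cov.mark("checksum_ok")
    # Constructed fault: reads one byte past the checksum, so a record that ends
    # exactly at the checksum raises IndexError. Only reachable via checksum_ok.
    _trailer = data[6 + length]
    return payload


def run_campaign(inputs):
    """Feed every input to the parser, collecting coverage and crashing inputs."""
    cov = BlockCoverage()
    crashes = []
    for data in inputs:
        try:
            parse_record(data, cov)
        except IndexError:
            crashes.append(data)
    return cov, crashes


def random_inputs(count, seed=1):
    """Traditional fuzzing: random bytes of random length (0..16)."""
    rng = random.Random(seed)
    for _ in range(count):
        yield bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 16)))


def structured_inputs(count, seed=1):
    """Generator written after seeing that good_magic and everything below it
    never executed: fix the magic, then vary length validity and checksum validity."""
    rng = random.Random(seed)
    for _ in range(count):
        payload = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 8)))
        length = rng.choice([len(payload), len(payload) + 1])  # half the time too long
        chk = sum(payload) & 0xFF
        if rng.random() < 0.3:
            chk ^= 0xFF  # sometimes corrupt the checksum to reach checksum_bad
        yield b"RECD" + bytes([length]) + payload + bytes([chk])


if __name__ == "__main__":
    cov, crashes = run_campaign(random_inputs(1000))
    print("random fuzzing, unexecuted blocks:", sorted(cov.unexecuted()), "crashes:", len(crashes))
    cov, crashes = run_campaign(structured_inputs(200))
    print("coverage-informed fuzzing, unexecuted blocks:", sorted(cov.unexecuted()), "crashes:", len(crashes))
```

With random input the four-byte magic check is passed with probability 2^-32 per attempt, so the entire subtree below `good_magic` stays unexecuted and the fault is never observed; the coverage report makes that gap visible, and the second generator, built only from that report, reaches every remaining block and surfaces the crash within a few hundred inputs.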