An Empirical Study of OSS-Fuzz Bugs (MSR 2021 - Technical Papers)

Who

Zhen Yu Ding, Claire Le Goues

Track

MSR 2021 Technical Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 19 May 2021 02:08 - 02:12 at MSR Room 1 - Bug Detection Chair(s): Raula Gaikovina Kula

Abstract

Continuous fuzzing is an increasingly popular technique for automated quality and security assurance. Google maintains OSS-Fuzz: a continuous fuzzing service for open source software. We conduct the first empirical study of OSS-Fuzz, analyzing 23,907 bugs found in 316 projects. We examine the characteristics of fuzzer-found faults, the lifecycles of such faults, and the evolution of fuzzing campaigns over time. We find that OSS-Fuzz is often effective at quickly finding bugs, and developers are often quick to patch them. However, flaky bugs, timeouts, and out of memory errors are problematic, people rarely file CVEs for security vulnerabilities, and fuzzing campaigns often exhibit punctuated equilibria, where developers might be surprised by large spikes in bugs found. Our findings have implications on future research and practice in fuzzing.

Link to Preprint

https://squareslab.github.io/materials/DingOSSFuzz21.pdf

Zhen Yu Ding

Motional

United States

Claire Le Goues

Carnegie Mellon University

United States

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 19 May
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

02:00 - 02:50	Bug DetectionMining Challenge / Data Showcase / Technical Papers at MSR Room 1 Chair(s): Raula Gaikovina Kula NAIST

02:01 4m Talk		Practitioners' Perceptions of the Goals and Visual Explanations of Defect Prediction Models Technical Papers Jirayus Jiarpakdee Monash University, Australia, Kla Tantithamthavorn Monash University, John Grundy Monash University Pre-print
02:05 3m Talk		On the Effectiveness of Deep Vulnerability Detectors to Simple Stupid Bug Detection Mining Challenge Jiayi Hua Beijing University of Posts and Telecommunications, Haoyu Wang Beijing University of Posts and Telecommunications Pre-print
02:08 4m Talk		An Empirical Study of OSS-Fuzz Bugs Technical Papers Zhen Yu Ding Motional, Claire Le Goues Carnegie Mellon University Pre-print
02:12 3m Talk		Denchmark: A Bug Benchmark of Deep Learning-related Software Data Showcase Misoo Kim Sungkyunkwan University, Youngkyoung Kim Sungkyunkwan University, Eunseok Lee Sungkyunkwan University
02:15 4m Talk		JITLine: A Simpler, Better, Faster, Finer-grained Just-In-Time Defect Prediction Technical Papers Chanathip Pornprasit Monash University, Kla Tantithamthavorn Monash University Pre-print
02:19 31m Live Q&A		Discussions and Q&A Technical Papers

Information for Participants

Wed 19 May 2021 02:00 - 02:50 at MSR Room 1 - Bug Detection Chair(s): Raula Gaikovina Kula

Info for room MSR Room 1:

Go directly to this room on Clowdr