DyFuzz: Skeleton-based Fuzzing for Python Libraries

• Published in: 2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security (QRS) pp. 325 - 336
• Main Authors: Xia, Xinmeng, Feng, Yang
• Format: Conference Proceeding
• Language: English
• Published: IEEE 22.10.2023
• Subjects: Computer bugs; Fuzzing; Libraries; Library Testing; Programming; Python; Skeleton; Software quality; Software reliability
• ISSN: 2693-9177
• DOI: 10.1109/QRS60937.2023.00040

Programming libraries are indispensable for programming languages. Programmers can access the pre-written codes in these libraries via the application programmable interfaces (API), optimizing and accelerating their programming tasks. However, defects in these libraries may cause unexpected software behaviors, threatening their robustness and safety. Thus, it is crucial to ensure the quality of the libraries. This paper explores an alternative approach, namely Fuzzing Skeleton API (FSA), for detecting library bugs in Python. For the given API, FSA aims to generate massive inputs, i.e., different argument combinations, and pass them to the API to verify its correctness and reliability. To realize this, FSA first abstracts the API into a skeleton by modeling its usage of parameters as placeholders. Then, it can generate the seed API calls by filling these placeholders with pre-defined arguments. Finally, the approach incorporates four mutation strategies, i.e., bit mutation, literal mutation, element mutation, and attribute mutation, to mutate different arguments and hence generate massive API calls. We have implemented the proposed approach into an automated tool, namely DyFuzz, for testing Python libraries. In less than one month of the fuzzing experiment, DyFuzz detected 14 library bugs, of which nine have been confirmed as unknown bugs.