Increasing Program Code Coverage Using Fuzzing and Targeted Branch Exploration
Author(s)
Nguyen, Gary
Advisor
Rinard, Martin
Abstract
Code coverage is a longstanding metric for evaluating how thoroughly a program has been tested. Achieving high coverage remains a priority goal for quality assurance and software stability. Exhaustive enumeration of possible input paths to every code region is desirable in theory but computationally infeasible in practice, especially in large-scale codebases. Fuzzing is a widely used technique for input generation and is effective at exploring smaller programs but often struggles with more complex conditional logic and nested modules. Concolic execution, which exhaustively explores paths using constraint solving, can work effectively with complex conditional logic but suffers from path explosion. Targeted branch exploration is a similar approach for input generation but sidesteps the path explosion problem by focusing more on specific constraint paths of interest.
In this thesis, I introduce a hybrid system that combines fuzzing and targeted branch exploration with the goal of improving code coverage by leveraging the complementary strengths of each. The system uses fuzzing to quickly generate a broad input corpus and follows up with targeted branch exploration to explore paths that fuzzing struggles to reach. Findings from experiments on two C projects of different complexities show that the system did not outperform the individual techniques in terms of raw coverage, revealing limitations of the approach and opportunities for future improvement.
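The two-stage pipeline the abstract describes (broad random fuzzing first, then a targeted step that drives execution through comparisons the fuzzer never satisfies) can be illustrated on a toy scale. The following Python is an added example written for this page; it is not the thesis's system and makes no claim about how that system solves branches. The target program, its hand-instrumented comparisons, and the "patch the observed constant into the input" solving step are all constructed simplifications that stand in for a real coverage-instrumented binary and a constraint solver.

```python
import random

# ---------------------------------------------------------------------------
# Constructed toy target. Each comparison goes through cmp(), which records
# the branch id, the input slice inspected and the constant it is compared
# against, so a later stage can reason about why a branch was not taken.
# ---------------------------------------------------------------------------
def run_target(data, trace):
    """Return how deep execution got (0-4); append comparison records to trace."""
    def cmp(branch_id, lo, hi, expected):
        taken = data[lo:hi] == expected
        trace.append((branch_id, taken, lo, hi, expected))
        return taken

    if len(data) < 8:
        return 0
    if not cmp("magic", 0, 4, b"FUZZ"):        # 32-bit magic: ~2^-32 per random try
        return 1
    if not cmp("version", 4, 6, b"\x00\x02"):  # nested check behind the magic
        return 2
    if not cmp("flags", 6, 8, b"\xde\xad"):    # deepest region of the toy program
        return 3
    return 4


def fuzz(iterations, rng, length=8):
    """Stage 1: random input generation. Keeps inputs that add new branch edges."""
    corpus, covered = [], set()
    for _ in range(iterations):
        data = bytes(rng.randrange(256) for _ in range(length))
        trace = []
        run_target(data, trace)
        edges = {(branch_id, taken) for branch_id, taken, *_ in trace}
        if edges - covered:
            covered |= edges
            corpus.append(data)
    return corpus, covered


def targeted_branch_exploration(corpus, covered):
    """Stage 2: for every comparison that was reached but never satisfied, build
    one candidate by writing the observed constant into an input that reached it.
    This direct patch is an assumed stand-in for real constraint solving; it only
    works because the toy comparisons are byte-for-byte equality checks."""
    work = list(corpus)
    while work:
        data = work.pop()
        trace = []
        run_target(data, trace)
        for branch_id, taken, lo, hi, expected in trace:
            if taken or (branch_id, True) in covered:
                continue
            candidate = data[:lo] + expected + data[hi:]
            new_trace = []
            run_target(candidate, new_trace)
            edges = {(b, t) for b, t, *_ in new_trace}
            if edges - covered:          # accept only inputs that add coverage
                covered |= edges
                corpus.append(candidate)
                work.append(candidate)   # newly reached comparisons get solved next
    return corpus, covered


def deepest_reached(corpus):
    """Deepest return value of run_target over the whole corpus."""
    return max((run_target(data, []) for data in corpus), default=0)


def hybrid(iterations=2000, seed=1):
    """Run both stages; return (edges after fuzzing only, edges after the hybrid)."""
    rng = random.Random(seed)
    corpus, covered = fuzz(iterations, rng)
    fuzz_only = set(covered)
    corpus, covered = targeted_branch_exploration(corpus, set(covered))
    return fuzz_only, covered, corpus


if __name__ == "__main__":
    fuzz_only, covered, corpus = hybrid()
    print("fuzzing alone:", sorted(fuzz_only))
    print("hybrid:       ", sorted(covered))
    print("deepest region reached:", deepest_reached(corpus))
```

On this toy, random fuzzing reaches only the false side of the magic check in 2000 iterations, while the targeted stage then satisfies each nested comparison in turn; six branch edges (both sides of three comparisons) is the total. The abstract's finding that the hybrid did not beat either technique on real C projects is a reminder that the gap between this idealised solve step and a real solver operating on real programs is exactly where the difficulty lies.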
Date issued
2025-09
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology