| [Textbook] |
 |
The Fuzzing Book |
 |
Andreas Zeller, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler |
|
(One-line Abstract) Interactive, Jupyter-style textbook on fuzzing and automated test generation. |
|
Digital textbook available at https://www.fuzzingbook.org |
| | |
| [TOSEM'26] |
 |
Vital: Vulnerability-Oriented Symbolic Execution via Type-Unsafe Pointer-Guided Monte Carlo Tree Search |
 |
Haoxin Tu, Lingxiao Jiang, and Marcel Böhme |
|
(One-line Abstract) How to guide symbolic execution towards the most vulnerable parts of the execution tree using MCTS. |
|
ACM Transactions on Software Engineering and Methodology (TOSEM). 24pp. |
| | |
| [AAAI'26] |
 |
Incoherence as Oracle-less Measure of Error in LLM-Based Code Generation |
 |
Thomas Valentin, Ardi Madadi, Gaetano Sapia, and Marcel Böhme |
|
(One-line Abstract) How to estimate the correctness of an LLM-generated program when we have no specification or ground-truth available. |
|
Annual AAAI Conference on Artificial Intelligence (AAAI'26). 14pp. |
|
Note: Thomas fully developed this idea while he was an undergrad intern in our group. Fantastic work, Thomas! |
| | |
| [ICSE'26] |
 |
Scaling Security Testing by Addressing the Reachability Gap |
 |
Gaetano Sapia and Marcel Böhme |
|
(One-line Abstract) How to configure and interact with any software system to execute a given target functionality (and run invivo fuzzing)? |
|
IEEE/ACM International Conference on Software Engineering (ICSE'26). 12pp. |
|
Note: This is Gaetano's first paper, and it lays the foundation for much more interesting work in agentic security testing. Congrats Gaetano! |
| | |
| [ICSE'26] |
 |
Dependency-aware Residual Risk Analysis |
 |
Seongmin Lee and Marcel Böhme |
|
(One-line Abstract) First work to account for dependencies among coverage elements in residual risk estimation. |
|
IEEE/ACM International Conference on Software Engineering (ICSE'26). 12pp. |
| | |
| [ICSE'26] |
 |
On Interaction Effects in Greybox Fuzzing |
 |
Konstantinos Kitsios, Marcel Böhme, and Alberto Bacchelli |
|
(One-line Abstract) First work to identify and leverage interaction effects between mutation operators in greybox fuzzing. |
|
IEEE/ACM International Conference on Software Engineering (ICSE'26). 12pp. |
| | |
| [SP'26] |
 |
Cottontail: LLM-Driven Concolic Execution for Highly Structured Test Input Generation |
 |
Haoxin Tu, Seongmin Lee, Yuxian Li, Peng Chen, Lingxiao Jiang, and Marcel Böhme |
|
(One-line Abstract) How to perform concolic execution to generate highly structured test inputs for systematically testing parsing programs. |
|
IEEE Symposium on Security and Privacy (SP'26). 18pp. |
| | |
| [ISSTA'25] |
 |
Top Score on the Wrong Exam: On Benchmarking in Machine Learning for Vulnerability Detection |
 |
Niklas Risse, Jing Liu, Marcel Böhme |
|
(One-line Abstract) The most prevalent problem statement of ML4VD as a function-level binary classification problem is ill-defined. |
|
ACM SIGSOFT International Symposium on Software Testing and Analysis 2025 (ISSTA'25), 22 pages. |
|
Note: We published the code, data and results at https://github.com/niklasrisse/TopScoreWrongExam. |
|
Note: The supplementary material can be found at ISSTA25-supplementary.pdf. |
| 🏆 |
Award: Our paper was selected for the ACM Distinguished Paper Award! Congrats Niklas and Jing! |
| | |
| [IEEE S&P'25] |
 |
How to Solve Cybersecurity Once and For All |
 |
Marcel Böhme |
|
(One-line Abstract) We should stop trying to confirm the effectiveness of our defenses and start failing to find counterexamples. |
| 🌱 |
IEEE Security and Privacy, Vol. 23, Issue 3 (Invited Paper). |
|
Note: A much abbreviated version of my keynote at RAID'24. |
| | |
| [TOSEM'25] |
 |
Software Security Analysis in 2030 and Beyond: A Research Roadmap |
 |
Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello |
|
(One-line Abstract) Challenges and opportunities for the security analysis of our software systems of the future. |
| 🌱 |
ACM Transactions on Software Engineering and Methodology (Invited Paper). |
| | |
| [TOSEM'25] |
 |
Fuzzing: On Benchmarking Outcome as a Function of Benchmark Properties |
 |
Dylan Wolff, Marcel Böhme, Abhik Roychoudhury |
|
(One-line Abstract) How would fuzzer ranking change if programs were larger or initial seeds had more coverage? |
|
ACM Transactions on Software Engineering and Methodology, Just Accepted, 23 pages. |
| | |
| [TSE'25] |
 |
AFLNet Five Years Later: On Coverage-Guided Protocol Fuzzing |
 |
Ruijie Meng, Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury |
|
(One-line Abstract) State- and code-coverage-guided greybox fuzzing (Extended version of our ICSE'20 Tool Demo). |
|
IEEE Transactions on Software Engineering. |
|
Note: AFLNet is available on GitHub at https://github.com/aflnet/aflnet. |
| | |
| [ICLR'25] |
 |
How Much is Unseen Depends Chiefly on Information About the Seen |
 |
Seongmin Lee and Marcel Böhme |
|
(One-line Abstract) Significant progress on a beautiful statistical riddle. For instance, estimates training data representativeness. |
|
International Conference on Learning Representations (ICLR'25), 24 pages. |
|
Note: We published all data and analysis at https://github.com/niMgnoeSeeL/UnseenGA. |
| 🏆 |
Award: Our paper was selected as ICLR'25 Spotlight (Top 5%)! Congrats Seongmin! |
| | |
| [ICSE'25] |
 |
Invivo Fuzzing by Amplifying Actual Executions |
 |
Octavio Galland and Marcel Böhme |
|
(One-line Abstract) Don't attach a fuzzer using fuzz drivers! Inject a fuzzer and amplify any state. |
|
IEEE/ACM International Conference on Software Engineering 2025 (ICSE'25), 13 pages. |
|
Note: We published the prototype, exp. setup, and results at https://github.com/OctavioGalland/afllive. |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Available, Functional, and Reusable! |
| | |
| [ICSE'25] |
 |
Accounting for Missing Events in Statistical Information Leakage Analysis |
 |
Seongmin Lee, Shreyas Minocha, and Marcel Böhme |
|
(One-line Abstract) Estimating software privacy in the small sample regime. |
|
IEEE/ACM International Conference on Software Engineering 2025 (ICSE'25), 12 pages. |
|
Note: We published the prototype, exp. setup, and results at https://github.com/niMgnoeSeeL/ChaoMI. |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Available and Functional! |
| | |
| [FSE'25] |
 |
MendelFuzz: The Return of the Deterministic Stage |
 |
Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer |
|
(One-line Abstract) Can a fuzzer cover more code with minimal corruption of the initial seed? |
|
ACM International Conference on the Foundations of Software Engineering 2025 (FSE'25), 21 pages. |
|
Note: We published the prototype, exp. setup, and results at https://github.com/HexHive/MendelFuzz-Artifact. |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Available, Functional, and Reproduced! |
| 🏆 |
Award: Adopted as default mode in the most widely-used fuzzer AFL++ since v4.10c. |
| | |
| [USENIX Sec'24] |
 |
Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection |
 |
Niklas Risse and Marcel Böhme |
|
(One-line Abstract) Are machine learning models for vulnerability discovery as good as they seem? |
|
USENIX Security Symposium 2024 (USENIX Sec'24), 19 pages. |
|
Note: We published the code, data and results at https://github.com/niklasrisse/LimitsOfML4Vuln. |
| | |
| [CCS'24] |
 |
Testing Side-Channel Security of Crypto. Implementations Against Future Microarchitectures |
 |
G. Barthe, M. Böhme, S. Cauligi, C. Chuengsatiansup, D. Genkin, M. Guarnieri, D. Romero, P. Schwabe, D. Wu, and Y. Yarom |
|
(Two-line Abstract) Turns out all tested crypto impl. are vulnerable in the presence of recently proposed microarchitectures. |
|
--- even in spite of (and sometimes because of) coding idioms meant to mitigate side channels at the source code level. |
|
ACM Conference on Computer and Communications Security 2024 (CCS'24), 16 pages. |
|
Note: We published the prototype at https://github.com/hw-sw-contracts/leakage-model-testing. |
| 🏆 |
Award: Our paper received the ACM SIGSAC Distinguished Paper Award. Congrats all! |
| | |
| [ICSE'24] |
 |
Extrapolating Coverage Rate in Greybox Fuzzing |
 |
Danushka Liyanage, Seongmin Lee, Chakkrit Tantithamthavorn, and Marcel Böhme |
|
(One-line Abstract) How to *predict* the coverage rate of a greybox fuzzer in the future. |
|
IEEE/ACM International Conference on Software Engineering 2024 (ICSE'24), 13 pages. |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.10575734). |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Functional and Reusable! |
| | |
| [NDSS'24] |
 |
Large Language Model guided Protocol Fuzzing |
 |
Ruijie Meng, Martin Mirchev, Marcel Böhme, and Abhik Roychoudhury |
|
(One-line Abstract) How to make a fuzzer ask ChatGPT about the correct structure and order of messages as specified in 100+ pages of RFC. |
|
Network and Distributed System Security Symposium (NDSS) 2024, 15 pages. |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.8373804) and https://github.com/ChatAFLndss/ChatAFL. |
 |
Note: Inaugural NDSS Artifact Evaluation Committee evaluated our artifact as Available, Functional, and Reproduced! |
| 🏆 |
Award: Number 29 in the Normalized Top-100 Security Papers of all time. |
| | |
| [TSE'24] |
 |
Human-in-the-loop Automatic Program Repair |
 |
Charaka Geethal, Marcel Böhme, and Van-Thuan Pham |
|
(One-line Abstract) Learn2fix automatically "negotiates" with the user the condition under which the bug is observed before it repairs the bug. |
|
IEEE Transactions on Software Engineering (TSE), 2024, 24 pages. |
|
Note: Journal extension of our homonymous ICST'20 paper. |
|
Note: Our implementation, data, and scripts are available at: https://github.com/charakageethal/learn2fix-journal-ext/. |
| | |
| [CACM'23] |
 |
Boosting Fuzzer Efficiency: An Information Theoretic Perspective |
 |
Marcel Böhme, Valentin Manès, Sang Kil Cha |
|
(One-line Abstract) Every generated input reveals some information about the program. Maximizing information maximizes efficiency. |
|
Communications of the ACM (Vol. 66, No. 11) |
| 🏆 |
Award: CACM Research Highlight for the month of November. CACM is the monthly journal sent to all members of the ACM. Congrats all! |
|
Note: CACM Technical Perspective: "What's all the fuss about fuzzing?" by the amazing Gordon Fraser! |
| | |
| [ASE'23] |
 |
Precise Data-Driven Approximation for Program Analysis via Fuzzing |
 |
Nikhil Parasaram, Earl T. Barr, Sergey Mechtaev, and Marcel Böhme |
|
(One-line Abstract) Marry static analysis to over-/under-approx. the valid state space and fuzzing + stats to estimate the degree of validity. |
|
IEEE/ACM International Conference on Automated Software Engineering (ASE) 2023, 12 pages. |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.7902214). |
| | |
| [ESEC/FSE'23] |
 |
Statistical Reachability Analysis |
 |
Seongmin Lee and Marcel Böhme |
|
(One-line Abstract) Quantitative program analysis using a statistical rather than an analytical approach. |
|
ACM European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE) 2023, 12 pages |
|
Note: We published tools, data, and analysis at Zenodo (DOI 10.5281/zenodo.7612964). |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Functional and Reusable! |
| | |
| [ICSE'23] |
 |
Reachable Coverage: Estimating Saturation in Fuzzing |
 |
Danushka Liyanage, Marcel Böhme, Chakkrit Tantithamthavorn, and Stephan Lipp |
|
(One-line Abstract) Estimating the maximum achievable coverage by automatic test input generation. |
|
IEEE/ACM International Conference on Software Engineering 2023 (ICSE'23), 13 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.7571359). |
|
Note: Featured in the Fuzzing Weekly Newsletter (CW5). |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Available and Reusable! |
| | |
| [ICSE'23] |
 |
Evaluating the Impact of Experimental Assumptions in Automated Fault Localization |
 |
Ezekiel Soremekun, Lukas Kirschner, Marcel Böhme, and Mike Papadakis |
|
(One-line Abstract) Evaluating the assumptions that researchers make during debugging tool evaluations. |
|
IEEE International Conference on Software Engineering 2023 (ICSE'23), 13 pages |
|
Website: https://debugging-assumptions.github.io/ |
 |
Note: Artifact Evaluation Committee evaluated our artifact as Available and Reusable! |
| | |
| [ISSTA'23] |
 |
Green Fuzzing: A Saturation-based Stopping Criterion using Vulnerability Prediction |
 |
Stephan Lipp, Daniel Elsner, Severin Kacianka, Alexander Pretschner, Marcel Böhme, Sebastian Banescu |
|
(One-line Abstract) We suggest stopping a fuzzing campaign when the coverage of potentially vulnerable code saturates. |
|
ACM SIGSOFT International Symposium on Software Testing and Analysis 2023 (ISSTA'23), 13 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.7944722) and GitHub (https://github.com/tum-i4/green-fuzzing-artifacts). |
| | |
| [USENIX SEC'22] |
 |
Stateful Greybox Fuzzing |
 |
Jinsheng Ba, Marcel Böhme, Zahra Mirzamomen, Abhik Roychoudhury |
|
(One-line Abstract) Navigating an unknown state space by identifying and monitoring state variable values. |
|
USENIX Security Symposium (USENIX SEC) 2022, 18 pages |
|
Note: SGFuzz is available on GitHub: https://github.com/bajinsheng/SGFuzz |
| | |
| [ISSTA'22] |
 |
Human-in-the-loop Oracle Learning for Semantic Bugs in String Processing Programs |
 |
Charaka Geethal, Van-Thuan Pham, Aldeida Aleti, and Marcel Böhme |
|
(One-line Abstract) Learning to identify semantic bugs for string processing programs |
|
ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'22), 11 pages |
|
Note: We published data, analysis, and figures at https://github.com/charakageethal/grammar2fix. |
| | |
| [ICSE'22] |
 |
On the Reliability of Coverage-Based Fuzzer Benchmarking |
 |
Marcel Böhme, Laszlo Szekeres, Jonathan Metzman |
|
(One-line Abstract) We find a strong correlation but no strong agreement on fuzzer superiority in terms of coverage versus bugs. |
|
IEEE/ACM International Conference on Software Engineering 2022 (ICSE'22), 11 pages |
|
Note: We published data, analysis, and figures at Zenodo (DOI 10.5281/zenodo.6045830) and GitHub (https://github.com/icse22data/). |
|
Slides @Slideshare |
| | |
| [ICSE'22-NIER] |
 |
Statistical Reasoning about Programs |
 |
Marcel Böhme |
|
(One-line Abstract) Open challenges and new research directions for automated program analysis at scale. |
|
IEEE International Conference on Software Engineering 2022: New Ideas and Emerging Results (ICSE'22 NIER), 5 pages |
|
Slides @Slideshare |
| | |
| [IEEE TSE'22] |
 |
An Experimental Assessment of Using Theoretical Defect Predictors to Guide Search-Based Software Testing |
 |
Anjana Perera, Aldeida Aleti, Burak Turhan, Marcel Böhme |
|
(One-line Abstract) What is the impact of defect predictor accuracy on defectiveness-guided test generation? |
|
IEEE Transactions on Software Engineering (TSE), 16 pages |
| | |