---
_id: '60538'
abstract:
- lang: eng
  text: |-
    <jats:p>Greybox fuzzing is used extensively in research and practice. There are umpteen publications that improve greybox fuzzing. However, to what extent do these improvements affect the internal components or internals of a given fuzzer is not yet understood as the improvements are mostly evaluated using code coverage and bug finding capability. Such an evaluation is insufficient to understand the effect of improvements on the fuzzer internals. Some of the literature visualizes the outcomes of fuzzing to enhance the understanding. However, they only focus on high-level information and no previous research on visualization has been dedicated to understanding fuzzing internals.</jats:p>
              <jats:p>To close this gap, we propose the first step towards development of a fuzzing-specific visualization framework: a taxonomy of visualization analysis tasks that fuzzing experts desire to help them understand the fuzzing internals. Our approach involves conducting interviews with fuzzing experts and using qualitative data analysis to systematically extract the task taxonomy from the interview data. We also evaluate the support of existing fuzzing visualization tools through the lens of our taxonomy. In our study, we have conducted 33 interviews with fuzzing practitioners and extracted a taxonomy of 120 visualization analysis tasks. Our evaluation shows that the existing fuzzing visualization tools only provide aids to support 10 of them.</jats:p>
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  last_name: Kummita
- first_name: Miao
  full_name: Miao, Miao
  last_name: Miao
- first_name: Eric
  full_name: Bodden, Eric
  last_name: Bodden
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
citation:
  ama: Kummita S, Miao M, Bodden E, Wei S. Visualization Task Taxonomy to Understand
    the Fuzzing Internals. <i>ACM Transactions on Software Engineering and Methodology</i>.
    Published online 2025. doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>
  apa: Kummita, S., Miao, M., Bodden, E., &#38; Wei, S. (2025). Visualization Task
    Taxonomy to Understand the Fuzzing Internals. <i>ACM Transactions on Software
    Engineering and Methodology</i>. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>
  bibtex: '@article{Kummita_Miao_Bodden_Wei_2025, title={Visualization Task Taxonomy
    to Understand the Fuzzing Internals}, DOI={<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>},
    journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association
    for Computing Machinery (ACM)}, author={Kummita, Sriteja and Miao, Miao and Bodden,
    Eric and Wei, Shiyi}, year={2025} }'
  chicago: Kummita, Sriteja, Miao Miao, Eric Bodden, and Shiyi Wei. “Visualization
    Task Taxonomy to Understand the Fuzzing Internals.” <i>ACM Transactions on Software
    Engineering and Methodology</i>, 2025. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>.
  ieee: 'S. Kummita, M. Miao, E. Bodden, and S. Wei, “Visualization Task Taxonomy
    to Understand the Fuzzing Internals,” <i>ACM Transactions on Software Engineering
    and Methodology</i>, 2025, doi: <a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.'
  mla: Kummita, Sriteja, et al. “Visualization Task Taxonomy to Understand the Fuzzing
    Internals.” <i>ACM Transactions on Software Engineering and Methodology</i>, Association
    for Computing Machinery (ACM), 2025, doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.
  short: S. Kummita, M. Miao, E. Bodden, S. Wei, ACM Transactions on Software Engineering
    and Methodology (2025).
date_created: 2025-07-07T20:25:27Z
date_updated: 2025-07-07T20:26:48Z
doi: 10.1145/3718346
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Visualization Task Taxonomy to Understand the Fuzzing Internals
type: journal_article
user_id: '72582'
year: '2025'
...
---
_id: '61108'
abstract:
- lang: eng
  text: "<jats:p>Greybox fuzzing is used extensively in research and practice. There
    are umpteen publications that improve greybox fuzzing. However, to what extent
    do these improvements affect the internal components or internals of a given fuzzer
    is not yet understood as the improvements are mostly evaluated using code coverage
    and bug finding capability. Such an evaluation is insufficient to understand the
    effect of improvements on the fuzzer internals. Some of the literature visualizes
    the outcomes of fuzzing to enhance the understanding. However, they only focus
    on high-level information and no previous research on visualization has been dedicated
    to understanding fuzzing internals.</jats:p>\r\n          <jats:p>To close this
    gap, we propose the first step towards development of a fuzzing-specific visualization
    framework: a taxonomy of visualization analysis tasks that fuzzing experts desire
    to help them understand the fuzzing internals. Our approach involves conducting
    interviews with fuzzing experts and using qualitative data analysis to systematically
    extract the task taxonomy from the interview data. We also evaluate the support
    of existing fuzzing visualization tools through the lens of our taxonomy. In our
    study, we have conducted 33 interviews with fuzzing practitioners and extracted
    a taxonomy of 120 visualization analysis tasks. Our evaluation shows that the
    existing fuzzing visualization tools only provide aids to support 10 of them.</jats:p>"
article_number: '3718346'
author:
- first_name: Sriteja
  full_name: Kummita, Sriteja
  id: '72582'
  last_name: Kummita
- first_name: Miao
  full_name: Miao, Miao
  last_name: Miao
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Shiyi
  full_name: Wei, Shiyi
  last_name: Wei
citation:
  ama: Kummita S, Miao M, Bodden E, Wei S. Visualization Task Taxonomy to Understand
    the Fuzzing Internals. <i>ACM Transactions on Software Engineering and Methodology</i>.
    Published online 2025. doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>
  apa: Kummita, S., Miao, M., Bodden, E., &#38; Wei, S. (2025). Visualization Task
    Taxonomy to Understand the Fuzzing Internals. <i>ACM Transactions on Software
    Engineering and Methodology</i>, Article 3718346. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>
  bibtex: '@article{Kummita_Miao_Bodden_Wei_2025, title={Visualization Task Taxonomy
    to Understand the Fuzzing Internals}, DOI={<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>},
    number={3718346}, journal={ACM Transactions on Software Engineering and Methodology},
    publisher={Association for Computing Machinery (ACM)}, author={Kummita, Sriteja
    and Miao, Miao and Bodden, Eric and Wei, Shiyi}, year={2025} }'
  chicago: Kummita, Sriteja, Miao Miao, Eric Bodden, and Shiyi Wei. “Visualization
    Task Taxonomy to Understand the Fuzzing Internals.” <i>ACM Transactions on Software
    Engineering and Methodology</i>, 2025. <a href="https://doi.org/10.1145/3718346">https://doi.org/10.1145/3718346</a>.
  ieee: 'S. Kummita, M. Miao, E. Bodden, and S. Wei, “Visualization Task Taxonomy
    to Understand the Fuzzing Internals,” <i>ACM Transactions on Software Engineering
    and Methodology</i>, Art. no. 3718346, 2025, doi: <a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.'
  mla: Kummita, Sriteja, et al. “Visualization Task Taxonomy to Understand the Fuzzing
    Internals.” <i>ACM Transactions on Software Engineering and Methodology</i>, 3718346,
    Association for Computing Machinery (ACM), 2025, doi:<a href="https://doi.org/10.1145/3718346">10.1145/3718346</a>.
  short: S. Kummita, M. Miao, E. Bodden, S. Wei, ACM Transactions on Software Engineering
    and Methodology (2025).
date_created: 2025-09-01T10:15:26Z
date_updated: 2025-09-01T10:16:03Z
department:
- _id: '76'
doi: 10.1145/3718346
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Visualization Task Taxonomy to Understand the Fuzzing Internals
type: journal_article
user_id: '15249'
year: '2025'
...
---
_id: '61126'
abstract:
- lang: eng
  text: |-
    <jats:p>
                Reusable software libraries, frameworks, and components, such as those provided by open source ecosystems and third-party suppliers, accelerate digital innovation. However, recent years have shown almost exponential growth in attackers leveraging these software artifacts to launch software supply chain attacks. Past well-known software supply chain attacks include the SolarWinds, log4j, and xz utils incidents. Supply chain attacks are considered to have three major attack vectors: through vulnerabilities and malware accidentally or intentionally injected into open source and third-party
                <jats:italic>dependencies/components/containers</jats:italic>
                ; by infiltrating the
                <jats:italic>build infrastructure</jats:italic>
                during the build and deployment processes; and through targeted techniques aimed at the
                <jats:italic>humans</jats:italic>
                involved in software development, such as through social engineering. Plummeting trust in the software supply chain could decelerate digital innovation if the software industry reduces its use of open source and third-party artifacts to reduce risks. This article contains perspectives and knowledge obtained from intentional outreach with practitioners to understand their practical challenges and from extensive research efforts. We then provide an overview of current research efforts to secure the software supply chain. Finally, we propose a future research agenda to close software supply chain attack vectors and support the software industry.
              </jats:p>
author:
- first_name: Laurie
  full_name: Williams, Laurie
  last_name: Williams
- first_name: Giacomo
  full_name: Benedetti, Giacomo
  last_name: Benedetti
- first_name: Sivana
  full_name: Hamer, Sivana
  last_name: Hamer
- first_name: Ranindya
  full_name: Paramitha, Ranindya
  last_name: Paramitha
- first_name: Imranur
  full_name: Rahman, Imranur
  last_name: Rahman
- first_name: Mahzabin
  full_name: Tamanna, Mahzabin
  last_name: Tamanna
- first_name: Greg
  full_name: Tystahl, Greg
  last_name: Tystahl
- first_name: Nusrat
  full_name: Zahan, Nusrat
  last_name: Zahan
- first_name: Patrick
  full_name: Morrison, Patrick
  last_name: Morrison
- first_name: Yasemin
  full_name: Acar, Yasemin
  last_name: Acar
- first_name: Michel
  full_name: Cukier, Michel
  last_name: Cukier
- first_name: Christian
  full_name: Kästner, Christian
  last_name: Kästner
- first_name: Alexandros
  full_name: Kapravelos, Alexandros
  last_name: Kapravelos
- first_name: Dominik
  full_name: Wermke, Dominik
  last_name: Wermke
- first_name: William
  full_name: Enck, William
  last_name: Enck
citation:
  ama: Williams L, Benedetti G, Hamer S, et al. Research Directions in Software Supply
    Chain Security. <i>ACM Transactions on Software Engineering and Methodology</i>.
    2025;34(5):1-38. doi:<a href="https://doi.org/10.1145/3714464">10.1145/3714464</a>
  apa: Williams, L., Benedetti, G., Hamer, S., Paramitha, R., Rahman, I., Tamanna,
    M., Tystahl, G., Zahan, N., Morrison, P., Acar, Y., Cukier, M., Kästner, C., Kapravelos,
    A., Wermke, D., &#38; Enck, W. (2025). Research Directions in Software Supply
    Chain Security. <i>ACM Transactions on Software Engineering and Methodology</i>,
    <i>34</i>(5), 1–38. <a href="https://doi.org/10.1145/3714464">https://doi.org/10.1145/3714464</a>
  bibtex: '@article{Williams_Benedetti_Hamer_Paramitha_Rahman_Tamanna_Tystahl_Zahan_Morrison_Acar_et
    al._2025, title={Research Directions in Software Supply Chain Security}, volume={34},
    DOI={<a href="https://doi.org/10.1145/3714464">10.1145/3714464</a>}, number={5},
    journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association
    for Computing Machinery (ACM)}, author={Williams, Laurie and Benedetti, Giacomo
    and Hamer, Sivana and Paramitha, Ranindya and Rahman, Imranur and Tamanna, Mahzabin
    and Tystahl, Greg and Zahan, Nusrat and Morrison, Patrick and Acar, Yasemin and
    et al.}, year={2025}, pages={1–38} }'
  chicago: 'Williams, Laurie, Giacomo Benedetti, Sivana Hamer, Ranindya Paramitha,
    Imranur Rahman, Mahzabin Tamanna, Greg Tystahl, et al. “Research Directions in
    Software Supply Chain Security.” <i>ACM Transactions on Software Engineering and
    Methodology</i> 34, no. 5 (2025): 1–38. <a href="https://doi.org/10.1145/3714464">https://doi.org/10.1145/3714464</a>.'
  ieee: 'L. Williams <i>et al.</i>, “Research Directions in Software Supply Chain
    Security,” <i>ACM Transactions on Software Engineering and Methodology</i>, vol.
    34, no. 5, pp. 1–38, 2025, doi: <a href="https://doi.org/10.1145/3714464">10.1145/3714464</a>.'
  mla: Williams, Laurie, et al. “Research Directions in Software Supply Chain Security.”
    <i>ACM Transactions on Software Engineering and Methodology</i>, vol. 34, no.
    5, Association for Computing Machinery (ACM), 2025, pp. 1–38, doi:<a href="https://doi.org/10.1145/3714464">10.1145/3714464</a>.
  short: L. Williams, G. Benedetti, S. Hamer, R. Paramitha, I. Rahman, M. Tamanna,
    G. Tystahl, N. Zahan, P. Morrison, Y. Acar, M. Cukier, C. Kästner, A. Kapravelos,
    D. Wermke, W. Enck, ACM Transactions on Software Engineering and Methodology 34
    (2025) 1–38.
date_created: 2025-09-04T11:11:26Z
date_updated: 2025-09-04T11:15:46Z
doi: 10.1145/3714464
intvolume: '        34'
issue: '5'
language:
- iso: eng
page: 1-38
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: Research Directions in Software Supply Chain Security
type: journal_article
user_id: '94636'
volume: 34
year: '2025'
...
---
_id: '59411'
abstract:
- lang: eng
  text: <jats:p>As our lives, our businesses, and indeed our world economy become
    increasingly reliant on the secure operation of many interconnected software systems,
    the software engineering research community is faced with unprecedented research
    challenges, but also with exciting new opportunities. In this roadmap paper, we
    outline our vision of Software Security Analysis for the systems of the future.
    Given the recent advances in generative AI, we need new methods to assess and
    maximize the security of code co-written by machines. As our systems become increasingly
    heterogeneous, we need practical approaches that work even if some functions are
    automatically generated, e.g., by deep neural networks. As software systems depend
    evermore on the software supply chain, we need tools that scale to an entire ecosystem.
    What kind of vulnerabilities exist in future systems and how do we detect them?
    When all the shallow bugs are found, how do we discover vulnerabilities hidden
    deeply in the system? Assuming we cannot find all security flaws, how can we nevertheless
    protect our system? To answer these questions, we start our roadmap with a survey
    of recent advances in software security, then discuss open challenges and opportunities,
    and conclude with a long-term perspective for the field.</jats:p>
author:
- first_name: Marcel
  full_name: Böhme, Marcel
  last_name: Böhme
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Tevfik
  full_name: Bultan, Tevfik
  last_name: Bultan
- first_name: Cristian
  full_name: Cadar, Cristian
  last_name: Cadar
- first_name: Yang
  full_name: Liu, Yang
  last_name: Liu
- first_name: Giuseppe
  full_name: Scanniello, Giuseppe
  last_name: Scanniello
citation:
  ama: 'Böhme M, Bodden E, Bultan T, Cadar C, Liu Y, Scanniello G. Software Security
    Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM Transactions on Software
    Engineering and Methodology</i>. Published online 2024. doi:<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>'
  apa: 'Böhme, M., Bodden, E., Bultan, T., Cadar, C., Liu, Y., &#38; Scanniello, G.
    (2024). Software Security Analysis in 2030 and Beyond: A Research Roadmap. <i>ACM
    Transactions on Software Engineering and Methodology</i>. <a href="https://doi.org/10.1145/3708533">https://doi.org/10.1145/3708533</a>'
  bibtex: '@article{Böhme_Bodden_Bultan_Cadar_Liu_Scanniello_2024, title={Software
    Security Analysis in 2030 and Beyond: A Research Roadmap}, DOI={<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>},
    journal={ACM Transactions on Software Engineering and Methodology}, publisher={Association
    for Computing Machinery (ACM)}, author={Böhme, Marcel and Bodden, Eric and Bultan,
    Tevfik and Cadar, Cristian and Liu, Yang and Scanniello, Giuseppe}, year={2024}
    }'
  chicago: 'Böhme, Marcel, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and
    Giuseppe Scanniello. “Software Security Analysis in 2030 and Beyond: A Research
    Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, 2024.
    <a href="https://doi.org/10.1145/3708533">https://doi.org/10.1145/3708533</a>.'
  ieee: 'M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, and G. Scanniello, “Software
    Security Analysis in 2030 and Beyond: A Research Roadmap,” <i>ACM Transactions
    on Software Engineering and Methodology</i>, 2024, doi: <a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>.'
  mla: 'Böhme, Marcel, et al. “Software Security Analysis in 2030 and Beyond: A Research
    Roadmap.” <i>ACM Transactions on Software Engineering and Methodology</i>, Association
    for Computing Machinery (ACM), 2024, doi:<a href="https://doi.org/10.1145/3708533">10.1145/3708533</a>.'
  short: M. Böhme, E. Bodden, T. Bultan, C. Cadar, Y. Liu, G. Scanniello, ACM Transactions
    on Software Engineering and Methodology (2024).
date_created: 2025-04-07T10:04:48Z
date_updated: 2025-04-07T10:05:15Z
department:
- _id: '76'
doi: 10.1145/3708533
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: 'Software Security Analysis in 2030 and Beyond: A Research Roadmap'
type: journal_article
user_id: '15249'
year: '2024'
...
---
_id: '33835'
abstract:
- lang: eng
  text: "<jats:p>\r\n            Nowadays, an increasing number of applications use
    deserialization. This technique, based on rebuilding the instance of objects from
    serialized byte streams, can be dangerous since it can open the application to
    attacks such as remote code execution (RCE) if the data to deserialize is originating
    from an untrusted source. Deserialization vulnerabilities are so critical that
    they are in OWASP’s list of top 10 security risks for web applications. This is
    mainly caused by faults in the development process of applications and by flaws
    in their dependencies, i.e., flaws in the libraries used by these applications.
    No previous work has studied deserialization attacks in-depth: How are they performed?
    How are weaknesses introduced and patched? And for how long are vulnerabilities
    present in the codebase? To yield a deeper understanding of this important kind
    of vulnerability, we perform two main analyses: one on attack gadgets, i.e., exploitable
    pieces of code, present in Java libraries, and one on vulnerabilities present
    in Java applications. For the first analysis, we conduct an exploratory large-scale
    study by running 256 515 experiments in which we vary the versions of libraries
    for each of the 19 publicly available exploits. Such attacks rely on a combination
    of\r\n            <jats:italic>gadgets</jats:italic>\r\n            present in
    one or multiple Java libraries. A gadget is a method which is using objects or
    fields that can be attacker-controlled. Our goal is to precisely identify library
    versions containing gadgets and to understand how gadgets have been introduced
    and how they have been patched. We observe that the modification of one innocent-looking
    detail in a class – such as making it\r\n            <jats:monospace>public</jats:monospace>\r\n
    \           – can already introduce a gadget. Furthermore, we noticed that among
    the studied libraries, 37.5% are not patched, leaving gadgets available for future
    attacks.\r\n          </jats:p>\r\n          <jats:p>For the second analysis,
    we manually analyze 104 deserialization vulnerability CVEs to understand how
    vulnerabilities are introduced and patched in real-life Java applications. Results
    indicate that the vulnerabilities are not always completely patched or that a
    workaround solution is proposed. With a workaround solution, applications are
    still vulnerable since the code itself is unchanged.</jats:p>"
author:
- first_name: Imen
  full_name: Sayar, Imen
  last_name: Sayar
- first_name: Alexandre
  full_name: Bartel, Alexandre
  last_name: Bartel
- first_name: Eric
  full_name: Bodden, Eric
  id: '59256'
  last_name: Bodden
  orcid: 0000-0003-3470-3647
- first_name: Yves
  full_name: Le Traon, Yves
  last_name: Le Traon
citation:
  ama: Sayar I, Bartel A, Bodden E, Le Traon Y. An In-depth Study of Java Deserialization
    Remote-Code Execution Exploits and Vulnerabilities. <i>ACM Transactions on Software
    Engineering and Methodology</i>. Published online 2022. doi:<a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>
  apa: Sayar, I., Bartel, A., Bodden, E., &#38; Le Traon, Y. (2022). An In-depth Study
    of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. <i>ACM
    Transactions on Software Engineering and Methodology</i>. <a href="https://doi.org/10.1145/3554732">https://doi.org/10.1145/3554732</a>
  bibtex: '@article{Sayar_Bartel_Bodden_Le Traon_2022, title={An In-depth Study of
    Java Deserialization Remote-Code Execution Exploits and Vulnerabilities}, DOI={<a
    href="https://doi.org/10.1145/3554732">10.1145/3554732</a>}, journal={ACM Transactions
    on Software Engineering and Methodology}, publisher={Association for Computing
    Machinery (ACM)}, author={Sayar, Imen and Bartel, Alexandre and Bodden, Eric and
    Le Traon, Yves}, year={2022} }'
  chicago: Sayar, Imen, Alexandre Bartel, Eric Bodden, and Yves Le Traon. “An In-Depth
    Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities.”
    <i>ACM Transactions on Software Engineering and Methodology</i>, 2022. <a href="https://doi.org/10.1145/3554732">https://doi.org/10.1145/3554732</a>.
  ieee: 'I. Sayar, A. Bartel, E. Bodden, and Y. Le Traon, “An In-depth Study of Java
    Deserialization Remote-Code Execution Exploits and Vulnerabilities,” <i>ACM Transactions
    on Software Engineering and Methodology</i>, 2022, doi: <a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>.'
  mla: Sayar, Imen, et al. “An In-Depth Study of Java Deserialization Remote-Code
    Execution Exploits and Vulnerabilities.” <i>ACM Transactions on Software Engineering
    and Methodology</i>, Association for Computing Machinery (ACM), 2022, doi:<a href="https://doi.org/10.1145/3554732">10.1145/3554732</a>.
  short: I. Sayar, A. Bartel, E. Bodden, Y. Le Traon, ACM Transactions on Software
    Engineering and Methodology (2022).
date_created: 2022-10-20T12:31:49Z
date_updated: 2022-10-20T12:32:31Z
department:
- _id: '76'
doi: 10.1145/3554732
keyword:
- Software
language:
- iso: eng
publication: ACM Transactions on Software Engineering and Methodology
publication_identifier:
  issn:
  - 1049-331X
  - 1557-7392
publication_status: published
publisher: Association for Computing Machinery (ACM)
status: public
title: An In-depth Study of Java Deserialization Remote-Code Execution Exploits and
  Vulnerabilities
type: journal_article
user_id: '15249'
year: '2022'
...
