skip to main content

Computer scientists significantly increase ability to detect software bugs by getting 'fuzzy'

April 20, 2017

The process for software development companies to find bugs can be time consuming, and current industry standard testing doesn’t always find each and every new glitch.

Now a team in Virginia Tech’s Department of Computer Science in the College of Engineering has developed a way for programmers to significantly increase the amount and types of bugs detected during stress testing using a tool called Node.fz.

While the software increases the amount of bugs detected, it also has the potential to decrease the amount of time it takes to get products to market by randomizing — or “fuzzing" — tasks performed by servers.

“This research is extremely important for testing prototypes of software,” said Dongyoon Lee, assistant professor of computer science. “Fuzzing randomizes server events and that randomization ensures that each time a program is executed, it will be different every time and events will occur in a random order. In precisely timed server architecture using vanilla Javascript, it can be difficult to know if the scenarios being tested actually trigger all of the bugs that exist.”

Lee and his Ph.D. student, Jamie Davis, will travel to Eurosys 2017 in Belgrade, Serbia, to present the team’s study on fuzzing on April 24.

Though fuzzing client side applications, such as those of industry titans Facebook and Google, as well as numerous web apps, is not new,  fuzzing backend servers is novel, said Lee.

Lee and his team identified 12 real-world Node.js programs that had concurrency bugs — bugs that don’t occur every time, but instead were based only on a particular sequence of events. The study is first to demonstrate empirical evidence of the effectiveness of fuzzing for these programs.

Node.fz is a variant of vanilla Node.js, which is JavaScript software that can run on a desktop or server just like any other program. JavaScript is the most popular programming language on the planet at about 4 millions users.

As a variant of Node.js, developing Node.fz allowed Lee and Davis to maintain a connection to an existing and robust community of programmers.

“Node.js bridges the gap between web developers who program JavaScript for front-facing apps like web interfaces, and backend developers who deal with servers,” said Jamie Davis, who is first author on the paper. “Previously these developers used different languages and had to work around communication issues, but Node.js allows them to use JavaScript exclusively. This change has significantly increased the importance of JavaScript in the software community, and our work was one of the first to really embrace this shift.”

The advent of the internet of things (IoT) makes fuzzing more appealing on the server side also. The IoT communicates between the cloud network and the increasing number of gadgets attached to the internet that do everything from keeping the temperature constant in smart refrigerators to regulating pacemakers, means testing the cloud will become increasingly important on the server side.

Historically, bugs in software were quite literally pests that gummed up the vacuum tubes used to carry the index cards to program the behemoth computers of yore.

Today software bugs are a digital metaphor for glitches in software code that cause programs to fail. In the future, Lee and his team are helping to make software bugs more of a fuzzy memory than anything else.

Written by Amy Loeffler