Please note: This PhD defence will take place online.
Aniruddhan Murali, PhD candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Mei Nagappan
Modern software systems are increasingly complex, and static analysis tools are widely used to identify potentially vulnerable code by issuing warnings. However, these warnings often require manual inspection by developers to determine whether the reported issues are genuine, making validation time-consuming and error-prone. Similarly, ensuring that individual commits (i.e., code changes) do not introduce defects or security vulnerabilities remains a fundamental challenge in software maintenance. Directed fuzzing has emerged as a powerful automated technique for vulnerability validation. Yet applying directed fuzzing to entire projects for each warning or modified code location is computationally expensive, often requiring days of execution while yielding only incremental coverage improvements.
We present a unified framework for efficient vulnerability validation based on the construction and fuzzing of compiled code slices centered on either static analysis warnings or functions modified in code commits. Unlike prior approaches that extract slices from the program entry point or impose restrictive slice-size limits, our framework constructs slices of arbitrary size and compiles them into standalone, testable units.
For static analysis warning verification, we directly fuzz slices of the function containing the warning, enabling rapid elimination of false positives. We implement this approach in a tool called FuzzSlice. The key insight that we base our work on is that a warning that does not yield the bug when fuzzed at the function level in a given time budget is most likely a false positive. Evaluation on the Juliet benchmark shows that FuzzSlice detects all 864 known false positives in the ground truth. For open-source repositories, developers from tmux and openSSH independently labeled reported warnings. In these projects, FuzzSlice automatically identified 33 of 53 developer-confirmed false positives, reducing false positives by 62.26%. These results demonstrate that FuzzSlice substantially reduces manual validation effort, achieving complete elimination of false positives in Juliet and significant reductions in real-world codebases.
To further strengthen static analysis warning verification, we introduce SnipTest, a framework that heuristically identifies true positives among warnings. SnipTest employs a layer-by-layer slicing strategy that incrementally expands the slice context around the target location prior to fuzzing. Unlike FuzzSlice which tests the function containing the warning, SnipTest can incrementally grow the boundary of the code slice to include more calling context, enabling the validation of potential vulnerabilities with progressively increasing precision We evaluate SnipTest on a benchmark comprising 97 true vulnerabilities and 97 false alarms across three real-world projects. SnipTest triggered 53 true vulnerabilities (54.6%), consistently across three slice levels, while the remaining cases were determined to be unreachable. Compared to state-of-the-art directed fuzzers, unseeded SnipTest confirms more bugs than unseeded baselines and matches the effectiveness of seeded fuzzers. Moreover, SnipTest significantly improves efficiency, achieving a 5.5–10.6× speedup in fuzzing time relative to both seeded and unseeded directed fuzzers. We further demonstrate its practical relevance by discovering three previously unknown vulnerabilities in two open-source projects, including CVE-2025-11964.
Finally, we extend our slice-based approach to commit verification. We introduce a novel commit-aware differential fuzzing framework for detecting vulnerabilities introduced by code changes. Rather than fuzzing entire program versions, our method automatically identifies functions modified in a target commit and generates dedicated slices for those functions. For each modified function, we construct slices from both the target commit and its direct predecessor in the version history. These corresponding slices are fuzzed independently, and their runtime behaviors are systematically compared to uncover divergences indicative of commit-induced vulnerabilities. By restricting analysis to modified code regions and combining slice-level execution with differential comparison, our framework enables precise, scalable, and efficient verification of code changes without requiring full end-to-end fuzzing or manually constructed test cases. Overall, we aim to show that slice-based differential fuzzing is both effective and computationally efficient, making it well-suited for integration into modern, fast-paced software development workflows, such as Continuous Integration (CI).