What tools are out there that can perform code coverage analysis at the machine code level rather than the source code level? I'm looking for a possible solution to perform fuzz testing on software to which I do not have source code access.
4 Answers
I think the IBM Rational test coverage tools instrument object code.
Assuming you had such a tool, but no access to the source, what exactly would code coverage mean, other than 100%?
If you didn't have 100% coverage, you'd know you hadn't exercised something. But you would have no way of knowing what.
I'm interested in using fuzz testing and code coverage analysis to find security vulnerabilities. First, I might run the application under normal operating conditions and identify dusty unused code paths. Then try to identify vulnerabilities under the assumption that the least covered code are likely to have the most vulnerabilities. – Jeremy Powell Sep 13 '10 at 19:50
But just exactly what is a "dusty unused path" when you don't have the source? It seems like all you would have is "this instruction wasn't executed" and you'd have to trace out the (downstream branching) path yourself. Even so, you'd have no idea what that path represented; something related to passwords, or something related to printing "disk full"? So what specifically would you do with a list of unexecuted instruction locations? – Ira Baxter Sep 13 '10 at 21:11
That's a good point; I somehow convinced myself that I could divine how to form input to exercise unused code by examining how other input maps into the instructions. Now that I think about it more, it looks quite difficult. – Jeremy Powell Sep 14 '10 at 15:04
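The workflow Jeremy sketches in the comments above (run the binary under normal use, record which instructions execute, then single out the code that never or rarely runs and check whether a new input reaches anything new), as an added example that is not code from the question or from this answer. A binary-level tracer only gives you executed addresses, so the block table and the trace format below are constructed stand-ins for what a disassembler and a tracer would produce; every address and name is hypothetical.

```python
"""Added example: from executed-address traces to "dusty" basic blocks.

Nothing here comes from the original post. BLOCKS and the traces are
constructed sample data standing in for a stripped binary's block table
(from a disassembler) and per-run instruction traces (from a tracer).
"""

from collections import Counter

# Constructed basic-block table: (start, end) address ranges, no symbols.
BLOCKS = [
    (0x401000, 0x401010),
    (0x401010, 0x401030),
    (0x401030, 0x401050),
    (0x401050, 0x401070),
    (0x401070, 0x401080),
    (0x401080, 0x4010A0),
]

# Constructed traces: one executed instruction address (hex) per line,
# one trace per "normal operating conditions" run.
BASELINE_TRACES = {
    "normal_run_1": "401000\n401004\n401010\n401020\n401030\n",
    "normal_run_2": "401000\n401004\n401010\n401018\n401050\n",
    "normal_run_3": "401000\n401010\n401030\n401040\n",
}


def parse_trace(text):
    """Set of executed instruction addresses in one trace."""
    return {int(line, 16) for line in text.splitlines() if line.strip()}


def block_of(addr, blocks=BLOCKS):
    """Start address of the basic block containing addr, or None."""
    for start, end in blocks:
        if start <= addr < end:
            return start
    return None


def blocks_hit(text, blocks=BLOCKS):
    """Basic blocks (by start address) touched by one trace."""
    hit = {block_of(a, blocks) for a in parse_trace(text)}
    hit.discard(None)          # addresses outside the known blocks
    return hit


def block_hit_counts(traces, blocks=BLOCKS):
    """Number of runs in which each block executed; 0 means never."""
    counts = Counter({start: 0 for start, _ in blocks})
    for text in traces.values():
        for b in blocks_hit(text, blocks):
            counts[b] += 1
    return counts


def dusty_blocks(traces, blocks=BLOCKS, max_runs=0):
    """Blocks executed in at most max_runs runs, least covered first.

    With the default max_runs=0 this is the list of never-executed blocks:
    all you get without source is a list of address ranges, as Ira notes.
    """
    counts = block_hit_counts(traces, blocks)
    return sorted((b for b, n in counts.items() if n <= max_runs),
                  key=lambda b: (counts[b], b))


def seen_blocks(traces, blocks=BLOCKS):
    """Union of blocks reached by all runs so far."""
    seen = set()
    for text in traces.values():
        seen |= blocks_hit(text, blocks)
    return seen


def new_coverage(candidate_trace, seen, blocks=BLOCKS):
    """Blocks a candidate (fuzzed) input reaches that no earlier run did.

    A non-empty result is the usual signal to keep that input in the corpus.
    """
    return blocks_hit(candidate_trace, blocks) - seen
```

The output is only a list of address ranges; working out what input reaches 0x401070 is still up to you, which is Ira's point. What the loop does give you is a cheap corpus-selection rule: keep any fuzzed input whose trace adds to the seen set, and use the hit counts to decide which of the already reached blocks deserve more mutation effort.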
Old post... but my two cents.
If you have a bunch of jars and if you know what classes/methods you are using, you can instrument the jars with Emma and run your sample application against those jars.
In my case, I have jars which are actually proprietary components (to generate HTML code) which our company uses to build its web pages. We have a sample application that utilizes these components and a bunch of tests that are run against the sample app. I wrote an Ant task to copy the Maven dependencies to a directory, instrument them and run the tests against these instrumented jars. This task is invoked from the Maven POM and is hence part of the build process.
Also, as part of the build process, we process the Emma coverage data to produce a report. This report shows the classes and methods in the jars for which we do not have the source code! Hope this helps.
If you have the number of entry points (public methods), you can test the coverage for that. I don't know any tool for that though. Otherwise you would have to test the assembly code coverage, and I don't know if it is possible.