Marcel Böhme

After 5 years, we are back at NDSS in San Diego!

Looking forward to submissions from the Security and the Software Engineering community!

GUIFuzz++ is the first general-purpose fuzzer for desktop GUI software! Fuzzing by translating AFL++ random input into user interaction with GUIs, leading to the discovery of 23 new bugs!

Paper: futures.cs.utah.edu/papers/25ASE.pdf
Source: github.com/FuturesLab/GUIFuzzPlusPlus

Go test some GUIs!

ASE 2025 - Workshops - ASE 2025 Welcome to the website of the 40th IEEE/ACM International Conference on Automated Software Engineering, ASE 2025. The ASE conference is the premier research forum for Automated Software Engineering. E...

Paper deadlines for ASE’25 co-located workshops are approaching! This year, nine exciting workshops are co-located with ASE’25, covering diverse SE topics. Deadlines vary, but most are due Aug 26 ⏳. Check each workshop’s website for details! conf.researchr.org/track/ase-20...

#ASE25 #Workshop #CFP

25yrs of delta dbg

25 years of delta debugging! On this day in 2000, I presented “Simplifying Failure-Inducing Inputs” at ISSTA - now one of the most influential works in the 50-year history of Transactions on Software Engineering. Read all about its genesis and impact at doi.ieeecomputersociety.org/10.1109/TSE....

Aixcc results !

YouTube video by Jonathan Aldrich PLP 1.3-1.4: Compilation, interpretation, and environments

Released today: the second video in my Programming Language Pragmatics series, covering Compilation, Interpretation, and Environments!

www.youtube.com/watch?v=mrmo...

Going forward, I'll post a video 3 times a week. Please share the series with anyone who might benefit!

We believe that our probabilistic perspective of correctness for the LLM-generated program as a random variable gives rise to a proliferation of new techniques built for trustworthy code generation with probabilistic guarantees.

Comments and feedback welcome!

This work on "Estimating Correctness Without Oracles in LLM-Based Code Generation" was led by Thomas Valentin (ENS Paris Saclay) with the generous advice and help from Ardi Madadi (MPI-SP) and Gaetano Sapia (MPI-SP).

A traditional pass@1 based evaluation of the code generation abilities of LLMs can be reliably substituted with our oracle-less evaluation. This brings substantial benefits. For instance, it removes reliance on human-written oracles (reducing data leakage and overfitting problems).

Estimating Correctness Without Oracles in LLM-Based Code Generation Generating code from natural language specifications is one of the most successful applications of Large Language Models (LLMs). Yet, they hallucinate: LLMs produce outputs that may be grammatically c...

Can we statistically estimate how likely an LLM-generated program is correct w/o knowing what is a correct program for that task?

Sounds impossible-but it's actually really simple. In fact, our measure of "correctness" called incoherence can be estimated (PAC guarantees).

arxiv.org/abs/2507.00057

GitHub - vusec/libaflgo: LibAFLGo: Evaluating and Advancing Directed Greybox Fuzzing LibAFLGo: Evaluating and Advancing Directed Greybox Fuzzing - vusec/libaflgo

LibAFLGo adds directed fuzzing to #LibAFL

Neat!
(not related to Golang)

github.com/vusec/libaflgo

It absolutely is. See you next time :)

🚨 Our amazing #FUZZING'25 keynotes are online!

"Constraining Fuzzing without Paying Too Much" by Miryung Kim
youtu.be/L90MBb6NLBE

"Are you sure you belong in academia?" by Will Wilson
youtu.be/qQGuQ_4V6WI

// @mboehme.bsky.social, László Szekeres, @rohan.padhye.org, @ruijiemeng.bsky.social

Wow! That was quick.

It's been a lot of fun! Up here in Trondheim the sun never really sets at this time of the year. This is a picture from 9:30pm which feels like an eternal 4pm.

See y'all next year!

Will Wilson (@AntithesisHQ.bsky.social) talked about the four professional paths with a beautiful historical metaphor from being a member of a guilt (academia) to being a siege engineer (startup founder). He also talked about his efforts at Antithesis to build a deterministic VM for fuzzing.

Miryung Kim (UCLA) talked about challenges in domain-specific fuzzing beyond those of general-purpose, including very slow targets (from HW circuits to distributed systems), and her approach to developing domain-specific program transformations, mutation operators, feedback, etc.

We had two exciting keynotes:
* From academia: Miryung Kim (Prof @ UCLA)
* From industry: Will Wilson (CEO and Co-Founder of @AntithesisHQ.bsky.social).
Stay tuned for recordings!

It was great to see the community come together again at our 4th #FUZZING workshop in Trondheim this year! We drew a big crowd. Enjoyed the super lively discussions.

Thanks to the organizers:
* @rohan.padhye.org
* @yannicnoller.bsky.social
* @ruijiemeng.bsky.social and
* László Szekeres (Google)

Thrilled to share a recent opinion piece at the IEEE Security and Privacy (Vol. 23, Issue 3).

Basically a long-term perspective on the field meant for both researchers and practitioners.

📝 ieeexplore.ieee.org/stamp/stamp....

Knowing the input language of a software system greatly facilitates its (automated) testing. In our new GDBMiner work, we use the GNU debugger (GDB) to extract precise input grammars from any recursive descent parser that can be traced via GDB: doi.org/10.4230/LITE...

The sequence of proofs approaches intuition with distance converging to 0.

YouTube video by natoccdcoe Fireside Chat: Gentleman Hackers with Thomas Dullien

My short impulse presentation from Cycon is online: youtu.be/qllU_B_Rmis?...

Just Accepted to ACM TOSEM!

The "Havoc Paradox" is about the relationship between byte-level fuzzer mutations and their effect on the inputs produced by generators for structured strings (e.g. XML/SQL). Can disruptive mutations be controlled? Should they be? Find out.

📄 dl.acm.org/doi/pdf/10.1...

Massive 1.2k submissions to #ASE25 in Korea! 🎉 📈

🖊️ Register here: ntnu.eventsair.com/fse2025-isst...
(FUZZING is a co-located workshop)

List of Accepted Papers at the FUZZING Workshop

We also have an excellent program of research talks and *fuzzing nuggets*. Detailed schedule coming soon.

conf.researchr.org/home/issta-2...

We're excited to announce two keynote speakers for the #FUZZING'25 workshop (part of @issta_conf at Trondheim, Norway):

[*] Will Wilson, CEO and Co-Founder of Antithesis
[*] Miryung Kim, Professor and Vice Chair of Graduate Studies at UCLA

conf.researchr.org/home/issta-2...

Congrats Dominik!! 🥳 Can't wait to see what you are going to build.

All @acm.org publications will be 100% Open Access as of January 2026. When we announced this at POPL and CHI this year, conference participants spontaneously erupted in applause. The CS community is excited about ACM's move to OA!