2026
SP'26
|
|
Cottontail: LLM-Driven Concolic Execution for Highly Structured Test Input Generation.
|
 |
Haoxin Tu, Seongmin Lee, Yuxian Li, Peng Chen, Lingxiao Jiang, and Marcel Böhme.
|
|
|
Abstract:
How to perform concolic execution to generate highly structured test inputs for systematically testing parsing programs.
|
|
|
47th IEEE Symposium on Security and Privacy (SP'26).
18pp.
|
|
Note: Accepted with shepherding. |
|
|
|
2025
ISSTA'25
🏆
|
|
Top Score on the Wrong Exam: On Benchmarking in Machine Learning for Vulnerability Detection.
|
|
Niklas Risse, Jing Liu, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
The most prevalent problem statement of ML4VD as function-level binary classification problem is ill-defined.
|
|
|
34th ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'25).
22pp.
|
| 🏆 |
Award: Our paper was selected as ACM Distinguished Papers (Top 8% of accepted papers). Congrats Niklas and Jing! |
|
Note: Supplementary material can be found here: ISSTA25-supplementary.pdf |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
S&P
|
|
|
How to Solve Cybersecurity Once and For All.
|
|
Marcel Böhme.
|
|
|
Abstract:
We should stop trying to confirm the effectiveness of our defenses and start failing to find counterexamples.
|
|
|
IEEE Security and Privacy, Vol. 23, Issue 3.
|
|
Note: Invited journal article. A much abbreviated version of the keynote at RAID'24 |
|
[
pdf
]
[
bib
]
|
|
|
TOSEM
|
|
|
Software Security Analysis in 2030 and Beyond: A Research Roadmap.
|
|
Marcel Böhme, Eric Bodden, Tevfik Bultan, Cristian Cadar, Yang Liu, and Giuseppe Scanniello.
|
|
|
Abstract:
Challenges and opportunities for the security analysis of our software systems of the future.
|
|
|
ACM Transactions on Software Engineering and Methodology.
25pp.
|
|
Note: Invited article (Special Section: 2030 Software Engineering Roadmap). |
|
[
pdf
]
[
bib
]
|
|
|
TOSEM
|
|
|
Fuzzing: On Benchmarking Outcome as a Function of Benchmark Properties.
|
|
Dylan Wolff, Marcel Böhme, and Abhik Roychoudhury.
|
|
|
Abstract:
How would fuzzer ranking change if programs were larger or initial seeds had more coverage?
|
|
|
ACM Transactions on Software Engineering and Methodology.
24pp.
|
|
[
pdf
]
[
bib
]
|
|
|
TSE
|
|
|
AFLNet Five Years Later: On Coverage-Guided Protocol Fuzzing.
|
|
Ruijie Meng, Van-Thuan Pham, Marcel Böhme, and Abhik Roychoudhury.
|
|
🧑💻
|
Abstract:
State- and code-coverage-guided greybox fuzzing (Extended version of our ICSE'20 Tool Demo)
|
|
|
IEEE Transactions on Software Engineering.
14pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
ICLR'25
🏆
|
|
|
How Much is Unseen Depends Chiefly on Information About the Seen.
|
|
Seongmin Lee and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Significant progress on a beautiful statistical riddle. Can estimate data representativeness.
|
|
|
13th International Conference on Learning Representations (ICLR'25).
22pp.
|
| 🏆 |
Award: Our paper was selected as ICLR'25 Spotlight (Top 5% of accepted papers). Congrats Seongmin! |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ICSE'25
|
|
|
Invivo Fuzzing by Amplifying Actual Executions.   
|
|
Octavio Galland and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Don't attach a fuzzer using fuzz drivers! Inject a fuzzer and amplify any state.
|
|
|
47th International Conference on Software Engineering (ICSE'25).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ICSE'25
|
|
|
Accounting for Missing Events in Statistical Information Leakage Analysis.
|
|
Seongmin Lee, Shreyas Minocha, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Estimating software privacy in the small sample regime.
|
|
|
47th International Conference on Software Engineering (ICSE'25).
12pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
FSE'25
🏆
|
|
|
MendelFuzz: The Return of the Deterministic Stage.
|
|
Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer.
|
|
🧑💻
|
Abstract:
Can a fuzzer cover more code with minimal corruption of the initial seed?
|
|
|
ACM International Conference on the Foundations of Software Engineering (FSE'25).
21pp.
|
| 🏆 |
Award: Adopted as default mode in the most widely-used fuzzer AFL++ since v4.10c. |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
2024
TOSEM
|
|
|
On the Impact of Lower Recall and Precision in Defect Prediction for Guiding Search-based Software Testing.
|
|
Anjana Perera, Burak Turhan, Aldeida Aleti, and Marcel Böhme.
|
|
🧑💻
|
ACM Transactions on Software Engineering and Methodology 33(6).
27pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
USENIX Sec'24
|
|
|
Uncovering the Limits of Machine Learning for Automatic Vulnerability Detection.
|
|
Niklas Risse and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Are machine learning models for vulnerability discovery as good as they seem?
|
|
|
33rd USENIX Security Symposium (USENIX Sec'24).
19pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
[🧑🏫
slides
]
|
|
CCS'24
🏆
|
|
|
Testing Side-Channel Security of Cryptographic Implementations Against Future Microarchitectures.
|
|
G. Barthe, M. Böhme, S. Cauligi, C. Chuengsatiansup, D. Genkin, M. Guarnieri, D. Romero, P. Schwabe, D. Wu, and Y. Yarom.
|
|
🧑💻
|
Abstract:
How to find side-channels in crypto implementations running on future microarchitectures.
|
|
|
31st ACM Conference on Computer and Communications Security (CCS'24).
16pp.
|
| 🏆 |
Award: Our paper won the ACM SIGSAC Distinguished Paper Award at CCS'24. Congrats all! |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ICSE'24
|
|
|
Extrapolating Coverage Rate in Greybox Fuzzing.
|
|
Danushka Liyanage, Seongmin Lee, Chakkrit Tantithamthavorn, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
How to *predict* the coverage rate of a greybox fuzzer in the future.
|
|
|
46th International Conference on Software Engineering (ICSE'24).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
NDSS'24
🏆
|
|
|
Large Language Model guided Protocol Fuzzing.
|
|
Ruijie Meng, Martin Mirchev, Marcel Böhme, and Abhik Roychoudhury.
|
|
🧑💻
|
Abstract:
How to make a fuzzer ask ChatGPT about the correct structure and order of messages as specified in 100+ pages of RFC.
|
|
|
Network and Distributed System Security Symposium (NDSS'24).
15pp.
|
| 🏆 |
Award: Number 29 in the Normalized Top-100 Security Papers of all time. |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
|
|
|
TSE
|
|
|
Human-In-The-Loop Automatic Program Repair.
|
|
Charaka Geethal Kapugama, Marcel Böhme, and Van-Thuan Pham.
|
|
🧑💻
|
Abstract:
Learn2fix automatically negotiates with the user the condition under which the bug is observed before it repairs the bug.
|
|
|
IEEE Transactions on Software Engineering.
24pp.
|
|
Note: Journal extension of our homonymous ICST'20 paper. |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
2023
CACM
🏆
|
|
|
Boosting Fuzzer Efficiency: An Information Theoretic Perspective.
|
|
Marcel Böhme, Valentin J. M. Manès, and Sang Kil Cha.
|
|
🧑💻
|
Abstract:
Every generated input reveals some information about the program. Maximizing information maximizes efficiency.
|
|
|
Communcations of the ACM 66(11).
9pp.
|
| 🏆 |
Award: CACM Research Highlight for the month of November. CACM a journal sent to all members of the ACM. |
|
Note: CACM Technical Perspective: "What's all the fuss about fuzzing?" by the amazing Gordon Fraser! |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ESEC / FSE'23
|
|
|
Statistical Reachability Analysis.
|
|
Seongmin Lee and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Quantiative program analysis using a statistical rather than an analytical approach.
|
|
|
31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC / FSE'23).
12pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ASE'23
|
|
|
Precise Data-Driven Approximation for Program Analysis via Fuzzing.
|
|
Nikhil Parasaram, Earl T. Barr, Sergey Mechtaev, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Marry static analysis to over-/under-approx. the valid state space and fuzzing + stats to estimate the degree of validity.
|
|
|
38th IEEE/ACM International Conference on Automated Software Engineering (ASE'23).
12pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ICSE'23
|
|
|
Reachable Coverage: Estimating Saturation in Fuzzing.
|
|
Danushka Liyanage, Marcel Böhme, Chakkrit Tantithamthavorn, and Stephan Lipp.
|
|
🧑💻
|
Abstract:
Estimating the maximum achievable coverage by automatic test input generation.
|
|
|
45th International Conference on Software Engineering (ICSE'23).
13pp.
|
|
Note: Featured in the Fuzzing Weekly Newsletter (CW5). |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ICSE'23
|
|
|
Evaluating the Impact of Experimental Assumptions in Automated Fault Localization.
|
|
Ezekiel Soremekun, Lukas Kirschner, Marcel Böhme, and Mike Papadakis.
|
|
🧑💻
|
Abstract:
Evaluating the assumptions that researchers make during debugging tool evaluations.
|
|
|
ACM/IEEE 45th International Conference on Software Engineering (ICSE'23).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[🔗
website
]
|
|
|
ISSTA'23
|
|
|
Green Fuzzing: A Saturation-based Stopping Criterion using Vulnerability Prediction.
|
|
Stephan Lipp, Daniel Elsner, Severin Kacianka, Alexander Pretschner, Marcel Böhme, and Sebastian Banescu.
|
|
🧑💻
|
Abstract:
We suggest to stop a fuzzing campaign when the coverage of potentially vulnerable code saturates.
|
|
|
32nd ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'23).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
|
|
ESEC / FSE'23 (SRC)
🏆
|
|
|
Detecting Overfitting of Machine Learning Techniques for Automatic Vulnerability Detection.
|
|
Niklas Risse.
|
|
|
Student Research Competition (SRC) at the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC / FSE'23 (SRC)).
3pp.
|
| 🏆 |
Award: Niklas won 2nd place in the ACM FSE Student Research Competition. Congrats Niklas! |
|
[
pdf
]
[
bib
]
|
|
|
SBFT'23
|
|
|
Continuous Fuzzing: A Study of the Effectiveness and Scalability of Fuzzing in CI/CD Pipelines.
|
|
Thijs Klooster, Fatih Turkmen, Gerben Broenink, Ruben Ten Hove, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
How to integrate fuzzing in a CI/CD pipeline, where time is limited but the analysis can be incremental?
|
|
|
2023 IEEE/ACM International Workshop on Search-Based and Fuzz Testing (SBFT'23).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
|
|
|
TSE'22
|
|
|
An Experimental Assessment of Using Theoretical Defect Predictors to Guide Search-based Software Testing.
|
|
Anjana Perera, Aldeida Aleti, Burak Turhan, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
What is the impact of defect predictor accuracy on defectiveness-guided test generation?
|
|
|
IEEE Transactions on Software Engineering.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
2022
ICSE'22
|
|
|
On the Reliability of Coverage-based Fuzzer Benchmarking.
|
|
Marcel Böhme, László Szekeres, and Jonathan Metzman.
|
|
🧑💻
|
Abstract:
We find a strong correlation but no strong agreement on fuzzer superiority in terms of coverage versus bugs.
|
|
|
44th International Conference on Software Engineering (ICSE'22).
13pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
[🧑🏫
slides
]
|
|
|
USENIX SEC'22
|
|
|
Stateful Greybox Fuzzing.
|
|
Jinsheng Ba, Marcel Böhme, Zahra Mirzamomen, and Abhik Roychoudhury.
|
|
🧑💻
|
Abstract:
Navigating an unknown state space by identifying and monitoring state variables values.
|
|
|
31st USENIX Security Symposium (USENIX SEC'22).
18pp.
|
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[🧑🏫
slides
]
|
|
|
ISSTA'22
|
|
|
Human-in-the-Loop Oracle Learning for Semantic Bugs in String Processing Programs.
|
|
Charaka Geethal, Van-Thuan Pham, Aldeida Aleti, and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Learning to identify semantic bugs for string processing programs.
|
|
|
31st ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA'22).
12pp.
|
|
[🧑💻
artifact
]
[
github
]
|
|
|
ICSE'22 (NIER)
|
|
|
Statistical Reasoning About Programs.
|
|
Marcel Böhme.
|
|
|
Abstract:
Open challenges and new research directions for automated program analysis at scale.
|
|
|
44th International Conference on Software Engineering (ICSE'22 (NIER)).
5pp.
|
|
[
pdf
]
[
bib
]
[🧑🏫
slides
]
|
|
2021
IEEE Software
|
|
|
Fuzzing: Challenges and Opportunities.
|
|
Marcel Böhme, Cristian Cadar, and Abhik Roychoudhury.
|
|
|
Abstract:
A resource for practitioners and researchers to learn about the main open challenges in fuzzing and symbolic execution.
|
|
|
IEEE Software.
9pp.
|
|
Note: This is the outcome of a 3-day meeting of thought leaders and rising stars, both in industry and academia. We are happy to publish these results in the premier magazine (and journal) for software practitioners. |
|
[
pdf
]
[
bib
]
[🧑🏫
slides
]
|
|
|
CCS'21
|
|
|
Regression Greybox Fuzzing.
|
|
Xiaogang Zhu and Marcel Böhme.
|
|
🧑💻
|
Abstract:
Once a program is well-fuzzed, most bugs found are regressions. Fuzz all commits at once, but focus on recent ones.
|
|
|
28th ACM Conference on Computer and Communications Security (CCS'21).
12pp.
|
|
[
pdf
]
[
bib
]
[
github
]
[🧑💻
artifact
]
|
|
|
EMSE'21
|
|
|
Locating faults with program slicing: an empirical analysis.
|
|
Ezekiel Soremekun, Lukas Kirschner, Marcel Böhme, and Andreas Zeller.
|
|
🧑💻
|
Abstract:
Empirical comparison of statistical fault localization and dynamic program slicing along more realistic assumptions.
|
|
|
Empirical Software Engineering 26(3).
|
|
Note: Congrats to Ezekiel, Lukas, and Andreas! Ezekiel started this work with when I was still a PostDoc in Andreas' team. |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
|
|
|
ESEC / FSE'21
|
|
|
Estimating Residual Risk in Greybox Fuzzing.
|
|
Marcel Böhme, Danushka Liyanage, and Valentin Wüstholz.
|
|
🧑💻
|
Abstract:
After 24hrs no crashes, you abort the campaign. What is the change to see a crash if you generated one more input?
|
|
|
15th Joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC / FSE'21).
12pp.
|
|
Note: Congrats Danushka on his first paper. Exciting work with our industry collaborator Valentin. We are breaking new ground! Shoutout J. Campbell (Microsoft) finds this direction interesting for large-scale fuzzing campaigns in OneFuzz to maximize bug finding within the compute budget. |
|
[
pdf
]
[
bib
]
[🧑💻
artifact
]
[
github
]
|
|
