General Feedback for Project 3
For those of you who want more details on project 3, here are some general remarks. We provided individual feedback for each of you, but here are some points that we think could benefit most of you:
* Some projects featured either really precise models of the input (grammars, ...) without mutations or really specific mutations (introducing a specific character in the input, ...). The risk with these approaches is that the fuzzer will generate inputs that are actually quite similar and more likely to trigger the same bugs over and over. One strength of fuzzing is the large coverage of the input space of the program.
* Seed prioritization is not limited to coverage-based power schedules. There are actually many reasons for keeping, prioritizing or discarding an input. For example, you might want to discard a seed that found a bug, because it is likely that it will only trigger the same bug again; or to favor seeds that were considered valid by the program; or to favor seeds that you did not mutate many times before; ... The best prioritization method to use depends on your goal, the distribution of bugs that you expect (clustered together, dependent, or spread randomly through the program), etc.
* Most of the projects recognized that the target is stateful and therefore decided to have an entire BSMTP session as input. However very few projects also took into account that the state could also persist between sessions and until the server is restarted. While this did not have a big impact for this project, it would have been a good idea to discuss when and why it makes sense to restart the server.
* Submitting clean code is never a waste of time. The code you submit is not only read by the Python interpreter, but also by you and by reviewers of your project. Structuring you code in a way that makes your intent clear is a great way to improve your grade, as it makes it more likely that your reviewers focus on the relevant parts of your code.
Keep up the good work, and hope to see you soon again,
Andreas Zeller, Rahul Gopinath, and Michael Mera