Caroline Lemieux,Koushik Sen

DOI: https://doi.org/10.1145/3238147.3238176

2018-09-03

Abstract:In recent years, fuzz testing has proven itself to be one of the most effective techniques for finding correctness bugs and security vulnerabilities in practice. One particular fuzz testing tool, American Fuzzy Lop (AFL), has become popular thanks to its ease-of-use and bug-finding power. However, AFL remains limited in the bugs it can find since it simply does not cover large regions of code. If it does not cover parts of the code, it will not find bugs there. We propose a two-pronged approach to increase the coverage achieved by AFL. First, the approach automatically identifies branches exercised by few AFL-produced inputs (rare branches), which often guard code that is empirically hard to cover by naively mutating inputs. The second part of the approach is a novel mutation mask creation algorithm, which allows mutations to be biased towards producing inputs hitting a given rare branch. This mask is dynamically computed during fuzz testing and can be adapted to other testing targets. We implement this approach on top of AFL in a tool named FairFuzz. We conduct evaluation on real-world programs against state-of-the-art versions of AFL. We find that on these programs FairFuzz achieves high branch coverage at a faster rate that state-of-the-art versions of AFL. In addition, on programs with nested conditional structure, it achieves sustained increases in branch coverage after 24 hours (average 10.6% increase). In qualitative analysis, we find that FairFuzz has an increased capacity to automatically discover keywords.

Ruixiang Qian,Quanjun Zhang,Chunrong Fang,Lihua Guo

DOI: https://doi.org/10.1145/3545258.3545285

2022-01-01

Abstract:Coverage guided fuzzing (CGF) is an effective testing technique which has detected hundreds of thousands of bugs from various software applications. It focuses on maximizing code coverage to reveal more bugs during fuzzing. However, a higher coverage does not necessarily imply a better fault detection capability. Triggering a bug involves not only exercising the specific program path but also reaching interesting program states in that path. In this paper, we use mutation testing to improve CGF in detecting bugs. We use mutation scores as additional feedback to guide fuzzing towards detecting bugs rather than just covering code. To evaluate our approach, we conduct a well-designed experiment on 5 benchmarks. We choose the state-of-the-art fuzzing technique Zest as baseline and construct two modified techniques on it using our approach. The experimental results show that our approach can improve CGF in both code coverage and bug detection.

Yiru Zhao,Xiaoke Wang,Lei Zhao,Yueqiang Cheng,Heng Yin

DOI: https://doi.org/10.48550/arXiv.2101.00612

2021-01-03

Software Engineering

Abstract:Coverage-based greybox fuzzing (CGF) has been approved to be effective in finding security vulnerabilities. Seed scheduling, the process of selecting an input as the seed from the seed pool for the next fuzzing iteration, plays a central role in CGF. Although numerous seed scheduling strategies have been proposed, most of them treat these seeds independently and do not explicitly consider the relationships among the seeds. In this study, we make a key observation that the relationships among seeds are valuable for seed scheduling. We design and propose a "seed mutation tree" by investigating and leveraging the mutation relationships among seeds. With the "seed mutation tree", we further model the seed scheduling problem as a Monte-Carlo Tree Search (MCTS) problem. That is, we select the next seed for fuzzing by walking this "seed mutation tree" through an optimal path, based on the estimation of MCTS. We implement two prototypes, AlphaFuzz on top of AFL and AlphaFuzz++ on top of AFL++. The evaluation results on three datasets (the UniFuzz dataset, the CGC binaries, and 12 real-world binaries) show that AlphaFuzz and AlphaFuzz++ outperform state-of-the-art fuzzers with higher code coverage and more discovered vulnerabilities. In particular, AlphaFuzz discovers 3 new vulnerabilities with CVEs.

Wang Xiajing,Hu Changzhen,Ma Rui,Tian Donghai,He Jinyuan

DOI: https://doi.org/10.1007/s10664-020-09927-3

IF: 3.762

2021-01-01

Empirical Software Engineering

Abstract:Mutation-based fuzzing is a simple yet effective technique to discover bugs and security vulnerabilities in software. Given a set of well-formed initial seeds, mutation-based fuzzers continually generate interesting seeds by applying specific mutation strategy in order to maximize code coverage or the number of unique bugs explored at any point-in-time. However, existing fuzzers remain limited in the paths it could cover since it simply follows a uniform distribution to choose mutation operators. In this paper, we proposed a novel context-aware adaptive mutation scheme, namely CMFuzz, which utilizes a contextual bandit algorithm LinUCB to effectively choose optimal mutation operators for various seed files. To this end, CMFuzz dynamically extracts and encodes file characteristics, which allows mutation-based fuzzers to perform context-aware mutation. We apply this scheme on top of several state-of-the-art fuzzers, i.e., PTfuzz, AFL, and AFLFast, and implement CMFuzz-PT, CMFuzz-AFL, and CMFuzz-AFLFast, respectively. We conduct evaluation on 12 real-world open source applications and LAVA-M dataset against their counterparts. Extensive evaluations demonstrate that CMFuzz-based fuzzers achieve higher code coverage and find more crashes at a faster rate than their counterparts on most cases. Furthermore, we also utilize other mainstream bandit algorithms, e.g., Thompson Sample and epsilon-greedy, and implement Thompson-PT and Greedy-PT based on PTfuzz to examine the performance of proposed model. CMFuzz-PT significantly outperforms Thompson-PT especially in terms of unique crashes and paths, i.e., found 1.79× unique crashes and 1.29× unique paths on average. Compared to Greedy-PT, our approach still increases the amount of unique crashes and paths by 1.11× and 1.05×, respectively.

Yixiao Yang

DOI: https://doi.org/10.48550/arXiv.2211.04712

2022-11-09

Abstract:The control logic models built by Simulink or Ptolemy have been widely used in industry scenes. It is an urgent need to ensure the safety and security of the control logic models. Test case generation technologies are widely used to ensure the safety and security. State-of-the-art model testing tools employ model checking techniques or search-based methods to generate test cases. Traditional search based techniques based on Simulink simulation are plagued by problems such as low speed and high overhead. Traditional model checking techniques such as symbolic execution have limited performance when dealing with nonlinear elements and complex loops. Recently, coverage guided fuzzing technologies are known to be effective for test case generation, due to their high efficiency and impressive effects over complex branches of loops. In this paper, we apply fuzzing methods to improve model testing and demonstrate the effectiveness. The fuzzing methods aim to cover more program branches by mutating valuable seeds. Inspired by this feature, we propose a novel integration technology SPsCGF, which leverages bounded model checking for symbolic execution to generate test cases as initial seeds and then conduct fuzzing based upon these worthy seeds. In this manner, our work combines the advantages of the model checking methods and fuzzing techniques in a novel way. Since the control logic models always receive signal inputs, we specifically design novel mutation operators for signals to improve the existing fuzzing method in model testing. Over the evaluated benchmarks which consist of industrial cases, SPsCGF could achieve 8% to 38% higher model coverage and 3x-10x time efficiency compared with the state-of-the-art works.

Software Engineering

Jaekwon Lee,Enrico Viganò,Oscar Cornejo,Fabrizio Pastore,Lionel Briand

DOI: https://doi.org/10.48550/arXiv.2308.07949

2023-08-15

Software Engineering

Abstract:Mutation testing can help reduce the risks of releasing faulty software. For such reason, it is a desired practice for the development of embedded software running in safety-critical cyber-physical systems (CPS). Unfortunately, state-of-the-art test data generation techniques for mutation testing of C and C++ software, two typical languages for CPS software, rely on symbolic execution, whose limitations often prevent its application (e.g., it cannot test black-box components). We propose a mutation testing approach that leverages fuzz testing, which has proved effective with C and C++ software. Fuzz testing automatically generates diverse test inputs that exercise program branches in a varied number of ways and, therefore, exercise statements in different program states, thus maximizing the likelihood of killing mutants, our objective. We performed an empirical assessment of our approach with software components used in satellite systems currently in orbit. Our empirical evaluation shows that mutation testing based on fuzz testing kills a significantly higher proportion of live mutants than symbolic execution (i.e., up to an additional 47 percentage points). Further, when symbolic execution cannot be applied, fuzz testing provides significant benefits (i.e., up to 41% mutants killed). Our study is the first one comparing fuzz testing and symbolic execution for mutation testing; our results provide guidance towards the development of fuzz testing tools dedicated to mutation testing.

Xiaoqi Zhao,Haipeng Qu,Wenjie Lv,Shuo Li,Jianliang Xu

DOI: https://doi.org/10.3390/math9030205

IF: 2.4

2021-01-01

Mathematics

Abstract:Coverage-based Greybox Fuzzing (CGF) is a practical and effective solution for finding bugs and vulnerabilities in software. A key challenge of CGF is how to select conducive seeds and allocate accurate energy. To address this problem, we propose a novel many-objective optimization solution, MooFuzz, which can identify different states of the seed pool and continuously gather different information about seeds to guide seed schedule and energy allocation. First, MooFuzz conducts risk marking in dangerous positions of the source code. Second, it can automatically update the collected information, including the path risk, the path frequency, and the mutation information. Next, MooFuzz classifies seed pool into three states and adopts different objectives to select seeds. Finally, we design an energy recovery mechanism to monitor energy usage in the fuzzing process and reduce energy consumption. We implement our fuzzing framework and evaluate it on seven real-world programs. The experimental results show that MooFuzz outperforms other state-of-the-art fuzzers, including AFL, AFLFast, FairFuzz, and PerfFuzz, in terms of path discovery and bug detection.

Joshua Bundt,Andrew Fasano,Brendan Dolan-Gavitt,William Robertson,Tim Leek

DOI: https://doi.org/10.1109/ICST57152.2023.00020

2022-12-22

Abstract:Fuzz testing is often automated, but also frequently augmented by experts who insert themselves into the workflow in a greedy search for bugs. In this paper, we propose Homo in Machina, or HM-fuzzing, in which analyses guide the manual efforts, maximizing benefit. As one example of this paradigm, we introduce compartment analysis. Compartment analysis uses a whole-program dominator analysis to estimate the utility of reaching new code, and combines this with a dynamic analysis indicating drastically under-covered edges guarding that code. This results in a prioritized list of compartments, i.e., large, uncovered parts of the program semantically partitioned and largely unreachable given the current corpus of inputs under consideration. A human can use this categorization and ranking of compartments directly to focus manual effort, finding or fashioning inputs that make the compartments available for future fuzzing. We evaluate the effect of compartment analysis on seven projects within the OSS-Fuzz corpus where we see coverage improvements over AFL++ as high as 94%, with a median of 13%. We further observe that the determination of compartments is highly stable and thus can be done early in a fuzzing campaign, maximizing the potential for impact.

Cryptography and Security

Marcel Böhme,Van-Thuan Pham,Abhik Roychoudhury

DOI: https://doi.org/10.1145/2976749.2978428

2016-10-24

Abstract:Coverage-based Greybox Fuzzing (CGF) is a random testing approach that requires no program analysis. A new test is generated by slightly mutating a seed input. If the test exercises a new and interesting path, it is added to the set of seeds; otherwise, it is discarded. We observe that most tests exercise the same few "high-frequency" paths and develop strategies to explore significantly more paths with the same number of tests by gravitating towards low-frequency paths. We explain the challenges and opportunities of CGF using a Markov chain model which specifies the probability that fuzzing the seed that exercises path i generates an input that exercises path j. Each state (i.e., seed) has an energy that specifies the number of inputs to be generated from that seed. We show that CGF is considerably more efficient if energy is inversely proportional to the density of the stationary distribution and increases monotonically every time that seed is chosen. Energy is controlled with a power schedule. We implemented the exponential schedule by extending AFL. In 24 hours, AFLFAST exposes 3 previously unreported CVEs that are not exposed by AFL and exposes 6 previously unreported CVEs 7x faster than AFL. AFLFAST produces at least an order of magnitude more unique crashes than AFL.

Gen Zhang,Pengfei Wang,Tai Yue,Xiangdong Kong,Shan Huang,Xu Zhou,Kai Lu

DOI: https://doi.org/10.14722/ndss.2022.24314

2024-01-29

Abstract:Coverage-guided gray-box fuzzing (CGF) is an efficient software testing technique. There are usually multiple objectives to optimize in CGF. However, existing CGF methods cannot successfully find the optimal values for multiple objectives simultaneously. In this paper, we propose a gray-box fuzzer for multi-objective optimization (MOO) called MobFuzz. We model the multi-objective optimization process as a multi-player multi-armed bandit (MPMAB). First, it adaptively selects the objective combination that contains the most appropriate objectives for the current situation. Second, our model deals with the power schedule, which adaptively allocates energy to the seeds under the chosen objective combination. In MobFuzz, we propose an evolutionary algorithm called NIC to optimize our chosen objectives simultaneously without incurring additional performance overhead. To prove the effectiveness of MobFuzz, we conduct experiments on 12 real-world programs and the MAGMA data set. Experiment results show that multi-objective optimization in MobFuzz outperforms single-objective fuzzing in the baseline fuzzers. In contrast to them, MobFuzz can select the optimal objective combination and increase the values of multiple objectives up to 107%, with at most a 55% reduction in the energy consumption. Moreover, MobFuzz has up to 6% more program coverage and finds 3x more unique bugs than the baseline fuzzers. The NIC algorithm has at least a 2x improvement with a performance overhead of approximately 3%.

Cryptography and Security,Software Engineering

Dong Li,Linghuan Hu,Ruizhi Gao,W. Eric Wong,D. Richard Kuhn,Raghu N. Kacker

DOI: https://doi.org/10.1109/qrs-c.2017.131

2017-01-01

Abstract:Software, in many different fields and tasks, has played a critical role and even replaced humans to improve efficiency and safety. However, catastrophic consequences can be caused by implementation bugs and design defects. Modified condition/decision coverage (MC/DC), required by the Federal Aviation Administration on Level A (the most safety critical system), has been shown to be effective in detecting software bugs. However, generating tests to achieve high MC/DC can be very expensive and time consuming. Recently, many studies showed that combinatorial testing (CT) could generate high-quality test cases in a cost-effective way. Can CT generate test cases to achieve high MC/DC? In this paper, we conduct an empirical study on two real-life programs to evaluate the efficiency and effectiveness of using combinatorial testing to improve MC/DC coverage achievement, as well as the fault detection strength.

Chen Chen,Zhouguo Chen,Yongle Hao,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-319-69811-3_37

2018-01-01

Abstract:Fuzzing is an effective and widely used technique to find bugs and vulnerabilities in program. It triggers the vulnerable condition in program execution by inputting randomly-mutated seeds into program to be tested. It is difficult for random fuzzing to find bugs hided deeply in the target program with complex structured input formats due to its blindly emitting random data. In this paper, we propose an effective model-based fuzzing system, named Mocov, which leverages the coverage-guided technology. Mocov uses model-based technology to find deeply-hided bugs in the target program and uses instrumentation approach to feedback the runtime information in order to avoid blindness. It has the advantages and avoids the disadvantages of both technologies. We test the Mocov using a program elaborately designed. The result showed that it can generate fine seeds and improve the code coverage compared with Peach.

Jun-Ru Chang,Chin-Yu Huang

DOI: https://doi.org/10.1109/compsac.2007.44

2007-01-01

Abstract:The coverage criteria of verification techniques play an important role in software development and testing. The goal is to reduce the size of test suites to economize on time, and to ensure whether all statements (or conditions) are covered. We can use these criteria to track test progress, assess current situations, predict emerging events, and so on. Thus we can take the necessary actions upon early indications that testing activity is falling behind. Modified condition/decision coverage (MC/DC) was proposed by NASA in 1994, and had been widely adopted and discussed since then. As evident from the definition, MC/DC criterion is used to judge whether each Boolean operator can be satisfied or not. However, we find that the selected test cases sometimes may not be able to satisfy the original definition of MC/DC under some Boolean expressions. In this paper, we will propose a simple but useful method which focuses on all conditions of Boolean expression to practice MC/DC. Specifically, our proposed approach will use n-cube graph and Gray code to implement the MC/DC criterion. We will further show how to use the proposed method to differentiate the necessary and redundancy test cases. Finally, a practical regression testing tool, TASTE (Tool for Automatic Software regression TEsting), will be presented in this paper. An example is given to illustrate the detailed working process and is explained in detail.

Zhuo Su,Zehong Yu,Dongyan Wang,Wanli Chang,Bin Gu,Yu Jiang

DOI: https://doi.org/10.1145/3691620.3694991

2024-01-01

Abstract:Simulink plays an important role in the industry for modeling and synthesis of embedded systems. Ensuring system stability requires using numerous test cases to validate the functionality and safety of the models. However, as requirements increase, the complexity of the models poses new challenges to traditional testing methods. Traditional methods such as constraint solving and random search run into significant obstacles when navigating the complex branching logic and states within models. In this paper, we introduce HybridTCG, a test case generation method by collaborating model fuzzing and state solving for Simulink models. First, HybridTCG starts a code-based fuzzer to generate high-coverage test cases rapidly. Then, it refines the test cases generated by the fuzzer, preserving only those that can achieve new model coverage. These selected test cases are input into the state-solving engine to derive corresponding states and resolve the constraints of subsequent branches. Ultimately, the test cases produced by the solving engine will be fed back into the fuzzer as high-quality seeds to enhance the fuzzing process. We have implemented HybridTCG and conducted a comprehensive evaluation using various benchmark Simulink models. Compared to the built-in Simulink Design Verifier and state-of-the-art academic work SimCoTest and STCG, HybridTCG achieves an average improvement of 54%, 108% and 24% on Decision Coverage, 50%, 62% and 6% on Condition Coverage, 291%, 282% and 45% on Modified Condition Decision Coverage, respectively. Moreover, HybridTCG is also much more efficient in testing than other tools.

Hanxiang Xu,Wei Ma,Ting Zhou,Yanjie Zhao,Kai Chen,Qiang Hu,Yang Liu,Haoyu Wang

2024-12-19

Abstract:In recent years, the programming capabilities of large language models (LLMs) have garnered significant attention. Fuzz testing, a highly effective technique, plays a key role in enhancing software reliability and detecting vulnerabilities. However, traditional fuzz testing tools rely on manually crafted fuzz drivers, which can limit both testing efficiency and effectiveness. To address this challenge, we propose an automated fuzz testing method driven by a code knowledge graph and powered by an LLM-based intelligent agent system, referred to as CKGFuzzer. We approach fuzz driver creation as a code generation task, leveraging the knowledge graph of the code repository to automate the generation process within the fuzzing loop, while continuously refining both the fuzz driver and input seeds. The code knowledge graph is constructed through interprocedural program analysis, where each node in the graph represents a code entity, such as a function or a file. The knowledge graph-enhanced CKGFuzzer not only effectively resolves compilation errors in fuzz drivers and generates input seeds tailored to specific API usage scenarios, but also analyzes fuzz driver crash reports, assisting developers in improving code quality. By querying the knowledge graph of the code repository and learning from API usage scenarios, we can better identify testing targets and understand the specific purpose of each fuzz driver. We evaluated our approach using eight open-source software projects. The experimental results indicate that CKGFuzzer achieved an average improvement of 8.73% in code coverage compared to state-of-the-art techniques. Additionally, CKGFuzzer reduced the manual review workload in crash case analysis by 84.4% and successfully detected 11 real bugs (including nine previously unreported bugs) across the tested libraries.

Software Engineering,Cryptography and Security

Gen Zhang,Xu Zhou

DOI: https://doi.org/10.7763/ijmo.2018.v8.622

2018-01-01

International Journal of Modeling and Optimization

Abstract:Fuzzing is an efficient testing technique to expose bugs and vulnerabilities, and fuzzers extended with coverage information can generate interesting results and find potential bugs in programs.However, previous coverage-based fuzzers, such as American Fuzzy Lop (AFL), fail to realize the importance of the order of input test cases or they are unable to adopt significant and useful coverage information, so some of them suffer from dramatically poor performance.Meanwhile, the main idea of test case prioritization (TCP) in the field of software testing is to rank the test cases according to a certain rule, helping expose bugs and vulnerabilities.Thus our work concentrates on complementing AFL with the characteristics of TCP and improving the performance of the original AFL.In this paper, we present a brand-new fuzzing technique combining essential and practical coverage information and prioritization properties commonly used in TCP, which fundamentally enhancing the process of creating new test cases and finding bugs.We implement our method by extending state-ofthe-art fuzzer AFL with TCP techniques and evaluate it on 6 widely-used and open source programs from GNU.We conduct experiments on 6 target programs to illustrate our performance on bug detection.On all of these experiments, improvement of our method is witnessed and significantly better outcomes are generated.

Liu Yu,Shen Yanlong,Zhou Ying

2024-08-13

Abstract:Stateful Coverage-Based Greybox Fuzzing (SCGF) is considered the state-of-the-art method for network protocol greybox fuzzing. During the protocol fuzzing process, SCGF constructs the state machine of the target protocol by identifying protocol states. Optimal states are selected for fuzzing using heuristic methods, along with corresponding seeds and mutation regions, to effectively conduct fuzz testing. Nevertheless, existing SCGF methodologies prioritise the selection of protocol states without considering the correspondence between program basic block coverage information and protocol states. To address this gap, this paper proposes a statemap-based reverse state selection method for SCGF. This approach prioritises the coverage information of fuzzy test seeds, and delves deeper into the correspondence between the basic block coverage information of the programme and the protocol state, with the objective of improving the bitmap coverage. The state map is employed to simplify the state machine representation method. Furthermore, the design of different types of states has enabled the optimisation of the method of constructing message sequences, the reduction in the length of message sequences further improve the efficiency of test case execution. By optimising the SCGF, we developed SMGFuzz and conducted experiments utilising Profuzzbench in order to assess the testing efficiency of SMGFuzz.The results indicate that compared to AFLNet, SMGFuzz achieved an average increase of 12.48% in edges coverage, a 50.1% increase in unique crashes and a 40.2% increase in test case execution speed over a period of 24 hours.

Cryptography and Security

Mingzhe Wang,Jie Liang,Yuanliang Chen,Yu Jiang,Xun Jiao,Han Liu,Xibin Zhao,Jiaguang Sun

DOI: https://doi.org/10.1145/3183440.3183494

2018-01-01

Abstract:Mutation-based fuzzing is a widely used software testing technique for bug and vulnerability detection, and the testing performance is greatly affected by the quality of initial seeds and the effectiveness of mutation strategy. In this paper, we present SAFL1, an efficient fuzzing testing tool augmented with qualified seed generation and efficient coverage-directed mutation. First, symbolic execution is used in a lightweight approach to generate qualified initial seeds. Valuable explore directions are learned from the seeds, thus the later fuzzing process can reach deep paths in program state space earlier and easier. Moreover, we implement a fair and fast coverage-directed mutation algorithm. It helps the fuzzing process to exercise rare and deep paths with higher probability. We implement SAFL based on KLEE and AFL and conduct thoroughly repeated evaluations on real-world program benchmarks against state-of-the-art versions of AFL. After 24 hours, compared to AFL and AFLFast, it discovers 214% and 133% more unique crashes, covers 109% and 63% more paths and achieves 279% and 180% more covered branches. Video link: https://youtu.be/LkiFLNMBhVE

Jun Li,Chao Zhang

DOI: https://doi.org/10.12783/dtcse/cimns2017/17417

2017-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Coverage-based fuzzing is widely used in finding program bugs. While state-of-the-art coverage-based fuzzers, either ignore the differences between newly discovered edges or consider only control flow features (e.g., depth) when prioritizing seeds for mutation. In this paper, we propose a semantic sensitive coverage-based fuzzing solutions, SSFuzzer. When new edges are discovered during fuzzing, it evaluates the semantic features of the new edges and update the weights of testcases. Seeds with heavier weights will first be picked to mutate and be given more energy to mutate (i.e., more testcases will be generated). We evaluate not only positive semantic features (e.g., memory access) but also negative ones (e.g., error handling) of edges. We implemented a prototype based on AFL. Experiment results demonstrate that SSFuzzer can discover vulnerabilities faster.

Hassan Sartaj,Muhammad Zohaib Iqbal,Atif Aftab Ahmed Jilani,Muhammad Uzair Khan

DOI: https://doi.org/10.1002/stvr.1906

2024-11-10

Software Testing Verification and Reliability

Abstract:This paper introduces an efficient method for automating modified condition/decision coverage (MC/DC) test data generation in model‐based testing, employing a strategy that uses case‐based reasoning (CBR) and range reduction heuristics to solve MC/DC‐tailored Object Constraint Language (OCL) constraints. Results indicate that CBR and range reduction outperform the baseline approach in MC/DC test data generation. Furthermore, their combination presents an effective alternative to existing constraint solvers. System‐level testing of avionics software systems requires compliance with different international safety standards such as DO‐178C. An important consideration of the avionics industry is automated test data generation according to the criteria suggested by safety standards. One of the recommended criteria by DO‐178C is the modified condition/decision coverage (MC/DC) criterion. Current model‐based test data generation approaches use constraints written in Object Constraint Language (OCL) and apply search techniques to generate test data. These approaches either do not support MC/DC criterion or suffer from performance issues while generating test data for large‐scale avionics systems. In this paper, we propose an effective way to automate MC/DC test data generation during model‐based testing. We develop a strategy that utilizes case‐based reasoning (CBR) and range reduction heuristics designed to solve MC/DC‐tailored OCL constraints. We performed an empirical study to compare our proposed strategy for MC/DC test data generation using CBR, range reduction, both CBR and range reduction, with an original search algorithm, and random search. We also empirically compared our strategy with existing constraint‐solving approaches. The results show that both CBR and range reduction for MC/DC test data generation outperform the baseline approach. Moreover, the combination of both CBR and range reduction for MC/DC test data generation is an effective approach compared to existing constraint solvers.

computer science, software engineering