Inasmuch as there apparently is now a fuzz test script (courtesy of Michal Zalewski, < http://lcamtuf.blogspot.ie/2014/10/bash-bug-how-we-finally-cracked.html >) that identifies the bash bug...

I believe it would be interesting to measure the combinatorial coverage of the fuzz tests. So we would be able to say what percentage of 2-way, 3-way, etc. combinations are covered, which would be useful in understanding the difficulty of finding the bug using tests. For example, it may be that the test script produces a high level of 4-way combination coverage, suggesting that the bug is complex and that a high proportion of the possible input space needs to be covered by tests to detect the problem (i.e., that we would need 4-way or 5-way testing). This may depend on how tailored the fuzz tests are for finding this particular bug. Obviously they could be very narrowly tailored and not cover much of the input space. We would have to measure the coverage to see.

I'm asking this group for feedback... do you think the fuzz test scripts that have been developed could be analyzed in this way? To measure the combination coverage, we just need test values in a matrix or spreadsheet format, where each row is a test and each column represents a parameter. Could we run the fuzz test scripts and produce such a matrix? Please let me know.

-- Rick
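As an added example (not part of Rick's post, and not Michal Zalewski's script), here is how the measurement described above can be computed once the fuzz cases are in the matrix form Rick asks for. The CSV, the parameter names A/B/C and their values are constructed for illustration. The measure is the usual t-way combination coverage: for each set of t parameters, the fraction of all possible value tuples that at least one test row exercises. Domains can be inferred from the matrix (in which case 1-way coverage is always 100%) or supplied explicitly, which is what exposes values a narrowly tailored fuzzer never tries.

```python
"""
t-way combinatorial coverage of a test matrix (rows = tests, columns = parameters).
For every set of t parameters, count the value tuples that some test exercises
against all tuples the parameter domains allow.
"""
import csv
import io
from itertools import combinations, product

# Constructed sample matrix, not the output of any real fuzzer. Three parameters
# with two, two and three distinct values respectively; five test rows.
SAMPLE_CSV = """\
A,B,C
a1,b1,c1
a1,b2,c2
a2,b1,c3
a2,b2,c1
a1,b1,c2
"""


def parse_matrix(text):
    """Parse CSV with a header row into (parameter names, list of test dicts)."""
    rows = list(csv.reader(io.StringIO(text)))
    header = rows[0]
    tests = [dict(zip(header, r)) for r in rows[1:] if r]
    return header, tests


def infer_domains(header, tests):
    """Parameter domains taken as the set of values actually present in the matrix."""
    return {p: sorted({t[p] for t in tests}) for p in header}


def tway_coverage(header, tests, t, domains=None):
    """Return (covered, total, missing).

    covered/total is the t-way combination coverage. missing maps each
    parameter t-tuple to the value tuples no test exercised. With domains=None
    the domains are inferred from the matrix, so values the fuzzer never tried
    are invisible; pass the intended domains explicitly to see those gaps.
    """
    if t < 1 or t > len(header):
        raise ValueError("t must be between 1 and the number of parameters")
    domains = domains if domains is not None else infer_domains(header, tests)
    covered = total = 0
    missing = {}
    for combo in combinations(header, t):
        possible = set(product(*(domains[p] for p in combo)))
        seen = {tuple(test[p] for p in combo) for test in tests}
        hit = seen & possible  # values outside the declared domain do not count
        covered += len(hit)
        total += len(possible)
        if possible - hit:
            missing[combo] = sorted(possible - hit)
    return covered, total, missing


def coverage_report(text, max_t=None, domains=None):
    """Map t -> (covered, total) for t = 1..max_t (default: all parameters)."""
    header, tests = parse_matrix(text)
    max_t = max_t or len(header)
    return {t: tway_coverage(header, tests, t, domains)[:2]
            for t in range(1, max_t + 1)}


if __name__ == "__main__":
    for t, (c, n) in coverage_report(SAMPLE_CSV).items():
        print(f"{t}-way: {c}/{n} = {c / n:.1%}")
```

Run against a real fuzzer's output, the matrix would have one column per slot the script varies (the parameters are whatever the script randomizes) and one row per generated case; the per-combination `missing` dictionary is what shows which regions of the input space the script never reached.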