SBIR-STTR Award

Dependable DevOps: Building Reliable and Secure Software via Automated Bug Finding
Award last edited on: 2/17/21

Sponsored Program: SBIR
Awarding Agency: DOD : AF
Total Award Amount: $74,942
Award Phase: 1
Solicitation Topic Code: AF192-005
Principal Investigator: Clark L Coleman

Company Information

Zephyr Software LLC

4826 Stony Point Road
Barboursville, VA 22923
   (434) 242-4280
   jwd@zephyr-software.com
   www.zephyr-software.com
Location: Single
Congr. District: 07
County: Greene

Phase I

Contract Number: FA8730-19-P-0025
Start Date: 00/00/00    Completed: 00/00/00
Phase I year: 2019
Phase I Amount: $74,942

Despite advances, modern software development methods still result in code being deployed with severe errors. There are many reasons for this, including growing software complexity and the rapid development required to deliver systems quickly. Unreliable software is especially problematic in high-value systems such as critical infrastructure (e.g., the power grid) or military and government systems, where bugs can result in severe security breaches. To improve software quality, we propose augmenting the software development process with automatic bug finding. This approach goes beyond relying solely on inadequate programmer-developed tests. Instead, software bugs are immediately and automatically discovered pre-deployment. Using Zafl, our automatic bug-finding system based on binary-only fuzzing, serious bugs can be found early in development. Because it is binary-only, Zafl integrates easily with complex build systems, as no changes to the development process are necessary. Instead, Zafl operates directly on built binary programs (which must already be packaged and shipped before software use). Key benefits of this approach are finding bugs in any source language (compiled in any manner) and automatically filing actionable bug reports. We propose to containerize Zafl for easy scaling to production environments and to include automatic bug reporting and forensics to help developers deploy significantly more dependable and secure software.

Phase II

Contract Number: ----------
Start Date: 00/00/00    Completed: 00/00/00
Phase II year: ----
Phase II Amount: ----