Learning Inputs in Greybox Fuzzing
This addresses a bottleneck in software testing and security for developers and security researchers, offering an incremental improvement over existing greybox fuzzing methods.
The paper tackles the challenge of covering code guarded by complex checks in greybox fuzzing by introducing a technique that learns new inputs from explored executions to guide exploration toward increased path coverage or vulnerability detection. The technique significantly improves path coverage (up to 3X) and bug detection (up to 38% more) compared to traditional greybox fuzzing on 26 real-world benchmarks.
Greybox fuzzing is a lightweight testing approach that effectively detects bugs and security vulnerabilities. However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by complex checks. In this paper, we present a technique that extends greybox fuzzing with a method for learning new inputs based on already explored program executions. These inputs can be learned such that they guide exploration toward specific executions, for instance, ones that increase path coverage or reveal vulnerabilities. We have evaluated our technique and compared it to traditional greybox fuzzing on 26 real-world benchmarks. In comparison, our technique significantly increases path coverage (by up to 3X) and detects more bugs (up to 38% more), often orders-of-magnitude faster.