Fine-Grained Coverage-Based Fuzzing

Fuzzing is a popular software testing method that discovers bugs by massively feeding target applications with automatically generated inputs. Many state-of-art fuzzers use branch coverage as feedback metric to guide the fuzzing process. The fuzzer retains inputs for further mutation only if increased. However, provides shallow sampling of program behaviours and hence may discard interesting mutate. This work aims at taking advantage large body research over defining finer-grained code metrics (such control-flow, data-flow or coverage) evaluating how performance impacted when using these select mutation. We propose make coverage-based support most fine-grained out box (i.e., without changing internals). achieve this making test objectives defined conditions activate mutants kill) explicit new branches in program. such modified then equivalent original target, but will also retain covering additional In addition, all mechanisms penetrate hard-to-cover help objectives. approach evaluate impact supporting two (multiple condition weak mutation) state-of-the-art (AFL++ QSYM) standard LAVA-M MAGMA benchmarks. evaluation suggests our mechanism runtime guidance, where fuzzed instrumented branches, effective could be leveraged encode guidance from human users static analysers. Our results show hard predict before fuzzing, time either neutral negative. As consequence, we do not recommend them fuzzers, except maybe some possibly favorable circumstances yet investigate, like limited parts complement classical campaigns.