Speeding Up Bug Finding Using Focused Fuzzing

13TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2018) (2019)

Abstract
Greybox fuzzing has recently emerged as a scalable and practical approach to finding security bugs in software. For example, AFL, the current state-of-the-art greybox fuzzer, has found hundreds of vulnerabilities in popular software since its release in 2013. The combination of lightweight coverage instrumentation and a simple evolutionary algorithm allows AFL to quickly generate inputs that exercise new code. AFL also obviates the need to manually set ad hoc fuzzing ratios, which has been a major limitation of classical black-box fuzzers. Instead, AFL's first fuzzing pass exhaustively applies a set of mutations to every byte of a program input. While this approach allows for more thorough exploration of the input space, and therefore improves the chances of finding complex bugs, it also drastically slows down the fuzzing progress for "heavyweight" programs, i.e. programs that take large inputs. This makes AFL less suitable for fuzzing input formats with large size overhead, such as various document formats. In this paper, we propose focused fuzzing as a practical trade-off between thoroughness and speed for fuzzers that employ input mutation. We extend the notion of code coverage to individual bytes of input, and show how forward dynamic slicing can be used to efficiently determine the set of program instructions that are affected by a particular input byte. This information can then be used to restrict expensive mutations to a small subset of input bytes. We implement focused fuzzing on top of AFL and evaluate it on four "real-life" Linux programs. Our evaluation shows that focused fuzzing noticeably improves bug discovery compared to vanilla AFL.
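The per-byte coverage idea from the abstract, as an added toy example that is not the paper's implementation: a constructed record parser propagates explicit taint labels (a stand-in for the paper's forward dynamic slicing) so each branch records which input offsets reach it, and the exhaustive deterministic pass is then restricted to those offsets instead of every byte of the input. The 'MZ' magic, the checksum branch and the planted "crash" condition are all assumptions made for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class T:
    """Tainted integer: its value plus the set of input offsets it was derived from."""
    v: int
    src: frozenset[int] = frozenset()
    def __add__(self, o: "T") -> "T":
        return T(self.v + o.v, self.src | o.src)

def parse(data: bytes, cov: dict[str, set[int]]) -> str:
    """Constructed toy parser; each branch records the offsets its condition depends on."""
    t = [T(b, frozenset({i})) for i, b in enumerate(data)]
    def branch(bid: str, *vals: T) -> None:
        cov.setdefault(bid, set()).update(*(x.src for x in vals))
    if len(t) < 4:
        return "short"
    branch("magic", t[0], t[1])
    if (t[0].v, t[1].v) != (0x4D, 0x5A):            # assumed 'MZ' magic
        return "bad-magic"
    branch("len", t[2])
    if t[2].v > len(t) - 3:
        return "bad-len"
    total = T(0)
    for x in t[3:3 + t[2].v]:                       # checksum over the payload only
        total = total + x
    branch("csum", total)
    return "crash" if total.v % 256 == 0x42 else "ok"   # planted bug behind the csum branch

def per_byte_coverage(data: bytes) -> dict[int, set[str]]:
    """Invert branch->offsets into offset->branches: the bytes that influence control flow."""
    cov: dict[str, set[int]] = {}
    parse(data, cov)
    out: dict[int, set[str]] = {}
    for bid, offs in cov.items():
        for o in offs:
            out.setdefault(o, set()).add(bid)
    return out

def focus_set(data: bytes) -> list[int]:
    return sorted(per_byte_coverage(data))   # offsets worth the expensive mutations

def deterministic_pass(data: bytes, offsets: list[int]) -> tuple[int, int]:
    """Try all 256 values at each given offset; return (inputs executed, crashes found)."""
    mutants = [data[:o] + bytes([v]) + data[o + 1:] for o in offsets for v in range(256)]
    return len(mutants), sum(parse(m, {}) == "crash" for m in mutants)
```

With a 26-byte seed whose last 20 bytes are padding the parser never inspects, the focused pass runs 6 x 256 executions and finds the same three crashing inputs as the full 26 x 256 pass.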
Keywords
fuzzing, AFL, dynamic slicing, focused fuzzing