An Empirical Examination of Fuzzer Mutator Performance

Published: 11 September 2024

Abstract

Over the past decade, hundreds of fuzzers have been published in top-tier security and software engineering conferences. Fuzzers are used to automatically test programs, ideally creating high-coverage input corpora and finding bugs. Modern “greybox” fuzzers evolve a corpus of inputs by applying mutations to inputs and then executing those new inputs while collecting coverage. New inputs that are “interesting” (e.g., reveal new coverage) are saved to the corpus. Given their non-deterministic nature, the impact of each design decision on the fuzzer’s performance can be difficult to predict. Some design decisions (e.g., “Should the fuzzer perform deterministic mutations of inputs?”) are exposed to end-users as configuration flags, but others (e.g., “What kinds of random mutations to apply to inputs?”) are typically baked into the fuzzer code itself. This paper describes our over 12.5-CPU-year evaluation of the set of mutation operators employed by the popular AFL++ fuzzer, including the havoc phase and splicing, and explores the impact of adjusting some of those unexposed configurations. In this experience paper, we propose a methodology for determining different fuzzers’ behavioral diversity with respect to branch coverage and bug detection using rigorous statistical methods. Our key finding is that, across a range of targets, disabling certain mutation operators (some of which were previously “baked-in” to the fuzzer) resulted in inputs that cover different lines of code and reveal different bugs. A surprising result is that disabling certain mutators leads to more diverse coverage and allows the fuzzer to find more bugs faster. We call for researchers to investigate seemingly simple design decisions in fuzzers more thoroughly and encourage fuzzer developers to expose more configuration parameters pertaining to these design decisions to end users.
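The mutate, execute, collect-coverage, keep-if-interesting loop the abstract describes, written out as an added example (not the paper's artifact and not AFL++ code): a toy greybox fuzzer in Python whose mutator set (bit flips, interesting 32-bit values, insertion, deletion and splicing, stacked in a havoc-style stage) can be switched on or off per run, plus a `compare` helper that reports which branches only one configuration reached and the Jaccard similarity of two coverage sets, the kind of per-configuration measurement a diversity methodology needs. The target program, its branch identifiers, the constant list and every function name here are constructed for this example.

```python
import random

# Constructed "interesting" 32-bit constants, in the spirit of AFL-style values.
INTERESTING_32 = [0x11223344, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]


def run_target(data: bytes) -> set:
    """Constructed toy parser standing in for the program under test; returns branch ids taken."""
    cov = {"entry"}
    if data[:4] == b"FUZZ":
        cov.add("magic")
        if len(data) > 4 and data[4] == 0x7F:
            cov.add("byte4_0x7f")
        if len(data) >= 8 and int.from_bytes(data[4:8], "little") == 0x11223344:
            cov.add("int32_match")
    if b"\x00" in data:
        cov.add("has_nul")
    if len(data) > 32:
        cov.add("long_input")
    return cov


# Each mutator maps (data, rng, corpus) -> new data; only splice looks at the corpus.
def m_bitflip(d, rng, corpus):
    if not d:
        return d
    b = bytearray(d)
    b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    return bytes(b)


def m_interesting32(d, rng, corpus):
    if len(d) < 4:
        return d
    b = bytearray(d)
    i = rng.randrange(len(b) - 3)
    b[i:i + 4] = rng.choice(INTERESTING_32).to_bytes(4, "little")
    return bytes(b)


def m_insert(d, rng, corpus):
    i = rng.randint(0, len(d))
    return d[:i] + bytes(rng.randrange(256) for _ in range(rng.randint(1, 16))) + d[i:]


def m_delete(d, rng, corpus):
    if len(d) < 2:
        return d
    i = rng.randrange(len(d))
    return d[:i] + d[i + rng.randint(1, len(d) // 2):]


def m_splice(d, rng, corpus):
    """AFL-style splicing: prefix of this input joined to the suffix of another corpus entry."""
    other = rng.choice(corpus)
    if len(d) < 2 or len(other) < 2:
        return d
    return d[:rng.randrange(1, len(d))] + other[rng.randrange(1, len(other)):]


MUTATORS = {"bitflip": m_bitflip, "interesting32": m_interesting32,
            "insert": m_insert, "delete": m_delete, "splice": m_splice}


def havoc(data, rng, corpus, enabled, max_stack=4):
    """Havoc-style stage: stack 1..max_stack randomly chosen enabled mutators."""
    for _ in range(rng.randint(1, max_stack)):
        data = MUTATORS[rng.choice(enabled)](data, rng, corpus)
    return data


def fuzz(seeds, enabled=None, iterations=20000, seed=0):
    """Greybox loop: mutate, execute, keep children that reveal a new branch.
    `enabled` lists mutator names to use (None = all); the RNG seed fixes the run."""
    enabled = list(MUTATORS) if enabled is None else list(enabled)
    unknown = [n for n in enabled if n not in MUTATORS]
    corpus = list(seeds)
    if unknown or not enabled or not corpus:
        raise ValueError(f"empty seed corpus or bad mutator set: {unknown}")
    rng = random.Random(seed)
    coverage = set().union(*(run_target(s) for s in corpus))
    for _ in range(iterations):
        child = havoc(rng.choice(corpus), rng, corpus, enabled)
        cov = run_target(child)
        if not cov <= coverage:  # "interesting": at least one branch not seen before
            coverage |= cov
            corpus.append(child)
    return coverage, corpus


def compare(cov_a, cov_b):
    """Behavioural diversity of two configurations: exclusive branches and Jaccard similarity."""
    union = cov_a | cov_b
    sim = len(cov_a & cov_b) / len(union) if union else 1.0
    return sorted(cov_a - cov_b), sorted(cov_b - cov_a), sim


if __name__ == "__main__":
    full, _ = fuzz([b"FUZZ"])
    reduced, _ = fuzz([b"FUZZ"], enabled=["bitflip", "delete"])
    print("all mutators:", sorted(full), "\nreduced set:", sorted(reduced))
    print("only-all, only-reduced, jaccard:", compare(full, reduced))
```

Running the full set and a reduced set from the same seed gives two coverage sets to compare. With only `bitflip` enabled the input length can never change, so every branch guarded by a length check stays unreachable; that is the simplest mechanism by which removing a mutator changes the coverage profile rather than just slowing the fuzzer down. A real fuzzer measures edge coverage through compiler instrumentation and runs far longer, and a methodology like the paper's needs many repeated trials per configuration, since one seeded run such as this is a single sample, not a distribution.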

Published In

ISSTA 2024: Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
September 2024
1928 pages
ISBN:9798400706127
DOI:10.1145/3650212

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

  1. empirical studies
  2. fuzzing evaluation
  3. mutators