
Generator-Based Fuzzers with Type-Based Targeted Mutation

Soha Hussein, Stephen McCamant, Mike Whalen

TL;DR

This work tackles the inefficiency of generator-based fuzzers (GBF) that arises from uniform mutation, by introducing type-based targeted mutation augmented with constant string lookup for Java GBF. The approach statically identifies the influencing input types that drive branch decisions, dynamically annotates the fuzzer-chosen input (FCI) with these types using execution indexing, and biases mutations toward the generator components that produce influencing types, while preserving exploration through a share of random mutations. Evaluated on AWS Lambda benchmarks, SpotOn achieves a geometric-mean application-branch coverage gain of 18.2% and a total coverage gain of 43.2%, showing that type-aware mutation can rival or surpass traditional GBF and CGF approaches while remaining lighter than heavy data-flow analyses. The method shows practical value for focusing fuzzing on application logic within large, library-heavy serverless programs, and points to future work on recursive types, broader benchmarks, and automated generator generation.

Abstract

As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques were particularly crafted for GBF, where input generators are used to construct program inputs. The observation is that input generators carry information about the input structure that is naturally present through the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-parts (types) of the input will likely influence a branching decision, then focusing on mutating the choices of the generators constructing these types is likely to achieve the desired coverage. We used our technique to fuzz AWS Lambda applications. Results compared to a baseline GBF tool show an almost 20% average improvement in application coverage, and larger improvements when third-party code is included.
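The following is an added toy model of the mutation heuristic described above, written for this page in Python; it is not SpotOn's Java implementation and none of its names come from the paper. The target program, its string constants, and the set of influencing types are all constructed for the example: the static analysis that would find the types used in branch conditions is replaced by the hand-written INFLUENCING_TYPES set, and execution indexing is reduced to generators recording, as they consume each choice of the fuzzer-chosen input (FCI), the type that choice produced. The fuzz loop then biases mutation toward FCI positions annotated with influencing types, uses constant string lookup when mutating string-typed positions, and keeps a random-mutation fallback so that non-influencing positions (here the readable flag) can still change.

```python
import random
from dataclasses import dataclass, field

# --- Constructed target program (stands in for the thumbnail snippet of Figure 1) ---

# Constant strings a lookup pass would harvest from the target (constructed for this example).
PROGRAM_STRING_CONSTANTS = [".jpg", ".png", "thumb_"]
# Types the (here hand-written) static pass found in the target's branch conditions:
# the year comparison is on int, the extension check is on str.
INFLUENCING_TYPES = {"int", "str"}


@dataclass
class ImageFile:
    name: str
    year: int
    readable: bool


def target(f, covered):
    """Program under test; records the branches it executed into `covered`."""
    if not f.readable:
        covered.add("unreadable")
        return None
    if f.year != 2020:
        covered.add("year_mismatch")
        return None
    if not f.name.endswith(".jpg"):
        covered.add("skip_non_jpg")
        return None
    covered.add("make_thumbnail")
    return "thumb_" + f.name


# --- Generator-based fuzzer with a type-annotated FCI ---

@dataclass
class FCI:
    """Fuzzer-chosen input: raw choices plus a position -> type map that the
    generators fill in as they consume the choices (a simplified stand-in for
    execution-indexed type annotation)."""
    choices: list
    annotations: dict = field(default_factory=dict)
    pos: int = 0

    def next_choice(self, type_name, default):
        if self.pos >= len(self.choices):
            self.choices.append(default)
        self.annotations[self.pos] = type_name
        value = self.choices[self.pos]
        self.pos += 1
        return value


def gen_int(fci, lo, hi):
    return lo + int(fci.next_choice("int", 0)) % (hi - lo + 1)


def gen_str(fci):
    return str(fci.next_choice("str", ""))


def gen_bool(fci):
    return int(fci.next_choice("bool", 1)) % 2 == 1


def gen_image_file(fci):
    # Generator composition mirrors the type structure of the program input.
    return ImageFile(gen_str(fci), gen_int(fci, 1990, 2030), gen_bool(fci))


def run(fci):
    """Regenerate the input from an FCI, execute the target, return branches hit."""
    fci.pos = 0
    fci.annotations = {}
    covered = set()
    target(gen_image_file(fci), covered)
    return covered


def pick_position(rng, fci, targeted_prob):
    """Type-based targeting: with probability targeted_prob mutate a position whose
    annotated type is influencing; otherwise pick uniformly (keeps exploration)."""
    influencing = [p for p, t in fci.annotations.items() if t in INFLUENCING_TYPES]
    if influencing and rng.random() < targeted_prob:
        return rng.choice(influencing)
    return rng.randrange(len(fci.choices))


def mutate_value(rng, type_name, old):
    if type_name == "str":
        # Constant string lookup: half the time substitute a literal from the program.
        if rng.random() < 0.5:
            return rng.choice(PROGRAM_STRING_CONSTANTS)
        return old + rng.choice("abcxyz.")
    if type_name == "int":
        return rng.randrange(0, 4096)
    return rng.randrange(0, 2)


def mutate(rng, parent, targeted_prob):
    child = FCI(list(parent.choices), dict(parent.annotations))
    p = pick_position(rng, child, targeted_prob)
    child.choices[p] = mutate_value(rng, child.annotations[p], child.choices[p])
    return child


def fuzz(seed, targeted_prob, iterations=5000, goal="make_thumbnail"):
    """Coverage-guided GBF loop: returns the iteration at which `goal` was first
    covered, or None if the budget ran out."""
    rng = random.Random(seed)
    seed_input = FCI(["", 0, 1])  # name "", year 1990, readable
    covered = run(seed_input)
    corpus = [seed_input]
    for i in range(iterations):
        child = mutate(rng, rng.choice(corpus), targeted_prob)
        new = run(child) - covered
        if new:
            covered |= new
            corpus.append(child)
        if goal in covered:
            return i
    return None


if __name__ == "__main__":
    print("targeted:", fuzz(seed=1, targeted_prob=0.8))
    print("uniform: ", fuzz(seed=1, targeted_prob=0.0))
```

Setting targeted_prob to 1.0 would never mutate the bool position, which is exactly why the heuristic keeps a random share: an input that starts out unreadable could then never reach the year and extension checks at all.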

Paper Structure (19 sections, 1 equation, 15 figures, 3 tables, 1 algorithm)


Figures (15)

  • Figure 1: A program snippet that creates thumbnails for images of a specific year.
  • Figure 2: Generator-Based Fuzzer - FCI is the fuzzer chosen input
  • Figure 3: A snippet of generators
  • Figure 4: FCI used in generating a File from FileWithAttributesGenerator with our extension of Type annotation
  • Figure 5: Overall Process of Type-Based Targeted Mutation
  • ...and 10 more figures