Gray-Box Fuzzing in Local Space
Martin Jonáš, Jan Strejček, Marek Trtík
TL;DR
This paper formalizes gray-box fuzzing in which probes record atomic Boolean expressions (ABEs) and signed distances along a program path. It defines a coverage problem that seeks an input reproducing the path's ABE order and outcomes with the last ABE inverted, and introduces a local-space embedding (orthonormal bases) and a constraint system to guide gradient- and search-based input generation. An algorithm combining gradient steps, bit mutations, and random sampling in the local space is proposed and evaluated on TestComp 2024, showing improvement over the prior Fizzer version in path/branch coverage. The results indicate that reduced-instrumentation, taint-informed local-space search can explore new execution paths more effectively under tight time/memory budgets, offering practical gains for gray-box fuzzers.
Abstract
We consider gray-box fuzzing of a program instrumented such that information about the evaluation of program expressions converting values of numerical types to Boolean, like x <= y, is recorded during each execution of the program. Given that information for an executed program path, we formally define the problem of finding an input such that the program's execution with that input evaluates all those expressions in the same order and with the same Boolean values as in the original execution path, except for the last one, which is evaluated to the opposite value. We then provide an algorithm that searches for a solution of the problem effectively. The effectiveness of the algorithm is demonstrated empirically via its evaluation on the TestComp 2024 benchmark suite.
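The coverage problem from the abstract, as an added toy model that is not code from the paper or from Fizzer: a constructed two-input program records each comparison as (ABE id, outcome, signed distance), the target is the seed trace with the last outcome inverted, and a simple finite-difference step on the last ABE's distance stands in for the paper's local-space search (assumed here only to illustrate the problem statement, not the authors' algorithm).

```python
from typing import Optional

Trace = list[tuple[str, bool, int]]  # (ABE id, Boolean outcome, signed distance)
Target = list[tuple[str, bool]]

def program(x: int, y: int, trace: Trace) -> None:
    """Constructed target program; every numeric comparison is a recorded ABE."""
    def abe(name: str, lhs: int, rhs: int) -> bool:
        trace.append((name, lhs <= rhs, lhs - rhs))  # distance to the lhs == rhs boundary
        return lhs <= rhs
    if abe("a1", x, 10):            # x <= 10
        if abe("a2", x + y, 7):     # x + y <= 7
            pass

def run(x: int, y: int) -> Trace:
    trace: Trace = []
    program(x, y, trace)
    return trace

def target_of(trace: Trace) -> Target:
    """Same ABE order and outcomes as the seed path, last outcome inverted."""
    *prefix, (name, out, _) = trace
    return [(n, o) for n, o, _ in prefix] + [(name, not out)]

def solves(trace: Trace, target: Target) -> bool:
    """Only the prefix up to and including the inverted ABE is constrained."""
    return [(n, o) for n, o, _ in trace[:len(target)]] == target

def search(x0: int, y0: int, steps: int = 100) -> Optional[tuple[int, int]]:
    """Crude stand-in for gradient search: move the input along the coordinate
    that changes the last ABE's signed distance most, toward flipping its sign."""
    seed = run(x0, y0)
    target, k = target_of(seed), len(seed) - 1
    want_positive = seed[k][1]      # outcome True means d <= 0, so we need d > 0
    x, y = x0, y0
    for _ in range(steps):
        trace = run(x, y)
        if solves(trace, target):
            return (x, y)
        if len(trace) <= k or [(n, o) for n, o, _ in trace[:k]] != target[:k]:
            return None             # path left the prefix; a fuzzer would resample
        d = trace[k][2]
        grad = []
        for dx, dy in ((1, 0), (0, 1)):   # finite differences per input coordinate
            t = run(x + dx, y + dy)
            grad.append(t[k][2] - d if len(t) > k else 0)
        i = max(range(2), key=lambda j: abs(grad[j]))
        if grad[i] == 0:
            return None             # no local influence on the distance
        step = (abs(d) + 1) * (1 if grad[i] > 0 else -1) * (1 if want_positive else -1)
        x, y = (x + step, y) if i == 0 else (x, y + step)
    return None
```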
