Recent Papers/Blogs/Tools Related to Fuzzing

The blog post contains classic fuzzing books, papers about fuzzing at information security top conferences over the years, commonly used fuzzing tools, and blogs that can quickly learn fuzzing tools.

1 Books

• The Fuzzing Book (2019)：This book is based on principles + code exercises, combined with practical exercises, to complete a fuzzing test framework from 0 to 1. If you want to write your own fuzzing framework, you can refer to this book.
• Fuzzing for Software Security Testing and Quality Assurance (2018)：This book introduces the idea of fuzzing into the software development life cycle. In fact, many efficient fuzzing tests are often considered in the development stage. The book discusses the development of fuzz tools, including not only some emerging open source tools, but also many commercial ones. How to choose the right fuzzer for software development projects is also one of the themes of this book.

2 Articles&Papers

This chapter contains top-level information security and classic papers in some journals. We just want to select some of them with relatively high technical value or relatively novel articles to facilitate subsequent learning.

Others

• The Art, Science, and Engineering of Fuzzing: A Survey (2019)
• Fuzzing: a survey (2018)
• Evaluating Fuzz Testing, 2018
• Fuzzing: Art, Science, and Engineering, 2018
• Fuzzing: State of the art, 2018
• Source-and-Fuzzing (2019)
• CoLaFUZE: Coverage-Guided and Layout-Aware Fuzzing for Android Drivers (2021)
• Better Pay Attention Whilst Fuzzing (2022)
• Effective File Format Fuzzing – Thoughts, Techniques and Results

NDSS

• Assessing the Impact of Interface Vulnerabilities in Compartmentalized Software, 2023
• FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities, 2023
• No Grammar, No Problem: Towards Fuzzing the Linux Kernel without System-Call Descriptions, 2023
• DARWIN: Survival of the Fittest Fuzzing Mutators, 2023
• LOKI: State-Aware Fuzzing Framework for the Implementation of Blockchain Consensus Protocols, 2023
• OBSan: An Out-Of-Bound Sanitizer to Harden DNN Executables, 2023
• MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing (2022)
• FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware (2022)
• EMS: History-Driven Mutation for Coverage-based Fuzzing (2022)
• Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection (2022)
• datAFLow: Towards a Data-Flow-Guided Fuzzer (2022)
• Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases (2021)
• WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021
• PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles (2021)
• Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing (2021)
• HFL: Hybrid Fuzzing on the Linux Kernel (2020)
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing (2020)
• Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization (2020)
• PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary (2019)
• INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing (2018)
• What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
• Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing (2018)
• DELTA: A Security Assessment Framework for Software-Defined Networks (2017)

USENIX Security

• Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge, 2023
• DynSQL: Stateful Fuzzing for Database Management Systems with Complex and Valid SQL Query Generation, 2023
• FuzzJIT: Oracle-Enhanced Fuzzing for JavaScript Engine JIT Compiler, 2023
• GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation, 2023
• Automata-Guided Control-Flow-Sensitive Fuzz Driver Generation, 2023
• PolyFuzz: Holistic Greybox Fuzzing of Multi-Language Systems, 2023
• AIFORE: Smart Fuzzing Based on Automatic Input Format Reverse Engineering, 2023
• Remote Code Execution from SSTI in the Sandbox: Automatically Detecting and Exploiting Template Escape Bugs, 2023
• MTSan: A Feasible and Practical Memory Sanitizer for Fuzzing COTS Binaries, 2023
• MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation, 2023
• MINER: A Hybrid Data-Driven Approach for REST API Fuzzing, 2023
• KextFuzz: Fuzzing macOS Kernel EXTensions on Apple Silicon via Exploiting Mitigations, 2023
• Intender: Fuzzing Intent-Based Networking with Intent-State Transition Guidance, 2023
• DDRace: Finding Concurrency UAF Vulnerabilities in Linux Drivers with Directed Fuzzing, 2023
• CarpetFuzz: Automatic Program Option Constraint Extraction from Documentation for Fuzzing, 2023
• BoKASAN: Binary-only Kernel Address Sanitizer for Effective Kernel Fuzzing, 2023
• Bleem: Packet Sequence Oriented Fuzzing for Protocol Implementations, 2023
• autofz: Automated Fuzzer Composition at Runtime, 2023
• MundoFuzz: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference, 2022
• TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities, 2022
• Morphuzz: Bending (Input) Space to Fuzz Virtual Devices, 2022
• Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing, 2022
• FuzzOrigin: Detecting UXSS vulnerabilities in Browsers through Origin Fuzzing, 2022
• Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds, 2022
• Fuzzing Hardware Like Software, 2022
• BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing, 2022
• AmpFuzz: Fuzzing for Amplification DDoS Vulnerabilities, 2022
• SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing, 2022
• FRAMESHIFTER: Manipulating HTTP/2 Frame Sequences with Fuzzing, 2022
• FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing, 2022
• StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing, 2022
• SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs inLinux kernel, 2022
• Automatic Firmware Emulation through Invalidity-guided Knowledge Inference, 2021
• Constraint-guided Directed Greybox Fuzzing, 2021
• UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers, 2021
• Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types, 2021
• Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing, 2021
• The Use of Likely Invariants as Feedback for Fuzzers, 2021
• Analysis of DTLS Implementations Using Protocol State Fuzzing
• EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit (2020)
• FANS: Fuzzing Android Native System Services via Automated Interface Analysis (2020)
• Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection (2020)
• FuzzGen: Automatic Fuzzer Generation, 2020
• GREYONE: Data Flow Sensitive Fuzzing, 2020
• Fuzzification: Anti-Fuzzing Techniques, 2019
• AntiFuzz: Impeding Fuzzing Audits of Binary Executables, 2019
• MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation, 2018
• QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing, 2018
• OSS-Fuzz - Google’s continuous fuzzing service for open source software, 2017
• kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels, 2017

IEEE S&P

• AFGen: Whole-Function Fuzzing for Applications and Libraries, 2024
• Chronos: Finding Timeout Bugs in Practical Distributed Systems by Deep-Priority Fuzzing with Transient Delay, 2024
• DY Fuzzing: Formal Dolev-Yao Models Meet Cryptographic Protocol Fuzz Testing, 2024
• LABRADOR: Response Guided Directed Fuzzing for Black-box IoT Devices, 2024
• Predecessor-aware Directed Greybox Fuzzing, 2024
• SATURN: Host-Gadget Synergistic USB Driver Fuzzing, 2024
• SoK: Prudent Evaluation Practices for Fuzzing, 2024
• SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices, 2024
• Titan: Efficient Multi-target Directed Greybox Fuzzing, 2024
• To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux’ Wireless Stacks through VirtIO Devices, 2024
• DEVFUZZ: Automatic Device Model-Guided Device Driver Fuzzing, 2023
• ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing, 2023
• Finding Specification Blind Spots via Fuzz Testing, 2023
• RSFuzzer: Discovering Deep SMI Handler Vulnerabilities in UEFI Firmware with Hybrid Fuzzing, 2023
• SegFuzz: Segmentizing Thread Interleaving to Discover Kernel Concurrency Bugs through Fuzzing, 2023
• SelectFuzz: Efficient Directed Fuzzing with Selective Path Exploration, 2023
• TEEzz: Fuzzing Trusted Applications on COTS Android Devices, 2023
• UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests, 2023
• VIDEZZO: Dependency-aware Virtual Device Fuzzing, 2023
• Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities, 2023
• JIGSAW: Efficient and Scalable Path Constraints Fuzzing, 2022
• PATA: Fuzzing with Path Aware Taint Analysis, 2022
• FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks, 2022
• Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis, 2022,
• BEACON: Directed Grey-Box Fuzzing with Provable Path Pruning, 2022
• DiFuzzRTL: Differential Fuzz Testing to Find CPU Bugs, 2021
• StochFuzz: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting, 2021
• NtFuzz: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, 2021
• Diane: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices, 2021
• One Engine to Fuzz ‘em All: Generic Language Processor Testing with Semantic Validation, 2021
• IJON: Exploring Deep State Spaces via Fuzzing, 2020
• Krace: Data Race Fuzzing for Kernel File Systems, 2020
• Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction, 2020
• RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization, 2020
• Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing, 2019
• Fuzzing File Systems via Two-Dimensional Input Space Exploration, 2019
• NEUZZ: Efficient Fuzzing with Neural Program Smoothing, 2019
• Razzer: Finding Kernel Race Bugs through Fuzzing, 2019
• Angora: Efficient Fuzzing by Principled Search, 2018
• CollAFL: Path Sensitive Fuzzing, 2018
• T-Fuzz: fuzzing by program transformation, 2018
• Skyfire: Data-Driven Seed Generation for Fuzzing, 2017

ACM CCS

• DSFuzz: Detecting Deep State Bugs with Dependent State Exploration, 2023
• Fuzz on the Beach: Fuzzing Solana Smart Contracts, 2023
• Greybox Fuzzing of Distributed Systems, 2023
• HOPPER: Interpretative Fuzzing for Libraries, 2023
• Profile-guided System Optimizations for Accelerated Greybox Fuzzing, 2023
• NestFuzz: Enhancing Fuzzing with Comprehensive Understanding of Input Processing Logic, 2023
• SyzDirect: Directed Greybox Fuzzing for Linux Kernel, 2023
• PyRTFuzz: Detecting Bugs in Python Runtimes via Two-Level Collaborative Fuzzing, 2023
• Poster: Combining Fuzzing with Concolic Execution for IoT Firmware Testing, 2023
• SFuzz: Slice-based Fuzzing for Real-Time Operating Systems, 2022
• LibAFL: A Framework to Build Modular and Reusable Fuzzers, 2022
• JIT-Picking: Differential Fuzzing of JavaScript Engines, 2022
• MC2: Rigorous and Efficient Directed Greybox Fuzzing, 2022
• Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021
• WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021
• PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021
• Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021
• DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017
• Learning to Fuzz from Symbolic Execution with Application to Smart Contracts, 2019
• Matryoshka: fuzzing deeply nested branches, 2019
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer, 2018
• IMF: Inferred Model-based Fuzzer, 2017
• SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits, 2017
• Directed Greybox Fuzzing, 2017
• SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities, 2017
• DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017

3 Tools

Common and practical tools are included here, most of which have been practiced by the author and have a certain degree of universality. There are also some excellent tools that have not been maintained and updated for a long time and have very limited applicable scenarios, which are not included.

Mutator

• Radamsa: Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestringly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable and, easy to get up and running.
• zzuf: zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program’s input. zzuf’s behaviour is deterministic, making it easy to reproduce bugs.

Binary

• afl-unicorn: Fuzzing The ‘Unfuzzable’ : afl-unicorn lets you fuzz any piece of binary that can be emulated by Unicorn Engine.
• Intriguer: Intriguer is a concolic execution engine for hybrid fuzzing. The key idea of Intriguer is a field-level constraint solving, which optimizes symbolic execution with field-level information.
• Unicorefuzz: Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19.
• libFuzzer: LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.
• Honggfuzz: A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See the Usage document for a primer on Honggfuzz use.
• syzkaller: syzkaller is an unsupervised coverage-guided kernel fuzzer.
• frida-fuzzer: This experimetal fuzzer is meant to be used for API in-memory fuzzing.
• winafl: A fork of AFL for fuzzing Windows binaries
• trinity: Linux system call fuzzer.
• NtCall64: Windows NT x64 syscall fuzzer .
• kDriver-Fuzzer: A kernel driver fuzzer, based on ioctlbf.
• FuzzBALL: Vine-based Binary Symbolic Execution.

API/Protocol

• Sulley/Boofuzz: A fork and successor of the Sulley Fuzzing Framework
• fuzzowski: The Network Protocol Fuzzer that we will want to use.
• Peach: Peach is a fuzzing framework which uses a DSL for building fuzzers and an observer based architecture to execute and monitor them.
• Defensics: Defensics is a comprehensive, versatile, automated black box fuzzer that enables organizations to efficiently and effectively discover and remediate security weaknesses in software.
• bsSTORM: Black box Fuzz Testing is a requirement of the Verification phase of the SDL, the industry-leading software security assurance process that was created by Microsoft and proven effective since 2004.
• API-fuzzer: API Fuzzer which allows to fuzz request attributes using common pentesting techniques and lists vulnerabilities
• domato: A DOM fuzzer: Written and maintained by Ivan Fratric, ifratric@google.com

Firmware

• Forming Faster Firmware Fuzzers, 2023
• FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules, 2023
• Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing, 2022
• Automatic Firmware Emulation through Invalidity-guided Knowledge Inference, 2021
• IOTFUZZER: Discovering Memory Corruptions in IoT Through App-based Fuzzing
• FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
• FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution