Fuzzing with Fast Failure Feedback
Rahul Gopinath, Bachir Bendrissou, Björn Mathis, Andreas Zeller

TL;DR
This paper introduces bFuzzer, a novel fuzzing approach that relies solely on failure feedback to efficiently explore program inputs without needing execution coverage information.
Contribution
The paper presents bFuzzer, a language-agnostic fuzzing method that uses failure feedback to guide input generation, eliminating the need for instrumentation or coverage data.
Findings
bFuzzer effectively finds valid inputs faster than traditional methods
It is language-agnostic and requires no program instrumentation
bFuzzer performs comparably to white-box fuzzers in experiments
Abstract
Fuzzing -- testing programs with random inputs -- has become the prime technique to detect bugs and vulnerabilities in programs. To generate inputs that cover new functionality, fuzzers require execution feedback from the program -- for instance, the coverage obtained by previous inputs, or the conditions that need to be resolved to cover new branches. If such execution feedback is not available, though, fuzzing can only rely on chance, which is ineffective. In this paper, we introduce a novel fuzzing technique that relies on failure feedback only -- that is, information on whether an input is valid or not, and if not, where the error occurred. Our bFuzzer tool enumerates byte after byte of the input space and tests the program until it finds valid prefixes, and continues exploration from these prefixes. Since no instrumentation or execution feedback is required, bFuzzer is language…
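The byte-after-byte enumeration from valid prefixes that the abstract describes, as an added example that is not the authors' bFuzzer code: a small constructed arithmetic grammar stands in for the program under test, and the fuzzer sees nothing but whether an input is valid and, if not, at which byte the parser gave up.

```python
# Added demo of bFuzzer-style failure-feedback enumeration (not the authors'
# code); the toy grammar, oracle and alphabet below are constructed here.
class ParseError(Exception):
    pass  # args[0] is the index of the byte the parser could not accept

def parse_expr(s, i):  # expr := term ('+' term)*
    i = parse_term(s, i)
    while i < len(s) and s[i] == '+':
        i = parse_term(s, i + 1)
    return i

def parse_term(s, i):  # term := digit+ | '(' expr ')'
    if i < len(s) and s[i] == '(':
        i = parse_expr(s, i + 1)
        if i >= len(s) or s[i] != ')':
            raise ParseError(i)
        return i + 1
    start = i
    while i < len(s) and s[i].isdigit():
        i += 1
    if i == start:
        raise ParseError(i)
    return i

def check(s):
    """The only feedback the fuzzer gets: ('valid', None) or ('error', pos)."""
    try:
        end = parse_expr(s, 0)
    except ParseError as e:
        return 'error', e.args[0]
    return ('valid', None) if end == len(s) else ('error', end)

ALPHABET = [chr(c) for c in range(32, 127)]  # printable ASCII keeps the demo small

def bfuzz(oracle, max_len, alphabet=ALPHABET):
    """Enumerate byte by byte; extend a prefix only if it is valid or its error
    position equals its length (every byte consumed, input merely incomplete).
    An earlier error position means the new byte was rejected, so it is pruned."""
    found, tests, frontier = [], 0, ['']
    while frontier:
        prefix = frontier.pop()
        if len(prefix) >= max_len:
            continue
        for ch in alphabet:
            candidate = prefix + ch
            status, pos = oracle(candidate)
            tests += 1
            if status == 'valid':
                found.append(candidate)
            if status == 'valid' or pos == len(candidate):
                frontier.append(candidate)  # good so far: extend it later
    return found, tests
```

With `max_len=3` the search runs the oracle 12,635 times and finds all 1,220 valid inputs, where blind enumeration of the same space would need 95 + 95² + 95³ = 866,495 runs.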
Taxonomy
Topics: Software Testing and Debugging Techniques · VLSI and Analog Circuit Testing · Advanced Malware Detection Techniques
