RULF: Rust Library Fuzzing via API Dependency Graph Traversal

TL;DR

This paper introduces RULF, an automated method for generating fuzz targets for Rust libraries by traversing API dependency graphs, significantly improving coverage and bug detection without manual target design.

Contribution

It presents a novel automated fuzz target generation approach for Rust libraries using API dependency graph traversal, enhancing efficiency and coverage over manual methods.

Findings

Generated 7 to 118 fuzz targets per library

Achieved API coverage up to 0.92

Discovered 30 previously unknown bugs

Abstract

Robustness is a key concern for Rust library development because Rust promises no risks of undefined behaviors if developers use safe APIs only. Fuzzing is a practical approach for examining the robustness of programs. However, existing fuzzing tools are not directly applicable to library APIs due to the absence of fuzz targets. It mainly relies on human efforts to design fuzz targets case by case which is labor-intensive. To address this problem, this paper proposes a novel automated fuzz target generation approach for fuzzing Rust libraries via API dependency graph traversal. We identify several essential requirements for library fuzzing, including validity and effectiveness of fuzz targets, high API coverage, and efficiency. To meet these requirements, we first employ breadth-first search with pruning to find API sequences under a length threshold, then we backward search longer sequences for uncovered APIs, and finally we optimize the sequence set as a set covering problem. We implement our fuzz target generator and conduct fuzzing experiments with AFL++ on several real-world popular Rust projects. Our tool finally generates 7 to 118 fuzz targets for each library with API coverage up to 0.92. We exercise each target with a threshold of 24 hours and find 30 previously-unknown bugs from seven libraries.