Generator-Based Fuzzers with Type-Based Targeted Mutation
Soha Hussein, Stephen McCamant, Mike Whalen

TL;DR
This paper introduces a type-based mutation heuristic for generator-based fuzzers in Java that exploits input-structure information to improve code coverage, demonstrated by a 20% coverage increase on AWS Lambda applications.
Contribution
The paper presents a novel type-based mutation approach tailored for generator-based fuzzers, enhancing their ability to reach specific code targets by exploiting input type information.
Findings
20% average improvement in application coverage
Larger coverage gains with third-party code included
Effective targeting of input sub-parts influencing branch decisions
Abstract
As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques were particularly crafted for GBF where input generators are used to construct program inputs. The observation is that input generators carry information about the input structure that is naturally present through the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-part (types) of the input will likely influence the branching decision, then focusing on mutating the choices of the generators constructing these types is…
