ZTaint-Havoc: From Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference
Yuchong Xie, Wenhui Zhang, Dongdong She

TL;DR
ZTaint-Havoc introduces a lightweight fuzzing-driven taint inference method that needs no extra program executions, improving vulnerability discovery by efficiently identifying hot bytes during fuzzing.
Contribution
It adapts havoc mutation for taint inference, enabling minimal-overhead, black-box hot byte detection integrated into fuzzing processes.
Findings
Achieves up to 33.71% edge coverage improvement on FuzzBench.
Maintains low overhead of 3.84% to 12.58%.
Enhances fuzzing effectiveness with average coverage gains of 2.97% and 6.12%.
Abstract
Fuzzing is a widely used technique for discovering software vulnerabilities, but identifying hot bytes that influence program behavior remains challenging. Traditional taint analysis can track such bytes in a white-box manner, but suffers from scalability issues. Fuzzing-Driven Taint Inference (FTI) offers a black-box alternative, yet typically incurs significant runtime overhead due to extra program executions. We observe that the commonly used havoc mutation scheme in fuzzing can be adapted for lightweight FTI with zero extra executions. We present a computational model of havoc mode, demonstrating that it can perform FTI while generating new test cases. Building on this, we propose ZTaint-Havoc, a novel, efficient FTI with minimal overhead (3.84% on UniBench, 12.58% on FuzzBench). We further design an effective mutation algorithm utilizing the identified hot bytes. Our comprehensive evaluation…
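The abstract's central observation is that a havoc stage already executes every mutated input, so the only extra work needed to infer which bytes are hot is bookkeeping: remember which offsets a mutation touched and whether the execution's feedback changed. The following sketch is an added illustration of that idea, not code from the paper or its authors, and it does not reproduce the paper's computational model. The target program, its edge-style coverage feedback, the 16-byte input layout, the three mutation operators and the hit-ratio scoring rule are all constructed here as assumptions.

```python
"""Illustrative sketch (not the paper's code): infer "hot" input bytes from the
feedback of havoc-style mutations that a fuzzer executes anyway."""
import random

# Constructed seed: a 4-byte magic tag, padding, a version byte at offset 8, padding.
SEED_INPUT = b"FUZZ" + b"\x00" * 4 + b"\x90" + b"\x00" * 7


def target(data: bytes) -> frozenset:
    """Constructed stand-in for the program under test.

    Returns a set of hypothetical edge ids as coverage feedback. Only bytes
    0-3 (the magic tag) and byte 8 (the version byte) influence control flow;
    every other byte is dead from the program's point of view.
    """
    edges = {0}
    if data[:4] == b"FUZZ":
        edges.add(1)
        if len(data) > 8 and data[8] == 0x90:
            edges.add(2)
    return frozenset(edges)


def havoc(data: bytes, rng: random.Random, stack: int = 3):
    """Apply `stack` random byte-level mutations (a simplified havoc stage).

    Besides the mutated input, return the set of offsets that were touched.
    Recording these offsets is the only extra work the inference requires.
    """
    buf = bytearray(data)
    touched = set()
    for _ in range(stack):
        pos = rng.randrange(len(buf))
        op = rng.randrange(3)
        if op == 0:                      # flip one bit
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == 1:                    # overwrite with a random byte
            buf[pos] = rng.randrange(256)
        else:                            # arithmetic +/-1 (wrapping)
            buf[pos] = (buf[pos] + rng.choice((-1, 1))) & 0xFF
        touched.add(pos)
    return bytes(buf), touched


def infer_hot_scores(seed: bytes, rounds: int, rng_seed: int = 1):
    """Score each offset by how often touching it changed the feedback.

    Every round is one havoc mutation plus the single execution a fuzzer would
    perform anyway; no additional executions are spent on the inference.
    """
    rng = random.Random(rng_seed)
    baseline = target(seed)
    hits = [0] * len(seed)
    touches = [0] * len(seed)
    for _ in range(rounds):
        mutated, touched = havoc(seed, rng)
        changed = target(mutated) != baseline
        for pos in touched:
            touches[pos] += 1
            if changed:
                hits[pos] += 1
    return [h / t if t else 0.0 for h, t in zip(hits, touches)]


def hot_bytes(scores, threshold: float = 0.9):
    """Offsets whose mutations (almost) always changed program behaviour."""
    return {i for i, s in enumerate(scores) if s >= threshold}


def mutate_hot(data: bytes, hot, rng: random.Random) -> bytes:
    """Hot-byte-focused mutation: spend the mutation budget only on inferred hot bytes."""
    buf = bytearray(data)
    for pos in hot:
        buf[pos] = rng.randrange(256)
    return bytes(buf)


if __name__ == "__main__":
    scores = infer_hot_scores(SEED_INPUT, rounds=2000)
    for i, s in enumerate(scores):
        print(f"byte {i:2d}: {s:.2f}")
    print("hot bytes:", sorted(hot_bytes(scores)))
```

Because havoc stacks several mutations per execution, a behaviour change cannot be pinned on one offset; a dead byte that happens to be co-mutated with a hot byte also gets credit. That is why the sketch scores a ratio (changes observed / times touched) over many rounds rather than a single hit: dead bytes settle around the chance of being paired with a hot byte, while truly hot bytes approach 1.0, and a threshold separates the two.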
Taxonomy
Topics: Software Testing and Debugging Techniques · Security and Verification in Computing · Advanced Malware Detection Techniques
