FrameShift: Learning to Resize Fuzzer Inputs Without Breaking Them

TL;DR

FrameShift is a lightweight technique that enhances coverage-guided fuzzers by preserving input structure during mutation, significantly improving their effectiveness across various programming languages and formats.

Contribution

It introduces a novel, fast method to detect and utilize relation fields, maintaining input integrity without extra instrumentation, boosting fuzzing performance.

Findings

FrameShift improves fuzzing coverage by over 50% in some cases.

The technique is effective across C/C++, Rust, and Python formats.

It requires no additional instrumentation beyond standard coverage feedback.

Abstract

Coverage-guided fuzzers are powerful automated bug-finding tools. They mutate program inputs, observe coverage, and save any input that hits an unexplored path for future mutation. Unfortunately, without knowledge of input formats--for example, the relationship between formats' data fields and sizes--fuzzers are prone to generate destructive frameshift mutations. These time-wasting mutations yield malformed inputs that are rejected by the target program. To avoid such breaking mutations, this paper proposes a novel, lightweight technique that preserves the structure of inputs during mutation by detecting and using relation fields. Our technique, FrameShift, is simple, fast, and does not require additional instrumentation beyond standard coverage feedback. We implement our technique in two state-of-the-art fuzzers, AFL++ and LibAFL, and perform a 12+ CPU-year fuzzer evaluation, finding that FrameShift improves the performance of the fuzzer in each configuration, sometimes increasing coverage by more than 50%. Furthermore, through a series of case studies, we show that our technique is versatile enough to find important structural relationships in a variety of formats, even generalizing beyond C/C++ targets to both Rust and Python.