Enhancing Fuzz Testing Efficiency through Automated Fuzz Target Generation
Chi Thien Tran

TL;DR
This paper presents an automated approach for generating fuzz targets in software testing by analyzing source code, aiming to improve coverage and reduce manual effort in fuzz testing large-scale projects.
Contribution
It introduces a static analysis-based method for automatic fuzz target generation, enhancing efficiency and coverage in fuzz testing of C/C++ libraries.
Findings
Effective fuzz target generation for C/C++ libraries
Improved fuzzing coverage and efficiency
Automated analysis reduces manual effort
Abstract
Fuzzing continues to be the most effective method for identifying security vulnerabilities in software. In the context of fuzz testing, the fuzzer supplies varied inputs to fuzz targets, which are designed to comprehensively exercise critical sections of the client code. Various studies have focused on optimizing and developing advanced fuzzers, such as AFL++, libFuzzer, Honggfuzz, syzkaller and ISP-Fuzzer, which have substantially enhanced vulnerability detection in widely used software and libraries. Nevertheless, achieving greater coverage necessitates improvements in both the quality and quantity of fuzz targets. In large-scale software projects and libraries -- characterized by numerous user-defined functions and data types -- manual creation of fuzz targets is both labor-intensive and time-consuming. This challenge underscores the need for automated techniques not only to generate…
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Engineering Research · Software Reliability and Analysis Research
