Ejuc/fuzzing-tutorial

Recent Papers/Blogs/Tools Related to Fuzzing

Curated list of classic fuzzing books, papers about fuzzing at top information security conferences over the years, commonly used fuzzing tools, and resources that can help us use fuzzers easily.

This project includes classic fuzzing books, classic papers about fuzzing at top information security conferences over the years, commonly used fuzzing tools, and resources that can help us use fuzzers easily.


The

Table of Contents

1 Books

  • The Fuzzing Book (2019): This book builds a fuzzing framework from 0 to 1 through principles plus code exercises, combined with practical exercises. If you want to write your own testing framework, you can refer to this book.
  • [Fuzzing for Software Security Testing and Quality Assurance](https://www.amazon.com/Fuzzing-Software-Security-Testing-Assurance/dp/1608078507/) (2018): This book introduces the idea of fuzz testing into the software development lifecycle; in fact, many efficient fuzzing campaigns are planned during the development phase. The book explores the development of fuzzing tools, covering not only emerging open source tools but also many commercial fuzzers. How to choose the right fuzzer for a software development project is also a topic of this book.

2 Articles&Papers

This chapter contains classic papers from the top security conferences and some journals. It is not our goal to be comprehensive; we only want to select articles with high technical value or novelty to facilitate subsequent learning.

Others

  • [The Art, Science, and Engineering of Fuzzing: A Survey](https://ieeexplore.ieee.org/document/8863940) (2019): a generic fuzzing model proposed by scholars at the Korea Institute of Science and Technology. Building on an introduction to fuzzing techniques, it contains a comparison of 60+ fuzzing tools; refer to that table if you want to know more about fuzzing tools.
  • Fuzzing: a survey (2018): a survey of fuzzing techniques published in [Cybersecurity](https://cybersecurity.springeropen.com/) by institutions affiliated with Tsinghua University. Although some descriptions in the paper are questionable, it gives an overview of the history, principles, and classification of fuzzing techniques.
  • Evaluating Fuzz Testing, 2018: a paper at CCS 2018 by scholars at the University of Maryland, USA. It summarizes the development of fuzzing in recent years and analyzes the fuzzing papers presented at top security conferences. It is a good survey, covering the complete lifecycle of fuzzing.
  • Fuzzing: Art, Science, and Engineering, 2018: a very detailed survey that includes a comparison of the various tools and also covers the various stages of fuzzing.
  • Fuzzing: State of the art, 2018: a publication in [IEEE Transactions on Reliability](https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=24). It gives a rough understanding of the idea of fuzzing, but the analysis is not deep compared with the two articles above.
  • Source-and-Fuzzing (2019): experience with reading source code and fuzzing, covering black-box and white-box testing. The series of articles on fuzzing analysis is quite in-depth and worth a look.
  • Effective File Format Fuzzing - Thoughts, Techniques and Results (Blackhat Europe 2015): The authors share the fuzzing methodology they have applied over the years to a number of open source and commercial programs, including Adobe Reader, Wireshark, Hex-Rays IDA Pro, and others.
  • [CoLaFUZE: Coverage Guided and Layout-Aware Fuzzing for Android Drivers](https://www.jstage.jst.go.jp/article/transinf/E104.D/11/E104.D_2021NGP0005/_pdf) (2021): Tianshi Mu et al. of Southern Power Grid Digital Grid Research Institute Ltd introduce CoLaFUZE, a coverage-guided and layout-aware fuzzing tool for automatically generating valid inputs and exploring driver code, for fuzzing Android drivers.
  • Better Pay Attention Whilst Fuzzing (2022): Shunkai Zhu et al. of Zhejiang University propose ATTuzz to address two limitations of existing fuzzing tools, the lack of comprehensive analysis and the lack of effective mutation strategies. Coverage is improved with deep learning.

NDSS

2022

  • [Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators](https://www.ndss-symposium.org/ndss-paper/auto-draft) (2022): Wenjia Zhao et al. of Xi'an Jiaotong University propose DR.FUZZ, a device-free driver fuzzing system that requires neither the hardware devices nor emulators to fuzz a driver. DR.FUZZ uses a semantic-informed mechanism to efficiently generate inputs that correctly construct the relevant data structures and pass the "validation chain" during driver initialization, thus enabling subsequent device-free driver fuzzing.
  • MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing (2022): National University of Defense Technology proposes a gray-box fuzzer for multi-objective optimization (MOO), called MobFuzz.
  • FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware (2022): FirmWire, a tool developed by the University of Florida, USA, is a full-system baseband firmware analysis platform supporting Samsung and MediaTek. It supports fuzzing, emulation and debugging of baseband firmware images.
  • EMS: History-Driven Mutation for Coverage based Fuzzing (2022): Chenyang Lu of Zhejiang University proposes a novel mutation scheme. By analyzing historical test cases, the authors find that some already-tried mutations may still trigger new unique paths. They propose a lightweight and efficient Probabilistic Byte Orientation Model (PBOM), and on top of it a new history-driven mutation framework, EMS, with which several new CVEs were discovered.
  • [Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection](https://www.ndss-symposium.org/ndss-paper/auto-draft-198/) (2022): A team at Tsinghua University developed a novel concurrency fuzzing framework called CONZZER to efficiently explore thread interleavings and detect hard-to-find data races.
  • datAFLow: Towards a Data-Flow-Guided Fuzzer (2022): DATAFLOW, developed by Australian National University, is a grey-box fuzzer driven by lightweight data-flow analysis.

2021

  • [Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021](https://www.ndss-symposium.org/ndss-paper/favocado-fuzzing-the-binding-code-of-javascript-engines-using-semantically-correct-test-cases/): Arizona State University students and faculty present Favocado, a tool for fuzzing the binding layer code of JS engines. The authors found 61 new bugs when fuzzing 4 different JavaScript runtime systems, 33 of which are security vulnerabilities and 13 of which have been assigned CVEs.
  • [WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021](https://www.ndss-symposium.org/ndss-paper/winnie-fuzzing-windows-applications-with-harness-synthesis-and-fast-cloning/): Fuzzing Windows applications using harness synthesis and fast cloning. Georgia Tech authors built an end-to-end system, WINNIE, with two components: a generator that automatically synthesizes harnesses from binaries, and an efficient Windows forkserver. Comparison tool: WinAFL.
  • [PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021](https://www.ndss-symposium.org/ndss-paper/pgfuzz-policy-guided-fuzzing-for-robotic-vehicles/): PGFUZZ, a fuzzing tool for robotic vehicles (RVs) designed by Hyungsub Kim et al. at Purdue University; its application scenarios are more limited.
  • [Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021](https://www.ndss-symposium.org/ndss-paper/reinforcement-learning-based-hierarchical-seed-scheduling-for-greybox-fuzzing/): a Chinese team at the University of California, Riverside retains more valuable seeds by introducing multi-level coverage and designing a reinforcement learning-based hierarchical scheduler. That is, a more fine-grained measure of code coverage and a more rational seed scheduling strategy.

2020

  • HFL: Hybrid Fuzzing on the Linux Kernel (2020): Oregon State University, USA proposed a new hybrid fuzzing tool. According to the authors, HFL's code coverage is 15% and 26% higher than Moonshine and Syzkaller respectively, and it found 20+ kernel vulnerabilities. The tool does not seem to be open source.
  • [HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing](https://www.researchgate.net/publication/339164746_HotFuzz_Discovering_Algorithmic_Denial-of-Service_Vulnerabilities_Through_Guided_Micro-Fuzzing) (2020): HotFuzz, a framework for automated discovery of AC (Algorithmic Complexity) vulnerabilities in Java libraries, developed by Boston University, USA.
  • [Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24422.pdf) (2020): TortoiseFuzz, developed by the Institute of Software of the Chinese Academy of Sciences, designs a new input prioritization scheme and found 20+ 0-day vulnerabilities.
  • [PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary](https://people.cs.kuleuven.be/~stijn.volckaert/papers/2019_NDSS_PeriScope.pdf) (2019): PeriScope, a fuzzing tool developed by the University of California, focuses on the kernel-hardware boundary. The tool does not seem to be open source.
  • [INSTRIM: Lightweight Instrumentation for Coverage Guided Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf) (2018): National Taiwan University; academic research that explores lightweight instrumentation methods for coverage-guided fuzzing.
  • IOTFUZZER: Discovering Memory Corruptions in IoT Through App-based Fuzzing (2018): see the firmware chapter.
  • What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices: a study of the challenges of fuzzing embedded firmware. The paper designs six different heuristics based on Avatar and PANDA to improve the efficiency of fuzzing embedded systems.
  • Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing (2018): Research on memory error detection algorithms by the Korea Institute of Science and Technology.
  • [DELTA: A Security Assessment Framework for Software-Defined Networks](https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss201702A-1LeePaper.pdf) (2017): a security assessment framework for SDN, designed by the Korea Institute of Science and Technology.

USENIX Security

2022

  • [MundoFuzz: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/myung) - MundoFuzz, a fuzzing tool for hypervisors, from Cheolwoo Myung et al. of Seoul National University, Korea.
  • [TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities, 2022](https://arxiv.org/abs/2201.09941) - A novel hardware instruction fuzzing tool, TheHuzz, from Texas A&M University, USA.
  • Morphuzz: Bending (Input) Space to Fuzz Virtual Devices, 2022 - MORPHUZZ is the first method to automatically trigger the complex I/O behavior of real-world virtual devices in modern clouds, from Boston University, USA.
  • [Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/scharnowski) - Improving the efficiency of firmware fuzzing with precise MMIO modeling, from Ruhr University Bochum. A tool for fuzzing ARM Cortex-M MCU firmware that emulates the firmware with Unicorn Engine and uses MMIO registers as the fuzzing entry point; it is open source as Fuzzware.
  • FuzzOrigin: Detecting UXSS vulnerabilities in Browsers through Origin Fuzzing, 2022 - Detecting UXSS vulnerabilities in browsers through origin fuzzing, from Samsung Research; FuzzOrigin has been open sourced.
  • Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds, 2022 - A hardware-free hybrid fuzzing tool for WiFi and Ethernet drivers from New York University; Drifuzz has been open sourced.
  • Fuzzing Hardware Like Software, 2022 - Fuzzing hardware like software, from Timothy Trippel, University of Michigan, on how to convert RTL hardware designs into software models and automatically generate test cases for hardware verification using coverage-guided software fuzzers such as AFL; open sourced as hw-fuzzing.
  • [BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/garbelini) - Security researchers from the Singapore University of Technology and Design discovered a new family of Bluetooth chip security vulnerabilities, "BrakTooth", affecting 13 Bluetooth chipsets from 11 vendors including Intel, Qualcomm and Texas Instruments. The PoC has been open sourced as [braktooth_esp32_bluetooth_classic_attacks](https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks); the same team implemented another BLE fuzzing tool, SweynTooth, two years ago.
  • AmpFuzz: Fuzzing for Amplification DDoS Vulnerabilities, 2022 - Fuzzing for traffic amplification (DDoS) vulnerabilities, from the CISPA Helmholtz Center for Information Security; AmpFuzz has been open sourced.
  • [SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/cloosters) - A fuzzing scheme for Intel SGX from the University of Duisburg-Essen; open sourced as sgxfuzz.
  • FRAMESHIFTER: Manipulating HTTP/2 Frame Sequences with Fuzzing, 2022 - Develops a novel grammar-based fuzzer specifically for HTTP/2, and finds security risks in anomalous HTTP/2 to HTTP/1 conversions, from Northeastern University, USA; open sourced as frameshifter.
  • [FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/zhang-zenong) - A more theoretical improvement of the fuzzing methodology; we have not looked at the details for now. From Zenong Zhang of The University of Texas at Dallas.
  • [StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/zhao-bodong) - Also an improvement of the fuzzing method. Code coverage-guided fuzzing has limitations when testing programs with complex state (e.g., network protocols, kernel drivers): the fuzzer lacks guidance for traversing program states. The authors therefore argue that state-sensitive fuzzing is needed for these programs. From the Institute for Network Science and Cyberspace, Tsinghua University; StateFuzz is soon to be open sourced.
  • [SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel, 2022](https://www.usenix.org/system/files/sec22summer_zou.pdf) - Xiaochen Zou et al. of the University of California, Riverside developed SyzScope to evaluate the impact level of kernel bugs.

2021

  • Constraint-guided Directed Greybox Fuzzing, 2021: Constraint-guided Directed Greybox Fuzzing (DGF), satisfying a set of constraints instead of just reaching a goal point, defining the constraints as a combination of goal points and data conditions, and driving the seeds to satisfy the constraints in a specified order, from Seoul National University, Korea.
  • UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers, 2021: Zhejiang University proposes a metrics-driven fuzzer evaluation platform. They designed and developed UNIFUZZ, an open source, metrics-driven platform for evaluating fuzzers in a comprehensive and quantitative manner. Specifically, UNIFUZZ has so far integrated 35 available fuzzers, 20 benchmarks of real-world programs, and six categories of performance metrics. No open source address for the tool was found.
  • [Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types, 2021](https://www.usenix.org/conference/usenixsecurity21/presentation/schumilo): Ruhr-University Bochum, Germany, designed and implemented RUB-SysSec/Nyx for cloud hypervisor fuzzing; it is a highly optimized, coverage-guided hypervisor fuzzer.
  • [Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing, 2021](https://www.usenix.org/conference/usenixsecurity21/presentation/nagy): Stefan Nagy et al. of Virginia Tech investigate compiler-quality instrumentation for binary-only fuzzing and implement ZAFL, a tool for porting compiler-based fuzzing instrumentation to binaries.
  • The Use of Likely Invariants as Feedback for Fuzzers, 2021: EURECOM, France proposes a new feedback mechanism to increase code coverage by considering the relationships between program variables and constants. The technique is implemented in a prototype named eurecom-s3/invscov, based on LLVM and AFL++.

2020

  • [Analysis of DTLS Implementations Using Protocol State Fuzzing](https://www.usenix.org/conference/usenixsecurity20/presentation/fiterau-brostean) (2020): Uppsala University, Sweden. The first comprehensive analysis of DTLS implementations; the proposed TLS-Attacker is an open source framework for analyzing TLS implementations.
  • [EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit](https://www.usenix.org/conference/usenixsecurity20/presentation/yue) (2020): EcoFuzz is an AFL-based adaptive energy-saving greybox fuzzer developed by faculty and students of the National University of Defense Technology. On top of AFL, a unique adaptive scheduling algorithm and a probability-based search strategy are developed; according to the results, EcoFuzz uses 32% fewer test cases than AFL while achieving 214% of AFL's path coverage.
  • [FANS: Fuzzing Android Native System Services via Automated Interface Analysis](https://www.usenix.org/conference/usenixsecurity20/presentation/liu) (2020): Chao Zhang's team at Tsinghua University, in collaboration with 360, proposed FANS, an automatically generated fuzzing solution for finding vulnerabilities in Android native system services. The native service fuzzing tool fans, developed by [Liu (iromise)](http://netsec.ccert.edu.cn/people/iromise/), is open source; based on the source code, it can automatically infer the interfaces and input parameters of native services for fuzzing. The limitation of the tool is that it needs an AOSP build environment.
  • Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection (2020): Zuming Jiang and Jiaju Bai of Tsinghua University propose a new fuzzing framework called FIFUZZ to test error handling code. The core of FIFUZZ is a context-sensitive software fault injection (SFI) method, which can effectively cover error handling code in different calling contexts and find hidden bugs in error handling code with complex contexts.
  • FuzzGen: Automatic Fuzzer Generation, 2020: Kyriakos Ispoglou et al. propose a tool for analyzing library interfaces. It automatically synthesizes fuzzers for complex libraries in a given environment. FuzzGen uses whole-system analysis to infer the interface of a library and synthesizes fuzzers specifically for that library. FuzzGen requires no human intervention and can be applied to a variety of libraries. In addition, the generated fuzzers leverage LibFuzzer to achieve better code coverage and expose bugs deep within the library.
  • GREYONE: Data Flow Sensitive Fuzzing, 2020: another data-flow-sensitive fuzzing solution, GREYONE. The idea is interesting, but since it is not open source it is harder to apply in practice.
  • SweynTooth: Unleashing Mayhem over Bluetooth Low Energy, 2020 - Security researchers from the Singapore University of Technology and Design used a Nordic nRF52840 to implement a low-cost BLE full-stack fuzzing tool. The PoC is open source: [sweyntooth_bluetooth_low_energy_attacks](https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks).

2019

  • Fuzzification: Anti-Fuzzing Techniques, 2019: Georgia Institute of Technology scholars propose a means of combating fuzzing, primarily to prevent attackers from fuzzing a vendor's own products. This perspective is relatively new and worth a look.
  • AntiFuzz: Impeding Fuzzing Audits of Binary Executables, 2019: Also a solution for combating fuzzing, except it introduces a different technique to protect binary executables from fuzzing.
  • [MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation, 2018](https://www.usenix.org/conference/usenixsecurity18/presentation/pailoor): MoonShine, a novel strategy for extracting fuzzing seeds from the system call traces of real programs, developed by a team at Columbia University. As an extension to Syzkaller, MoonShine was able to improve Syzkaller's Linux kernel code coverage by an average of 13%.
  • [QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing, 2018](https://www.usenix.org/conference/usenixsecurity18/presentation/yun): Georgia Institute of Technology scholars designed a fast concolic execution engine called QSYM that supports hybrid fuzzing.
  • [OSS-Fuzz - Google's continuous fuzzing service for open source software, 2017](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/serebryany): Google's OSS-Fuzz framework, nothing to write home about, mainly a framework that helps developers introduce fuzzing in the development phase, integrating multiple fuzzing tools.
  • [kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels, 2017](https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/schumilo): for kernel fuzzing, crashes often lead to system reboots, and any single error in the kernel can have far-reaching consequences. Sergej Schumilo et al. of Ruhr-University Bochum solve the coverage-guided kernel fuzzing problem in an operating-system-independent and hardware-assisted way, using a hypervisor and Intel's Processor Trace (PT) technology.

IEEE S&P

2022

2021

  • DiFuzzRTL: Differential Fuzz Testing to Find CPU Bugs, 2021: Seoul National University, Korea. [DifuzzRTL](https://github.com/compsec-snu/difuzz-rtl), a fuzzing tool dedicated to finding CPU RTL vulnerabilities, is open source.
  • [StochFuzz: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting, 2021](https://ieeexplore.ieee.org/document/9519407): A new fuzzing technique, called incremental and stochastic rewriting, developed by a Chinese team at Purdue University and Renmin University of China to improve the efficiency of binary-only fuzzing with lower overhead than afl-unicorn. The related tool is open source: ZhangZhuoSJTU/StochFuzz.
  • NtFuzz: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, 2021: Jaeseung Cho et al. of the Korea Advanced Institute of Science and Technology (KAIST) propose a static binary analyzer that automatically infers the types of Windows system calls. It is integrated into SoftSec-KAIST/NTFuzz, a Windows system call fuzzing framework that for the first time combines static binary analysis with fuzzing for the Windows kernel.
  • [Diane: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices, 2021](https://ieeexplore.ieee.org/document/9519432): Nilo Redini et al. at the University of California, Santa Barbara address the input generation problem using a hybrid analysis of network traffic and the apps that control the target IoT devices, with a tool called ucsb-seclab/diane, which is open source. It is similar to IoTFuzzer and makes up for some of IoTFuzzer's shortcomings.
  • One Engine to Fuzz 'em All: Generic Language Processor Testing with Semantic Validation, 2021: Yongheng Chen et al. at Georgia Tech propose a generic fuzzing framework (s3team/Polyglot) that aims to generate high-quality fuzzing test cases for exploring processors of different programming languages, achieving generality and applicability across languages. It is more efficient at generating high-quality test cases than the current state-of-the-art general-purpose fuzzers, including the mutation-based fuzzer AFL, the hybrid fuzzer QSYM and the grammar-based fuzzer Nautilus.

2020

  • [IJON: Exploring Deep State Spaces via Fuzzing, 2020](https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/27/IJON-Oakland20.pdf): Discover more about program behavior by adapting AFL to explore the state space of programs, demonstrated with the game "Super Mario". The authors modified Super Mario so that all keyboard commands are read from standard input, and Mario can only keep running to the right and dies whenever he stops, mainly to save time.
  • Krace: Data Race Fuzzing for Kernel File Systems, 2020: introduces KRACE, an end-to-end fuzzing framework that brings concurrency aspects into coverage-guided file system fuzzing.
  • Pangolin: Incremental Hybrid Fuzzing with Polyhedral Path Abstraction, 2020: Hong Kong University of Science and Technology. Hybrid fuzzing, which combines the advantages of symbolic execution and fuzzing, has gradually become one of the important development directions of coverage-guided fuzzing. Despite great progress in achieving high coverage, hybrid fuzzing is known to still suffer from efficiency problems. By reusing the information produced by constraint solving, Pangolin achieves constrained mutation and guided constraint solving, thus improving hybrid fuzzing efficiency.
  • [RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization, 2020](https://www.semanticscholar.org/paper/RetroWrite%3A-Statically-Instrumenting-COTS-Binaries-Dinesh-Burow/845cafb153b0e4b9943c6d9b6a7e42c14845a0d6): The team developed a binary rewriting tool, RetroWrite, that supports AFL and ASAN, and demonstrated that it achieves compiler-level performance while maintaining precision. Binaries rewritten with RetroWrite for coverage-guided fuzzing perform on par with compiler-instrumented binaries, and 4.5x better than the default QEMU-based instrumentation. The tool is open source (https://github.com/HexHive/retrowrite/) but has many restrictions, e.g., the target binary must be x86_64, must contain a symbol table, etc.

2019 ⤵

  • [Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage Guided Tracing, 2019](https://www.computer.org/csdl/proceedings-article/sp/2019/666000b122/19skgbGVFEQ): Virginia Tech implemented UnTracer, a tool based on static binary rewriting (Dyninst), which reduces fuzzing overhead and thus increases speed.
  • [Fuzzing File Systems via Two-Dimensional Input Space Exploration, 2019](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a594/19skfLYOpaw): The author of this paper, Wen Xu of Georgia Tech, and the author's research group have long been engaged in binary-related research. This work implements JANUS, a feedback-based evolutionary fuzzer and universal file system fuzzer that efficiently explores the two dimensions of a file system's input space.
  • [NEUZZ: Efficient Fuzzing with Neural Program Smoothing, 2019](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a900/19skg5XghG0): A Columbia University project that uses neural networks to approximate the branching behavior of programs. NEUZZ strategically modifies bytes of existing seeds in order to generate interesting seeds that trigger unexecuted edges; this strategy is only feasible with the help of neural networks.
  • [Razzer: Finding Kernel Race Bugs through Fuzzing, 2019](https://www.computer.org/csdl/proceedings-article/sp/2019/666000a296/19skfwZLirm): DR Jeong of the Korea Advanced Institute of Science and Technology (KAIST) designed Razzer, a fuzzing tool for data race vulnerabilities in the kernel. Razzer's two-stage fuzzing is based on Syzkaller, and its deterministic scheduler is implemented using QEMU/KVM.
  • [Angora: Efficient Fuzzing by Principled Search, 2018](http://web.cs.ucdavis.edu/~hchen/paper/chen2018angora.pdf): Peng Chen et al. of Shanghai Jiao Tong University developed Angora, whose main goal is to improve branch coverage without using symbolic execution to solve path constraints. The tool is currently active and has been steadily updated.
  • CollAFL: Path Sensitive Fuzzing, 2018: Chao Zhang's team at Tsinghua University made improvements to coverage inaccuracy and seed selection strategies in AFL; the improved tool is called CollAFL.
  • T-Fuzz: fuzzing by program transformation, 2018: Peng Hui et al. of Purdue University developed T-Fuzz, which improves coverage by removing sanity checks. T-Fuzz uses coverage to guide input generation; when a new path cannot be reached, T-Fuzz removes the blocking check so that fuzzing can continue, finding new paths and bugs.
  • Skyfire: Data-Driven Seed Generation for Fuzzing, 2017: For programs that handle highly structured input (e.g., parsing engine programs for XML), this paper proposes a seed generation method that trains contextually relevant grammars with probabilities through a large number of samples, and automatically generates seeds that meet the program input requirements through the trained grammars for subsequent Fuzz.

ACM CCS

  • SFuzz: Slice-based Fuzzing for Real-Time Operating Systems, 2022: SFuzz, a novel slice-based fuzzer for detecting security vulnerabilities in RTOSes, from Shanghai Jiao Tong University.
  • LibAFL: A Framework to Build Modular and Reusable Fuzzers, 2022: LibAFL, a framework for building modular and reusable fuzzers, from individual researchers at Google; LibAFL has been open sourced.
  • JIT-Picking: Differential Fuzzing of JavaScript Engines, 2022: fuzzing of JavaScript engines, from Ruhr-University Bochum, Germany.
  • MC2: Rigorous and Efficient Directed Greybox Fuzzing, 2022: Complexity-theoretic framework for directed greybox fuzz testing as an oracle guided search problem, a more academic improvement of Fuzz, from Columbia University, New York, USA.
  • [Learning to Fuzz from Symbolic Execution with Application to Smart Contracts, 2019](https://files.sri.inf.ethz.ch/website/papers/ccs19-ilf.pdf): Jingxuan He et al. at ETH Zurich propose ILF, a fuzzer that learns a transaction-generation policy by imitating a symbolic execution expert and then applies that policy to fuzz smart contracts at fuzzing speed.
  • Matryoshka: fuzzing deeply nested branches, 2019: from ByteDance AI Lab. Greybox fuzzing has made impressive advances in recent years, from heuristic random mutation to solving individual branch constraints, but it still struggles with path constraints that involve deeply nested conditional statements. Matryoshka identifies the control-flow and taint-flow dependencies among the nested conditions and solves them jointly, so the fuzzer can reach deeply nested paths.
  • Hawkeye: Towards a Desired Directed Grey-box Fuzzer, 2018: from Nanyang Technological University, Singapore. Hawkeye is a directed greybox fuzzer; the paper lists four properties a directed fuzzer should have and builds them in: considering all paths to the target, regardless of length, when computing distance; balancing the overhead and precision of static analysis; rational energy allocation (power scheduling); and adaptive mutation strategies.
  • IMF: Inferred Model-based Fuzzer, 2017: existing kernel fuzzers feed random values into kernel API functions. Such a naive approach rarely reaches bugs deep in the kernel, so the authors propose IMF, which infers a dependency model between API calls (ordering and value flow, e.g. a handle returned by one call and consumed by the next) from logs of real programs and uses it to generate call sequences that reach deep kernel code.
  • [SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits, 2017](https://www.informatics.indiana.edu/xw7/papers/p2139-you.pdf): SemFuzz, a technique that mines vulnerability-related text (CVE descriptions and Linux git commit logs) for the affected functions, parameters and system calls and uses that semantic information to guide automated PoC generation, from Indiana University Bloomington.
  • Directed Greybox Fuzzing, 2017: Marcel Böhme et al. introduced directed greybox fuzzing (DGF) and implemented it in AFLGo: the fuzzer is given target sites (e.g. a patched function or a crash location), computes a distance from each seed's executed path to those targets, and uses a simulated-annealing power schedule to give more energy to seeds that are closer.
  • SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities, 2017: guides mutation by resource consumption (instruction count) rather than by coverage, so that the fuzzer climbs towards inputs that trigger worst-case algorithmic behaviour; demonstrated on regular-expression matching, hash tables, sorting and compression, among others.
  • DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017: Jake Corina et al. of UC Santa Barbara designed DIFUZE, a fuzzer for the ioctl() interface between user space and kernel drivers. DIFUZE first statically analyses the kernel source to recover each driver's interface (the valid command numbers and the structure of the argument for each), then uses that information to generate well-formed ioctl() inputs, which gives far better results than blind fuzzing of the same interface.
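
The distance and power-schedule machinery behind directed greybox fuzzing (AFLGo, and refined by Hawkeye above), as an added example that is not code from either paper or from the AFLGo project. Assumptions: `CALL_GRAPH` and the seed traces are a constructed hypothetical program; distances are computed per function rather than per basic block; and the annealing constants follow the paper's exponential cooling schedule as this author recalls them, so treat the exact numbers as illustrative.

```python
from collections import deque

# Constructed call graph of a hypothetical parser (caller -> callees); not from the paper.
CALL_GRAPH = {
    "main": ["parse_header", "parse_body", "log"],
    "parse_header": ["read_u32", "log"],
    "parse_body": ["decode_chunk", "log"],
    "decode_chunk": ["memcpy_unsafe", "read_u32"],
    "read_u32": [],
    "memcpy_unsafe": [],
    "log": [],
}
TARGETS = {"memcpy_unsafe"}  # target sites, e.g. taken from a patch or a crash report


def _hops_to(graph, target):
    """BFS over the reversed call graph: hop count from every function to `target`."""
    rev = {f: [] for f in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev[callee].append(caller)
    dist, queue = {target: 0}, deque([target])
    while queue:
        f = queue.popleft()
        for caller in rev[f]:
            if caller not in dist:
                dist[caller] = dist[f] + 1
                queue.append(caller)
    return dist


def function_distances(graph, targets):
    """AFLGo function-level distance: harmonic combination of the shortest
    paths to each reachable target; None if no target is reachable at all."""
    per_target = [_hops_to(graph, t) for t in targets]
    result = {}
    for f in graph:
        if f in targets:
            result[f] = 0.0
            continue
        inverse = [1.0 / d[f] for d in per_target if f in d]
        result[f] = 1.0 / sum(inverse) if inverse else None
    return result


def seed_distance(trace, fdist):
    """Mean distance over the functions a seed executed (AFLGo works per basic block)."""
    ds = [fdist[f] for f in trace if fdist.get(f) is not None]
    return sum(ds) / len(ds) if ds else None


def energy_factor(d_norm, t, t_x=10.0):
    """Simulated-annealing power schedule. At t=0 every seed gets the same
    factor (exploration); as t grows past t_x the seeds near the target win.
    Constants are assumed from the paper's exponential cooling schedule."""
    temperature = 20.0 ** (-t / t_x)
    p = (1.0 - d_norm) * (1.0 - temperature) + 0.5 * temperature
    return 2.0 ** (10.0 * (p - 0.5))  # multiplies AFL's base energy


def schedule(seeds, fdist, t):
    """seeds: {name: executed-function trace}. Returns {name: energy factor};
    seeds that cannot reach any target get no directed energy."""
    raw = {s: seed_distance(tr, fdist) for s, tr in seeds.items()}
    known = [d for d in raw.values() if d is not None]
    lo, hi = min(known), max(known)
    out = {}
    for name, d in raw.items():
        if d is None:
            continue
        d_norm = (d - lo) / (hi - lo) if hi > lo else 0.0
        out[name] = energy_factor(d_norm, t)
    return out


if __name__ == "__main__":
    fdist = function_distances(CALL_GRAPH, TARGETS)
    seeds = {
        "near": ["main", "parse_body", "decode_chunk", "read_u32"],
        "far": ["main", "parse_header", "read_u32", "log"],
    }
    for t in (0, 5, 50):
        print(t, {k: round(v, 3) for k, v in schedule(seeds, fdist, t).items()})
```

Two things worth noticing when running it: functions such as `log` and `read_u32` get no distance at all because no path from them leads to the target, and at `t=0` both seeds receive the same factor, so the schedule does not starve exploration before the fuzzer has had time to find seeds that are close.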
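
The SlowFuzz idea, resource-usage feedback in place of coverage feedback, as an added example written for this page (not the SlowFuzz code, which is built on libFuzzer and reads instruction counts from SanitizerCoverage). Assumptions: the target is a constructed insertion sort that reports its own comparison count as the cost proxy, mutations keep the input length fixed, and a mutant is kept only when it is more expensive than the current best.

```python
import random


def insertion_sort_cost(data: bytes) -> int:
    """Constructed target, not from the paper: insertion sort instrumented to
    return its comparison count (sorted input costs n-1, reversed input n(n-1)/2)."""
    a = list(data)
    comparisons = 0
    for i in range(1, len(a)):
        j = i
        while j > 0:
            comparisons += 1
            if a[j - 1] <= a[j]:
                break
            a[j - 1], a[j] = a[j], a[j - 1]
            j -= 1
    return comparisons


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Length-preserving mutations: SlowFuzz caps the input size so that cost
    growth reflects algorithmic behaviour rather than simply larger inputs."""
    b = bytearray(data)
    n = len(b)
    op = rng.randrange(3)
    if op == 0:                              # overwrite one byte
        b[rng.randrange(n)] = rng.randrange(256)
    elif op == 1:                            # swap two positions
        i, j = rng.randrange(n), rng.randrange(n)
        b[i], b[j] = b[j], b[i]
    else:                                    # copy a short run elsewhere
        k = rng.randrange(1, max(2, n // 4))
        src, dst = rng.randrange(n - k + 1), rng.randrange(n - k + 1)
        b[dst:dst + k] = b[src:src + k]
    return bytes(b)


def slowfuzz(cost_fn, seed_input: bytes, iterations: int, seed=0):
    """Resource-usage-guided search: accept a mutant only if it is more expensive.
    Returns (worst_input, worst_cost, [(iteration, cost) for each improvement])."""
    rng = random.Random(seed)
    best, best_cost = seed_input, cost_fn(seed_input)
    history = [(0, best_cost)]
    for it in range(1, iterations + 1):
        candidate = mutate(best, rng)
        cost = cost_fn(candidate)
        if cost > best_cost:
            best, best_cost = candidate, cost
            history.append((it, cost))
    return best, best_cost, history


if __name__ == "__main__":
    start = bytes(range(16))  # sorted: the cheapest possible input
    worst, cost, hist = slowfuzz(insertion_sort_cost, start, 3000)
    print(f"start cost {hist[0][1]}, worst cost {cost} after {hist[-1][0]} iterations")
    print("worst input:", list(worst))
```

A coverage-guided fuzzer would discard every one of these mutants, since the sort executes the same edges whatever the input order; the cost signal is what turns a benign-looking function into a measurable denial-of-service target.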

3 Tools

Most of the tools listed have been tried by the author and are reasonably general-purpose. Some otherwise excellent tools that have not been maintained or updated for a long time and have very limited applicability are not included.

Mutators

  • Radamsa: a test case generator for robustness testing. It reads sample files of valid data and produces "interestingly different" outputs from them (bit flips, byte insertions and deletions, number and delimiter mutations, block repetition, and so on).
  • zzuf: a transparent application input fuzzer. Loaded into the target via LD_PRELOAD, it intercepts file and network reads and randomly corrupts a configurable fraction of the bits, which is why many large open-source projects have adopted it as a cheap source of malformed input.
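
The mutation strategies these tools apply, shown as an added example (Radamsa-style mutators reimplemented for illustration, not Radamsa's or zzuf's own code). Assumptions: the corpus and mutation set are constructed for this example, and like Radamsa the generator is deterministic for a given seed so that a crashing case can be regenerated.

```python
import random
import re

INTERESTING_BYTES = [0x00, 0x7F, 0x80, 0xFF]     # boundary values for a byte
ASCII_NUMBER = re.compile(rb"-?\d+")


def mutate_bit_flip(data: bytes, rng: random.Random) -> bytes:
    b = bytearray(data)
    b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    return bytes(b)


def mutate_interesting(data: bytes, rng: random.Random) -> bytes:
    b = bytearray(data)
    b[rng.randrange(len(b))] = rng.choice(INTERESTING_BYTES)
    return bytes(b)


def mutate_insert(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) * rng.randrange(1, 5) + data[i:]


def mutate_delete(data: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(data))
    n = rng.randrange(1, min(4, len(data) - i) + 1)
    return data[:i] + data[i + n:]


def mutate_duplicate(data: bytes, rng: random.Random) -> bytes:
    """Repeat a chunk: the classic way to overflow a fixed-size buffer."""
    i = rng.randrange(len(data))
    j = rng.randrange(i, len(data) + 1)
    return data[:j] + data[i:j] * rng.randrange(1, 4) + data[j:]


def mutate_number(data: bytes, rng: random.Random) -> bytes:
    """Radamsa-style 'num' mutation: rewrite an ASCII integer to a boundary value."""
    matches = list(ASCII_NUMBER.finditer(data))
    if not matches:
        return data
    m = rng.choice(matches)
    old = int(m.group())
    new = rng.choice([old + 1, old - 1, -old, 0, 2**31 - 1, 2**32, old * 10])
    return data[:m.start()] + str(new).encode() + data[m.end():]


def mutate_splice(data: bytes, rng: random.Random, corpus) -> bytes:
    """Cross over with another corpus file (AFL calls this splicing)."""
    other = rng.choice(corpus)
    i, j = rng.randrange(len(data) + 1), rng.randrange(len(other) + 1)
    return data[:i] + other[j:]


MUTATORS = [mutate_bit_flip, mutate_interesting, mutate_insert,
            mutate_delete, mutate_duplicate, mutate_number, mutate_splice]


def generate(corpus, count, seed=0):
    """Emit `count` mutants, each built from 1-3 stacked mutations of a corpus file."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        base = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):
            m = rng.choice(MUTATORS)
            base = m(base, rng, corpus) if m is mutate_splice else m(base, rng)
            if not base:                      # never hand an empty case to the next mutator
                base = rng.choice(corpus)
        out.append(base)
    return out


if __name__ == "__main__":
    # Constructed corpus: one HTTP request line and one key/value record.
    corpus = [b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n", b"id=10;len=4;name=bob"]
    for case in generate(corpus, 8, seed=42):
        print(case)
```

The `mutate_number` mutator is the one to keep in mind for parsers: a length field bumped to `2**32` or `-1` is a far better overflow probe than random byte noise, which is why Radamsa treats ASCII integers as a distinct mutation target.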

binary

  • afl-unicorn: Fuzzing The 'Unfuzzable': a tool from Battelle released at ShmooCon 2018 (a Chinese-subtitled recording of the talk has been uploaded to Bilibili). It fills a gap in AFL by allowing arbitrary binary code snippets to be fuzzed: the code is loaded into the Unicorn CPU emulator, typically from a memory dump of the real target, so neither source code nor a running system is needed. It is not purely black-box, though: a basic-block hook in Unicorn feeds AFL's edge-coverage map, so seeds are still selected on coverage feedback.
  • Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing: a paper on improving fuzzer effectiveness published by Yonsei University, Korea, at CCS 2019. The team proposed Intriguer, a hybrid fuzzer built on AFL: it records an instruction trace, performs field-level taint analysis to find the input bytes that influence each comparison, and solves constraints on those fields directly instead of invoking a full symbolic executor. In the author's experience it does reach deeper code paths, but it also has a bug that fills the /tmp directory with redundant files.
  • Unicorefuzz: On the Viability of Emulation for Kernelspace Fuzzing: an academic paper on fuzzing kernel code under emulation from the Technical University of Berlin, published at USENIX WOOT '19 (co-located with USENIX Security). Compared to syzkaller, unicorefuzz is simpler to configure and can fuzz individual functions with deeper paths.
  • libFuzzer: a coverage-guided, in-process fuzzing engine that ships with LLVM (originally developed at Google); the user writes an LLVMFuzzerTestOneInput() harness, so it is mainly used to fuzz the APIs exposed by a library.
  • honggfuzz: also a Google-authored tool in the same family as AFL. It is feedback-driven with several feedback sources (compiler instrumentation, Intel PT/BTS, hardware performance counters), runs multi-threaded and multi-process out of the box, and with persistent mode is considerably faster than stock AFL.
  • syzkaller: an excellent coverage-guided kernel fuzzer from Google. System calls and driver ioctl interfaces are described in its syzlang templates, and it generates and mutates programs made of those calls to fuzz the various driver interfaces.
  • frida-fuzzer: an in-memory API fuzzing framework built on Frida, inspired by afl/afl++; the current version runs on GNU/Linux x86_64 and Android x86_64.
  • winafl: a fork of AFL for the Windows platform; it uses DynamoRIO (or Intel PT) to obtain coverage from binaries without source.
  • trinity: a Linux system-call fuzzer. Unlike a blind syscall fuzzer it knows the argument types of each system call and generates semi-valid arguments (real file descriptors, mapped addresses, plausible lengths), so calls get past the initial sanity checks.
  • NtCall64: a Windows NT x64 syscall fuzzer; it invokes native system calls with random arguments to shake out kernel bugs.
  • kDriver-Fuzzer: a Windows kernel-driver fuzzer (a vulnerability-mining tool for driver IOCTL interfaces) written on top of the ioctlbf framework.
  • fuzzball: FuzzBALL is a symbolic execution tool for x86 (and to a lesser extent ARM) binary code based on the BitBlaze Vine library

API/protocol

  • Sulley/Boofuzz: Sulley is a block-based fuzz testing framework, mainly used for fuzzing network protocols, and is no longer maintained. Boofuzz is a fork and successor of the venerable Sulley framework; in addition to many bug fixes it adds new features such as a web interface and better target monitoring.
  • fuzzowski: a network-protocol fuzzer built on boofuzz that reuses Sulley's data primitives for mutation.
  • Peach: a fuzz testing framework created by Michael Eddington's team. It started as open source (Peach Community Edition) and the core product later went commercial (Peach Fuzzer Professional, since acquired by GitLab). Peach specializes in file-format fuzzing through its data models (Pit files), but is equally comfortable with network protocols through its state models.
  • [Defensics](https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html): a commercial, model-based (generational) fuzzer from Synopsys. It is simple and powerful, supports a very wide range of protocols with mature test suites, and is extensible: users can create their own test suites from templates.
  • beSTORM: a commercial tool covering the complete software lifecycle; it appears to be strongest at protocol fuzzing.
  • API-fuzzer: fuzzes web API requests using common penetration-testing payloads and known vulnerability patterns.
  • domato: a grammar-based black-box fuzzer from Google Project Zero for browsers. It is simple to use: it generates random HTML/CSS/JavaScript pages from its grammar, and the user serves them to the browser and watches for crashes.
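
The block-based model that Sulley, boofuzz and fuzzowski (listed above) share, as an added example written for this page rather than code from any of those projects. Assumptions: the primitive names loosely mirror boofuzz's (`Static`, `String`, `Size`, `Block`), the string fuzz library is a small constructed subset, and the `LOGIN` message is a hypothetical protocol invented for the example. The point is the `Size` field: it is recomputed from the rendered block on every case, so that a 5000-byte username still arrives with a correct length prefix, while the `Size` field's own variants deliberately lie about the length.

```python
import struct


class Static:
    """Fixed bytes; never mutated (boofuzz s_static)."""
    def __init__(self, value: bytes):
        self.value = value

    def variants(self):
        return []

    def render(self, override, sizes):
        return self.value


class String:
    """Fuzzable string with a (constructed, abbreviated) fuzz library (boofuzz s_string)."""
    LIBRARY = [b"A" * 255, b"A" * 5000, b"%s%n%s%n", b"\x00", b"../../../../etc/passwd", b"\xff" * 64]

    def __init__(self, value: bytes):
        self.value = value

    def variants(self):
        return self.LIBRARY

    def render(self, override, sizes):
        return self.value if override is None else override


class Size:
    """Length of a named block (boofuzz s_size); its own variants are bad lengths."""
    def __init__(self, block: str, fmt: str = ">H"):
        self.block, self.fmt = block, fmt
        self.mask = (1 << (8 * struct.calcsize(fmt))) - 1

    def variants(self):
        return [0, self.mask, lambda n: n + 1, lambda n: max(n - 1, 0)]

    def render(self, override, sizes):
        n = sizes.get(self.block, 0)
        if callable(override):
            n = override(n)
        elif override is not None:
            n = override
        return struct.pack(self.fmt, n & self.mask)


class Block:
    def __init__(self, name: str, fields):
        self.name, self.fields = name, fields


def _render(fields, overrides, sizes):
    out = b""
    for f in fields:
        if isinstance(f, Block):
            body = _render(f.fields, overrides, sizes)
            sizes[f.name] = len(body)
            out += body
        else:
            out += f.render(overrides.get(id(f)), sizes)
    return out


def render(msg: Block, overrides=None) -> bytes:
    """Two passes: the first learns block lengths, the second emits correct Size fields."""
    overrides, sizes = overrides or {}, {}
    _render(msg.fields, overrides, sizes)
    return _render(msg.fields, overrides, sizes)


def primitives(msg: Block):
    for f in msg.fields:
        if isinstance(f, Block):
            yield from primitives(f)
        else:
            yield f


def test_cases(msg: Block):
    """One mutated primitive per case, everything else at its default (the Sulley strategy)."""
    yield ("baseline", render(msg))
    for p in primitives(msg):
        for v in p.variants():
            yield (type(p).__name__, render(msg, {id(p): v}))


# Constructed message: "LOGIN " <u16 length of creds> <user>\0<pass>\0
LOGIN = Block("login", [
    Static(b"LOGIN "),
    Size("creds"),
    Block("creds", [String(b"admin"), Static(b"\x00"), String(b"hunter2"), Static(b"\x00")]),
])


if __name__ == "__main__":
    for kind, data in test_cases(LOGIN):
        print(f"{kind:8s} len={len(data):5d} {data[:24]!r}")
```

In a real session each rendered case is sent over a socket and a process monitor checks whether the target is still alive; the framework's value is in the model, which lets you say "this field is a length of that block" once instead of hand-patching every test case.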

Firmware

  • [Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing, 2022](https://www.usenix.org/conference/usenixsecurity22/presentation/scharnowski): from Ruhr University Bochum (USENIX Security '22). A tool for fuzzing ARM Cortex-M MCU firmware under Unicorn Engine emulation: every MMIO register read is served from the fuzzer's input, and per-register access models derived with local symbolic execution shrink the input space to the bits the firmware actually uses. Open source: Fuzzware.
  • [Automatic Firmware Emulation through Invalidity-guided Knowledge Inference, 2021](https://www.usenix.org/conference/usenixsecurity21/presentation/zhou): μEmu, developed by Wei Zhou's team at Huazhong University of Science and Technology, uses symbolic execution to infer the knowledge needed to emulate peripheral responses for firmware images. It supports ARM Cortex-M MCU firmware, is built on S2E (a symbolic execution platform), and is open source: [μEmu](https://github.com/MCUSec/uEmu).
  • [IOTFUZZER: Discovering Memory Corruptions in IoT Through App-based Fuzzing](https://www.ndss-symposium.org/wp-content/uploads/2018/02/ndss2018_01A-1_Chen_paper.pdf): a firmware-fuzzing paper by Jiongyi Chen of the Chinese University of Hong Kong, published at NDSS 2018. The authors designed IoTFuzzer ([IOTFuzzer_Full](https://github.com/zyw-200/IOTFuzzer_Full)), a black-box fuzzer that drives an IoT device through its companion mobile app, mutating the data the app sends so that no firmware image is needed, to find memory-corruption vulnerabilities on the device. Testing 17 different IoT devices turned up 15 memory-corruption vulnerabilities, 8 of them previously unknown.
  • [FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation](https://www.usenix.org/conference/usenixsecurity19/presentation/zheng): published by Yaowen Zheng of the Institute of Information Engineering, Chinese Academy of Sciences, at USENIX Security '19. FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware: it runs the target program under fast user-mode emulation and falls back to Firmadyne's full-system emulation only for the operations user mode cannot handle. The drawback is that it can only fuzz firmware that Firmadyne can emulate properly.
  • FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution: published in the journal IEEE Access in 2020, a framework for fuzzing IoT firmware based on optimized virtual execution, open source as [FIRMCORN](https://github.com/FIRMCORN-Fuzzing/FIRMCORN); the authors claim it is the first vulnerability-oriented fuzzing framework for IoT firmware.

4 Blogs

If you don't want to read so much theory, but just want to quickly use the tools in real projects, you can directly refer to the following blogs to get a quick start on various fuzzing tools.

AFL

boofuzz

libfuzzer

Peach

Kernel fuzz

Other



Contribute

If you see a resource on fuzz testing that you think is better, feel free to contribute to this project! Please read the Contribution Guidelines.

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
