JOURNAL ARTICLE

AFLSmart++: Smarter Greybox Fuzzing

Abstract

Model/grammar-based greybox fuzzing has gained attention from both industry and academia because of its ability to discover bugs and vulnerabilities in programs that take highly structured inputs. AFLSmart is one such fuzzer: a model-based fuzzer that focuses on chunk-based file formats such as PNG, PDF and WAV. Its effectiveness comes from carefully designed high-level mutation operators—which work at the data-chunk level—together with other heuristics such as its validity-based power schedule and deferred cracking mechanism. In this work, we present an extension of AFLSmart in which we explore design options to (i) support structure-aware low-level mutation operators—which work at the bit, byte, word and dword levels—and (ii) improve AFLSmart's usability and applicability through the so-called composite input model. The extension is called AFLSmart++, and it was evaluated independently—alongside 11 other fuzzers—on Google FuzzBench in a large-scale competition setup. The results show that AFLSmart++ takes 3rd place in bug finding but ranks 11th in code coverage achieved.

Keywords: Fuzz testing, Computer science, Programming language, Software

Metrics

Cited by: 2
FWCI (Field Weighted Citation Impact): 1.24
References: 17
Citation Normalized Percentile: 0.80

Topics

Web Data Mining and Analysis (Physical Sciences → Computer Science → Information Systems)
Software Testing and Debugging Techniques (Physical Sciences → Computer Science → Software)
Advanced Malware Detection Techniques (Physical Sciences → Computer Science → Signal Processing)
