Title: Principled fuzzing driven by mathematics
Fuzzing is a popular technique for finding software bugs. However, fuzzers based on random mutation have difficulty producing quality inputs. We propose a principled fuzzing framework driven by mathematics. Our goal is to increase branch coverage by solving path constraints without symbolic execution. To solve path constraints efficiently, we introduce several key techniques: scalable byte-level taint tracking, context-sensitive branch count, search based on gradient descent, and input length exploration. To overcome the challenges of solving path constraints involving deeply nested conditional statements, first we identify all the control flow-dependent conditional statements. Next, we select the taint flow-dependent conditional statements. Finally, we use three strategies to find an input that satisfies all conditional statements simultaneously. We compared our fuzzer with other state-of-the-art fuzzers on 13 open source programs, and our fuzzer achieved significantly higher cumulative line and branch coverage. We manually classified the crashes found by our fuzzer into 41 unique new bugs and obtained 12 CVEs.
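As an added illustration of the gradient-descent search the abstract describes (this is example code written for this page, not code from the talk or from Angora/Matryoshka): the instrumented comparison exposes its two operands, the objective f(x) = |a - b| is minimised over the tainted byte offsets only, partial derivatives are estimated by finite differences, a doubling line search moves along the normalised gradient, and a random re-seed of one tainted byte escapes zero-gradient states. The target predicate, its byte offsets and the magic constant are constructed for the example.

```python
import random
from typing import Callable, List, Optional, Sequence, Tuple

# Operands (a, b) of the instrumented comparison, as recorded by taint-tracking instrumentation.
Predicate = Callable[[bytes], Tuple[int, int]]

def distance(pred: Predicate, x: List[int]) -> int:
    """Objective for an equality branch a == b: f(x) = |a - b|; zero iff the branch flips."""
    a, b = pred(bytes(x))
    return abs(a - b)

def solve_branch(pred: Predicate, seed: bytes, tainted: Sequence[int],
                 max_iters: int = 500, rng_seed: int = 1) -> Optional[bytes]:
    """Minimise f by numerical gradient descent over the tainted byte offsets only."""
    rng, x = random.Random(rng_seed), list(seed)
    f = distance(pred, x)
    for _ in range(max_iters):
        if f == 0:
            return bytes(x)
        grad = []  # per tainted byte: (direction, drop in f) for the better of +1 / -1
        for i in tainted:
            best = (0, 0)
            for d in (1, -1):
                if 0 <= x[i] + d <= 255:
                    gain = f - distance(pred, x[:i] + [x[i] + d] + x[i + 1:])
                    best = max(best, (d, gain), key=lambda t: t[1])
            grad.append(best)
        top, best_x = max(g for _, g in grad), None
        step = 1
        while top > 0:  # line search along the normalised gradient: double the step while f drops
            y = x[:]
            for i, (d, g) in zip(tainted, grad):
                y[i] = min(255, max(0, y[i] + d * round(step * g / top)))
            fy = distance(pred, y)
            if fy >= f:
                break
            f, best_x, step = fy, y, step * 2
        if best_x is None:
            # Zero gradient or a local minimum: re-seed one tainted byte at random.
            x[rng.choice(tainted)] = rng.randrange(256)
            f = distance(pred, x)
        else:
            x = best_x
    return None

def target_branch(buf: bytes) -> Tuple[int, int]:
    """Constructed target: the 4-byte little-endian tag at offset 4 must equal 0x2A1B3C4D."""
    return int.from_bytes(buf[4:8], "little"), 0x2A1B3C4D
```

Calling `solve_branch(target_branch, bytes(16), range(4, 8))` on an all-zero seed converges in a handful of iterations because the most significant tainted byte carries the largest partial derivative and therefore moves first; bytes outside the tainted set are never touched.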
Hao Chen is a Professor in the Department of Computer Science at the University of California, Davis. Currently he is on academic leave and is leading the security research group at ByteDance (字节跳动) AI lab. His research focuses on a broad range of security problems, including machine learning security, software security, and cloud security. His work on fuzzing includes Angora (S&P '18) and Matryoshka (CCS '19). He received his PhD at the Computer Science Division at the University of California, Berkeley.