Going Beyond Coverage-Guided Fuzzing with Structured Fuzzing

Structured fuzzing is a technique that can help find more bugs in software testing by constraining input to syntactically valid code and focusing on higher levels of abstraction. It can also improve efficiency by avoiding certain code and covering code that needs to be tested.

• Structured fuzzing can find more bugs by constraining input to syntactically valid code and focusing on higher levels of abstraction
• Structured fuzzing can improve efficiency by avoiding certain code and covering code that needs to be tested
• An anecdote about how structured fuzzing found bugs in SQLite that were not found with unstructured fuzzing was shared

Structured fuzzing found bugs in SQLite that were not found with unstructured fuzzing, despite SQLite being one of the most well-fuzzed projects in the world. The technique can help find more bugs by constraining input to syntactically valid code and focusing on higher levels of abstraction. By avoiding certain code and covering code that needs to be tested, structured fuzzing can also improve efficiency.

Coverage-guided fuzzers like AFL and libFuzzer have led to a "fuzzing renaissance". This is because they made it possible for security researchers to write effective fuzzers for formats without knowing about the format's structure. However, structure-aware (aka structured) fuzzing is far from dead. In fact, the combination of structured and coverage-guided (aka coverage) fuzzing has quietly become the state of the art in automated vulnerability discovery.This talk will:Explain the problems in coverage fuzzing that structured fuzzing solves and how it solves them, including:How to ensure fuzzing reaches specific code to find vulnerabilities.How to ensure fuzzing does not fuzz specific code that makes fuzzing harder.How to fuzz code that doesn't accept an array of bytes.Highlight some of the places where structured coverage fuzzing has shined.Including Chrome's AppCache where it found a vulnerability used in a full-chain exploit and SQLite+Skia where it found bugs that other kinds of fuzzing did not.Present libprotobuf-mutator and custom mutators, two techniques for structured coverage fuzzing that are supported by libFuzzer. These can be used by anyone who can write a fuzzer.Share lessons on writing structured coverage fuzzers and how it can make fuzzing less of an art and more of a science.Show how structured coverage fuzzing can find more bugs than coverage fuzzing alone and how this technique is straightforward to use.The talk will ultimately benefit anyone who is interested in fuzzing. In particular, it will benefit security researchers trying to go beyond coverage fuzzing to find vulnerabilities in real code.