Going Beyond Coverage-Guided Fuzzing with Structured Fuzzing

Coverage-guided fuzzers like AFL and libFuzzer have led to a "fuzzing renaissance". This is because they made it possible for security researchers to write effective fuzzers for formats without knowing about the format's structure. However, structure-aware (aka structured) fuzzing is far from dead. In fact, the combination of structured and coverage-guided (aka coverage) fuzzing has quietly become the state of the art in automated vulnerability discovery.This talk will:

• Explain the problems in coverage fuzzing that structured fuzzing solves and how it solves them, including:

• How to ensure fuzzing reaches specific code to find vulnerabilities.

• How to ensure fuzzing does not fuzz specific code that makes fuzzing harder.
• How to fuzz code that doesn't accept an array of bytes.

• Highlight some of the places where structured coverage fuzzing has shined.

• Including Chrome's AppCache where it found a vulnerability used in a full-chain exploit and SQLite+Skia where it found bugs that other kinds of fuzzing did not.

• Present libprotobuf-mutator and custom mutators, two techniques for structured coverage fuzzing that are supported by libFuzzer. These can be used by anyone who can write a fuzzer.
• Share lessons on writing structured coverage fuzzers and how it can make fuzzing less of an art and more of a science.
• Show how structured coverage fuzzing can find more bugs than coverage fuzzing alone and how this technique is straightforward to use.

The talk will ultimately benefit anyone who is interested in fuzzing. In particular, it will benefit security researchers trying to go beyond coverage fuzzing to find vulnerabilities in real code.