Coverage-guided Greybox Fuzzing (CGF) is one of the most successful and widely-used techniques for bug hunting. Two major approaches are adopted to optimize CFG: (i) to reduce search space of inputs by inferring relationships between input bytes and path constraints; (ii) to formulate fuzzing processes (e.g., path transitions) and build up probability distributions to optimize power schedules, i.e., the number of inputs generated per seed. However, the former is subjective to the inference results which may include extra bytes for a path constraint, thereby limiting the efficiency of path constraints resolution, code coverage discovery, and bugs exposure; the latter formalization, concentrating on power schedules for seeds alone, is inattentive to the schedule for bytes in a seed.

In this paper, we propose a lightweight fuzzing framework, Truzz, to optimize existing CGFs. To address two aforementioned challenges, Truzz identifies the bytes related to the validation checks (i.e., the checks guarding error-handling code), and protects those bytes from being frequently mutated, making most generated inputs examine the functionalities of programs, in lieu of being rejected by validation checks. The byte-wise relationship determination mitigates the problem of loading extra bytes when fuzzers infer the byte-constraint relation. Furthermore, the proposed path transition within Truzz can efficiently prioritize the seed as the new path, harvesting many new edges, likely belongs to a code region with many undiscovered code lines. To evaluate our approach, we implemented 4 state-of-the-art fuzzers, AFL, AFLFast, NEUZZ, and Greyone, in Truzz. The experimental results show that Truzz can generate up to 33% more inputs flowing into functional code, in addition to roughly 83% more edge coverage identified than the vanilla fuzzers. Finally, our approach exposes 9 bugs in 8 target programs, and three of the bugs have not been identified by the vanilla fuzzers.