This program is tentative and subject to change.
Generator-based fuzzing is a technique for testing programs with randomly generated input data produced via a domain-specific generation function, which samples inputs conforming to some data type or input-format structure. Parametric generators combine coverage-guided and generator-based fuzzing for testing programs requiring structured inputs. They function as decoders that transform arbitrary byte sequences into structured inputs, allowing mutations on byte sequences to map directly to mutations on structured inputs, without requiring specialized mutators. However, this technique is prone to the havoc effect, where small mutations on the byte sequence cause large, destructive mutations to the structured input.
This paper investigates the paradoxical nature of the havoc effect for generator-based fuzzing in Java. In particular, we measure mutation characteristics and confirm the existence of the havoc effect, as well as scenarios where it may be more detrimental. In order to better quantify the havoc effect, we introduce mutation distance, i.e. the Levenshtein distance between the parent and child input. Our evaluation across 7 real-world Java applications compares various techniques that perform context-aware, finer-grained mutations on parametric byte sequences, such as JQF-EI, BeDivFuzz, and Zeugma.
We find that these techniques exhibit better control over input mutations and consistently reduce the havoc effect compared to our coverage-guided fuzzer baseline Zest. While we find that context-aware mutation approaches can achieve statistically significantly higher code coverage, we see that destructive mutations still play a valuable role in discovering inputs that increase code coverage. Specialized mutation strategies, while effective, impose substantial computational overhead—revealing practical trade-offs in mitigating the havoc effect.
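To make the decoder view of a parametric generator, the havoc effect, and the mutation-distance metric concrete, here is a toy Python illustration. This is an added example, not code from the paper or from JQF, Zest, BeDivFuzz or Zeugma; the arithmetic-expression grammar, the zero-padding of reads past the end of the byte sequence, the constructed parent input and all helper names are assumptions of the example.

```python
"""Toy parametric generator illustrating the havoc effect and mutation distance.

Added example; the grammar and helpers are constructed for illustration and are
not the paper's or any fuzzer's own code.
"""
from typing import List


class ParamReader:
    """Reads the parametric byte sequence; every structural or value decision
    consumes one byte. Reads past the end decode as 0 (an assumption of this toy)."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def next(self) -> int:
        value = self.data[self.pos] if self.pos < len(self.data) else 0
        self.pos += 1
        return value


def _gen_expr(r: ParamReader, depth: int) -> str:
    """Generator for a tiny arithmetic-expression grammar (constructed for this example)."""
    choice = r.next()                      # structural decision: leaf or binary node
    if depth >= 3 or choice % 3 == 0:
        return str(r.next() % 10)          # value decision: one digit
    op = "+-*"[r.next() % 3]               # value decision: the operator
    left = _gen_expr(r, depth + 1)
    right = _gen_expr(r, depth + 1)
    return f"({left}{op}{right})"


def decode(data: bytes) -> str:
    """The parametric generator used as a decoder: bytes -> structured input."""
    return _gen_expr(ParamReader(data), 0)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mutation_distance(parent: bytes, child: bytes) -> int:
    """Mutation distance as the abstract defines it: Levenshtein distance between
    the decoded parent input and the decoded child input."""
    return levenshtein(decode(parent), decode(child))


def set_byte(data: bytes, index: int, value: int) -> bytes:
    """A plain byte-level mutation of the parametric sequence (no structure awareness)."""
    mutated = bytearray(data)
    mutated[index] = value
    return bytes(mutated)


def distance_by_position(parent: bytes, value: int) -> List[int]:
    """Mutation distance when each byte position in turn is overwritten with `value`.
    Large entries mark positions where a one-byte change rewrites the structure."""
    return [mutation_distance(parent, set_byte(parent, i, value)) for i in range(len(parent))]


if __name__ == "__main__":
    # Constructed parent sequence: decodes to "(5+7)".
    parent = bytes([1, 0, 0, 5, 0, 7])
    print("parent:", decode(parent))
    for i, d in enumerate(distance_by_position(parent, 1)):
        child = set_byte(parent, i, 1)
        print(f"byte {i} -> {decode(child):14} mutation distance {d}")
```

Overwriting an operator or digit byte (positions 1, 3 and 5 of the constructed parent) moves the decoded expression by a single edit, whereas overwriting a structural-choice byte (positions 2 or 4) turns a leaf into a subtree and shifts the meaning of every later byte, so the mutation distance jumps to 5 or 6. That disproportionate change is the havoc effect the abstract describes, and the reason context-aware mutation strategies that know which bytes are structural can keep it in check.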
Fri 17 Apr (displayed time zone: Brasilia, Distrito Federal, Brazil)

11:00 - 12:30

- 11:00 (15m talk): Bridging the Final Gap: Fuzzing Template Generation from Protocol Reverse Engineering Demonstrations. Wenlong Zhang (Central South University), Yongjun Xie (Central South University), Yuanliang Chen (Tsinghua University), Fuchen Ma (Tsinghua University), Dalong Shi (AVIC International Digital Network Technology Co., Ltd.), Dongyi Yu (AVIC International Digital Network Technology Co., Ltd.), Heyuan Shi (Central South University)
- 11:15 (15m talk, Journal-first Papers): The Havoc Paradox in Generator-Based Fuzzing. Ao Li (Carnegie Mellon University), Madonna Huang (University of British Columbia), Vasudev Vikram (Carnegie Mellon University), Caroline Lemieux (University of British Columbia), Rohan Padhye (Carnegie Mellon University)
- 11:30 (15m talk, Journal-first Papers): Visualization Task Taxonomy to Understand the Fuzzing Internals. Sriteja Kummita (Paderborn University), Miao Miao (The University of Texas at Dallas), Eric Bodden (Heinz Nixdorf Institute at Paderborn University & Fraunhofer IEM), Shiyi Wei (University of Texas at Dallas)
- 11:45 (15m talk, Research Track): FrameShift: Resizing Fuzzer Inputs Without Breaking Them. Harrison Green (Carnegie Mellon University), Claire Le Goues (Carnegie Mellon University), Fraser Brown (CMU)
- 12:00 (15m talk, Research Track): On Interaction Effects in Greybox Fuzzing. Konstantinos Kitsios (University of Zurich), Marcel Böhme (MPI for Security and Privacy), Alberto Bacchelli (IfI, University of Zurich). Pre-print available.
- 12:15 (15m talk, Research Track): Configuration-Sensitive Linux Kernel Fuzzing. Yuheng Shen, Jianzhong Liu (Tsinghua University), Yuhan Chen (Central South University), Yifei Chu (Tsinghua University), Qiang Zhang (Hunan University), Guoyu Yin (Central South University), Heyuan Shi (Central South University), Yu Jiang (Tsinghua University)