Awesome Fuzzing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs.

A curated list of references to awesome Fuzzing for security testing. Additionally there is a collection of freely available academic papers, tools and so on.

Your favorite tool or your own paper is not listed? Fork and create a Pull Request to add it!

Contents

• Books
• Papers
• Tools
• Platform

Books

• Fuzzing-101
• The Fuzzing Book (2019)
• The Art, Science, and Engineering of Fuzzing: A Survey (2019) - Actually, this document is a paper, but it contains more important and essential content than any other book.
• Fuzzing for Software Security Testing and Quality Assurance, 2nd Edition (2018)
• Fuzzing: Brute Force Vulnerability Discovery, 1st Edition (2007)
• Open Source Fuzzing Tools, 1st Edition (2007)

Talks

• Fuzzing Labs - Patrick Ventuzelo, Youtube
• Effective File Format Fuzzing, Black Hat Europe 2016
• Adventures in Fuzzing, NYU Talk 2018
• Fuzzing with AFL, NDC Conferences 2018

Papers

To achieve a well-defined scope, I have chosen to include publications on fuzzing in the last proceedings of 4 top major security conferences and others from Jan 2008 to Jul 2019. It includes (i) Network and Distributed System Security Symposium (NDSS), (ii) IEEE Symposium on Security and Privacy (S&P), (iii) USENIX Security Symposium (USEC), and (iv) ACM Conference on Computer and Communications Security (CCS).

The Network and Distributed System Security Symposium (NDSS)

• Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators, 2022
• MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing, 2022
• Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection, 2022
• EMS: History-Driven Mutation for Coverage-based Fuzzing, 2022
• WINNIE : Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021
• Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021
• PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021
• Favocado: Fuzzing Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021
• HFL: Hybrid Fuzzing on the Linux Kernel, 2020
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing, 2020
• HYPER-CUBE: High-Dimensional Hypervisor Fuzzing, 2020
• Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization, 2020
• CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, 2019
• PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary, 2019
• REDQUEEN: Fuzzing with Input-to-State Correspondence, 2019
• Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing, 2019
• Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications, 2019
• INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing, 2018
• IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing, 2018
• What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, 2018
• Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing, 2018
• Vuzzer: Application-aware evolutionary fuzzing, 2017
• DELTA: A Security Assessment Framework for Software-Defined Networks, 2017
• Driller: Augmenting Fuzzing Through Selective Symbolic Execution, 2016
• Automated Whitebox Fuzz Testing, 2008

IEEE Symposium on Security and Privacy (IEEE S&P)

• PATA: Fuzzing with Path Aware Taint Analysis, 2022
• Jigsaw: Efficient and Scalable Path Constraints Fuzzing, 2022
• FuzzUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks, 2022
• Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis, 2022
• BEACON : Directed Grey-Box Fuzzing with Provable Path Pruning, 2022
• STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting, 2021
• One Engine to Fuzz 'em All: Generic Language Processor Testing with Semantic Validation, 2021
• NTFUZZ: Enabling Type-Aware Kernel Fuzzing on Windows with Static Binary Analysis, 2021
• DIFUZZRTL: Differential Fuzz Testing to Find CPU Bugs, 2021
• DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices, 2021
• Fuzzing JavaScript Engines with Aspect-preserving Mutation, 2020
• IJON: Exploring Deep State Spaces via Fuzzing, 2020
• Krace: Data Race Fuzzing for Kernel File Systems, 2020
• Pangolin:Incremental Hybrid Fuzzing with Polyhedral Path Abstraction, 2020
• RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization, 2020
• Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing, 2019
• Fuzzing File Systems via Two-Dimensional Input Space Exploration, 2019
• NEUZZ: Efficient Fuzzing with Neural Program Smoothing, 2019
• Razzer: Finding Kernel Race Bugs through Fuzzing, 2019
• Angora: Efficient Fuzzing by Principled Search, 2018
• CollAFL: Path Sensitive Fuzzing, 2018
• T-Fuzz: fuzzing by program transformation, 2018
• Skyfire: Data-Driven Seed Generation for Fuzzing, 2017
• Program-Adaptive Mutational Fuzzing, 2015
• TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection, 2010

USENIX Security

• StateFuzz: System Call-Based State-Aware Linux Driver Fuzzing, 2022
• FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing, 2022
• SGXFuzz: Efficiently Synthesizing Nested Structures for SGX Enclave Fuzzing, 2022
• AmpFuzz: Fuzzing for Amplification DDoS Vulnerabilities, 2022
• Stateful Greybox Fuzzing, 2022
• BrakTooth: Causing Havoc on Bluetooth Link Manager via Directed Fuzzing, 2022
• Fuzzing Hardware Like Software, 2022
• Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds, 2022
• FuzzOrigin: Detecting UXSS vulnerabilities in Browsers through Origin Fuzzing, 2022
• TheHuzz: Instruction Fuzzing of Processors Using Golden-Reference Models for Finding Software-Exploitable Vulnerabilities, 2022
• MundoFuzz: Hypervisor Fuzzing with Statistical Coverage Testing and Grammar Inference, 2022
• Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing, 2022
• SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs in Linux kernel, 2022
• Morphuzz: Bending (Input) Space to Fuzz Virtual Devices, 2022
• Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing, 2021
• ICSFuzz: Manipulating I/Os and Repurposing Binary Code to Enable Instrumented Fuzzing in ICS Control Applications, 2021
• Android SmartTVs Vulnerability Discovery via Log-Guided Fuzzing, 2021
• Constraint-guided Directed Greybox Fuzzing, 2021
• Nyx: Greybox Hypervisor Fuzzing using Fast Snapshots and Affine Types, 2021
• UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers, 2021
• FANS: Fuzzing Android Native System Services via Automated Interface Analysis, 2020
• Analysis of DTLS Implementations Using Protocol State Fuzzing, 2020
• EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit, 2020
• Fuzzing Error Handling Code using Context-Sensitive Software Fault Injection, 2020
• FuzzGen: Automatic Fuzzer Generation, 2020
• ParmeSan: Sanitizer-guided Greybox Fuzzing, 2020
• SpecFuzz: Bringing Spectre-type vulnerabilities to the surface, 2020
• FuzzGuard: Filtering out Unreachable Inputs in Directed Grey-box Fuzzing through Deep Learning, 2020
• Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer, 2020
• GREYONE: Data Flow Sensitive Fuzzing, 2020
• Fuzzification: Anti-Fuzzing Techniques, 2019
• AntiFuzz: Impeding Fuzzing Audits of Binary Executables, 2019
• Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems, 2018
• MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation, 2018
• QSYM : A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing, 2018
• OSS-Fuzz - Google's continuous fuzzing service for open source software, 2017
• kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels, 2017
• Protocol State Fuzzing of TLS Implementations, 2015
• Optimizing Seed Selection for Fuzzing, 2014
• Dowsing for overflows: a guided fuzzer to find buffer boundary violations, 2013
• Fuzzing with Code Fragments, 2012

ACM Conference on Computer and Communications Security (ACM CCS)

• SpecDoctor: Differential Fuzz Testing to Find Transient Execution Vulnerabilities, 2022
• SFuzz: Slice-based Fuzzing for Real-Time Operating Systems, 2022
• MC^2: Rigorous and Efficient Directed Greybox Fuzzing, 2022
• LibAFL: A Framework to Build Modular and Reusable Fuzzers, 2022
• JIT-Picking: Differential Fuzzing of JavaScript Engines, 2022
• DriveFuzz: Discovering Autonomous Driving Bugs through Driving Quality-Guided Fuzzing, 2022
• SoFi: Reflection-Augmented Fuzzing for JavaScript Engines, 2021
• T-Reqs: HTTP Request Smuggling with Differential Fuzzing, 2021
• V-SHUTTLE: Scalable and Semantics-Aware Hypervisor Fuzzing, 2021
• Same Coverage, Less Bloat: Accelerating Binary-only Fuzzing with Coverage-preserving Coverage-guided Tracing, 2021
• HyperFuzzer: An Efficient Hybrid Fuzzer For Virtual CPUs, 2021
• Regression Greybox Fuzzing, 2021
• Hardware Support to Improve Fuzzing Performance and Precision, 2021
• SNIPUZZ: Black-box Fuzzing of IoT Firmware via Message Snippet Inference, 2021
• FREEDOM: Engineering a State-of-the-Art DOM Fuzzer, 2020
• Intriguer: Field-Level Constraint Solving for Hybrid Fuzzing, 2019
• Learning to Fuzz from Symbolic Execution with Application to Smart Contracts, 2019
• Matryoshka: fuzzing deeply nested branches, 2019
• Evaluating Fuzz Testing, 2018
• Hawkeye: Towards a Desired Directed Grey-box Fuzzer, 2018
• IMF: Inferred Model-based Fuzzer, 2017
• SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits, 2017
• AFL-based Fuzzing for Java with Kelinci, 2017
• Designing New Operating Primitives to Improve Fuzzing Performance, 2017
• Directed Greybox Fuzzing, 2017
• SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities, 2017
• DIFUZE: Interface Aware Fuzzing for Kernel Drivers, 2017
• Systematic Fuzzing and Testing of TLS Libraries, 2016
• Coverage-based Greybox Fuzzing as Markov Chain, 2016
• eFuzz: A Fuzzer for DLMS/COSEM Electricity Meters, 2016
• Scheduling Black-box Mutational Fuzzing, 2013
• Taming compiler fuzzers, 2013
• SAGE: whitebox fuzzing for security testing, 2012
• Grammar-based whitebox fuzzing, 2008
• Taint-based directed whitebox fuzzing, 2009

ArXiv (Fuzzing with Artificial Intelligence & Machine Learning)

• MEUZZ: Smart Seed Scheduling for Hybrid Fuzzing, 2020
• A Review of Machine Learning Applications in Fuzzing, 2019
• Evolutionary Fuzzing of Android OS Vendor System Services, 2019
• MoonLight: Effective Fuzzing with Near-Optimal Corpus Distillation, 2019
• Coverage-Guided Fuzzing for Deep Neural Networks, 2018
• DLFuzz: Differential Fuzzing Testing of Deep Learning Systems, 2018
• TensorFuzz: Debugging Neural Networks with Coverage-Guided Fuzzing, 2018
• NEUZZ: Efficient Fuzzing with Neural Program Learning, 2018
• EnFuzz: From Ensemble Learning to Ensemble Fuzzing, 2018
• REST-ler: Automatic Intelligent REST API Fuzzing, 2018
• Deep Reinforcement Fuzzing, 2018
• Not all bytes are equal: Neural byte sieve for fuzzing, 2017
• Faster Fuzzing: Reinitialization with Deep Neural Models, 2017
• Learn&Fuzz: Machine Learning for Input Fuzzing, 2017
• Complementing Model Learning with Mutation-Based Fuzzing, 2016

The others

• Fuzzle: Making a Puzzle for Fuzzers, 2022
• Ifuzzer: An evolutionary interpreter fuzzer using genetic programming, 2016
• Hybrid fuzz testing: Discovering software bugs via fuzzing and symbolic execution, 2012
• Call-Flow Aware API Fuzz Testing for Security of Windows Systems, 2008
• Feedback-directed random test generation, 2007
• MTF-Storm:a high performance fuzzer for Modbus/TCP, 2018
• A Modbus/TCP Fuzzer for testing internetworked industrial systems, 2015

Tools

Information about the various open source tools you can use to leverage fuzz testing.

General-purpose

• radamsa - A general-purpose fuzzer.
• zzuf - A transparent application input fuzzer.
• FireCracker - BLST CLI tool takes your HTTP logs, uses them to map your API flows and find risks.

Binary

• American Fuzzy Lop plus plus (AFL++) - A superior fork to Google's AFL. more speed, more and better mutations, more and better instrumentation, custom module support, etc. paper
• American fuzzy lop - A security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary.
• WinAFL - A fork of AFL for fuzzing Windows binaries.
• libFuzzer - A library for coverage-guided fuzz testing. Tutorial from Google.
• Driller - An implementation of the driller paper. This implementation was built on top of AFL with angr being used as a symbolic tracer.
• shellphish fuzzer - A Python interface to AFL, allowing for easy injection of testcases and other functionality.
• Eclipser - A binary-based fuzz testing tool that improves upon classic coverage-based fuzzing by leveraging a novel technique called grey-box concolic testing.
• Jazzer - A coverage-guided, in-process fuzzer for the Java Virtual Machine. It is based on libFuzzer and can be applied directly to compiled applications.

Web, JavaScript

• jsfunfuzz - JavaScript engine fuzzers.
• IFuzzer - An Evolutionary Interpreter Fuzzer Using Genetic Programming.
• domato - DOM fuzzer from Google Project Zero. Blog Post.
• fuzzilli - A (coverage-)guided Javascript engine fuzzer, written by Samuel Groß.
• CodeAlchemist - JavaScript engine fuzzer, written by KAIST SoftSec Lab.
• test-each - Repeat tests using different inputs.
• gremlins.js - gremlins.js is a monkey testing library written in JavaScript.

Network protocol

• dtls-fuzzer - A Java tool which performs protocol state fuzzing of DTLS servers.
• T-Fuzz - T-Fuzz leverages a coverage guided fuzzer to generate inputs.
• TLS-Attacker - A Java-based framework for analyzing TLS libraries.
• DELTA - SDN Security evaluation framework.
• boofuzz - Network Protocol Fuzzing for Humans. Documentation is available at http://boofuzz.readthedocs.io/, including nifty quickstart guides.
• LL-Fuzzer - An automated NFC fuzzing framework for Android devices.
• tlsfuzzer - A SSL and TLS protocol test suite and fuzzer.
• TumbleRF - A framework that orchestrates the application of fuzzing techniques to RF systems.
• PULSAR - A method for stateful black-box fuzzing of proprietary network protocols.
• SPIKE - A fuzzer development framework like sulley, a predecessor of sulley.
• PROTOS - Security testing of protocol implementations.
• MTF - A Modbus/TCP Fuzzer for testing internetworked industrial systems
• MTF-Storm - A high performance fuzzer for Modbus/TCP.
• Scapy - Packet manipulation program & library. Can fuzz any protocol. See the fuzz function.

Driver

• Charm - A system solution that facilitates dynamic analysis of device drivers of mobile systems.

Platform

• certfuzz - It contains the source code for the CMU CERT Basic Fuzzing Framework (BFF) and the CERT Failure Observation Engine (FOE).
• Peach Fuzzer Platform - An automated security testing platform that prevents zero day attacks by finding vulnerabilities in hardware and software systems.
• Blackhat USA 2018 AFL workshop training materials - From @wrauner at Samsung Research.
• CI Fuzz - A CI/CD-agnostic platform for feedback-based fuzz testing of both native applications and Java web apps.

Contribute

Contributions welcome! Read the contribution guidelines first.

License

To the extent possible under law, cpuu has waived all copyright and related or neighboring rights to this work.