Luís Pina

CONFETTI: Amplifying Concolic Guidance for Fuzzers

| PDF | | slides | poster | |

James Kukucka and Luís Pina and Paul Ammann and Jonathan Bell
In Proceedings of the IEEE 44th International Conference on Software Engineering (ICSE)
May, 2022


Fuzz testing (fuzzing) allows developers to detect bugs and vulnerabilities in code by automatically generating defect-revealing inputs. Most fuzzers operate by generating inputs for applications and mutating the bytes of those inputs, guiding the fuzzing process with branch coverage feedback via instrumentation. Whitebox guidance (e.g., taint tracking or concolic execution) is sometimes integrated with coverage-guided fuzzing to help cover tricky-to-reach branches that are guarded by complex conditions (so-called “magic values”). This integration typically takes the form of a targeted input mutation, eg placing particular byte values at a specific offset of some input in order to cover a branch. However, these dynamic analysis techniques are not perfect in practice, which can result in the loss of important relationships between input bytes and branch predicates, thus reducing the effective power of the technique. We introduce a new, surprisingly simple, but effective technique, global hinting, which allows the fuzzer to insert these interesting bytes not only at a targeted position, but in any position of any input. We implemented this idea in Java, creating CONFETTI, which uses both targeted and global hints for fuzzing. In an empirical comparison with two baseline approaches, a state-of-the-art greybox Java fuzzer and a version of CONFETTI without global hinting, we found that CONFETTI covers more branches and finds 15 previously unreported bugs, including 9 that neither baseline could find. By conducting a forensic analysis of CONFETTI’s execution, we determined that global hinting was at least as effective at revealing new coverage as traditional, targeted hinting.


  title     = {CONFETTI: Amplifying Concolic Guidance for Fuzzers},
  author    = {Kukucka, James and Pina, Lu\'{\i}s and Ammann, Paul and Bell, Jonathan},
  booktitle = {Proceedings of the {IEEE} 44th International Conference on Software Engineering},
  year      = {2022},
  month     = MAY,
  series    = {ICSE '22},
  location  = {Pittsburgh, PA, USA},
  publisher = {IEEE},