Fuzz testing (fuzzing) has witnessed its prosperity in detecting security flaws recently. It
generates a large number of test cases and monitors the executions for defects. Fuzzing has …

Fuzzing is a powerful tool for vulnerability discovery in software, with much progress being
made in the field in recent years. There is limited literature available on the fuzzing …

Fuzzing has proven to be a highly effective approach to uncover software bugs over the past
decade. After AFL popularized the groundbreaking concept of lightweight coverage …

Unlike traditional software, smart contracts have the unique organization in which a
sequence of transactions shares persistent states. Unfortunately, such a characteristic …

Given a program where none of our fuzzers finds any bugs, how do we know which fuzzer is
better? In practice, we often look to code coverage as a proxy measure of fuzzer …

Many protocol implementations are reactive systems, where the protocol process is in
continuous interaction with other processes and the environment. If a bug can be exposed …

Mutation-based greybox fuzzing---unquestionably the most widely-used fuzzing technique---
relies on a set of non-crashing seed inputs (a corpus) to bootstrap the bug-finding process …

Seed scheduling, the order in which seeds are selected, can greatly affect the performance
of a fuzzer. Existing approaches schedule seeds based on their historical mutation data, but …

Taint analysis assists fuzzers in solving complex fuzzing constraints by inferring the
influencing input bytes. Execution paths in real-world programs often reach loops, where …

Coverage metrics play an essential role in greybox fuzzing. Recent work has shown that fine-
grained coverage metrics could allow a fuzzer to detect bugs that cannot be covered by …