CAREER: System Techniques to Improve Fuzzing Performance

Project Details

Lead PI

Performance Period

Mar 15, 2018 - Feb 28, 2023

Institution(s)

Georgia Tech Research Corporation

Sponsor(s)

National Science Foundation

Award Number


Fuzzing is an automatic software-testing technique that repeatedly injects randomly mutated inputs into a target program. Proven effective at finding bugs in complex, real-world programs, fuzzing has become a core technique for finding security vulnerabilities. Major companies now build large-scale, distributed fuzzing infrastructure that runs on hundreds of virtual machines and processes millions of test cases per day. The performance of fuzzers is critical, as a faster, smarter fuzzer will find more security bugs in the target program more quickly.

This project takes a novel approach to fuzzing performance: it shortens the execution time of each fuzzing iteration, and thereby achieves more test coverage in a fixed time interval, whereas other approaches focus on converging on input sets that are more likely to trigger a vulnerability. In the process, the project will overcome hidden scalability and performance bottlenecks that arise in the system software layers, such as the operating system and the hypervisor. Such technical advances can bring significant savings in the operating cost of fuzzing infrastructure and help developers identify more security bugs in open-source and commercial software in a cost-effective manner.