Coverage-Guided Fuzzing
What is Coverage-Guided Fuzzing?
Coverage-Guided Fuzzing: A fuzzing technique that instruments the target to measure code coverage and evolves inputs that explore previously unseen paths, dramatically improving bug-finding efficiency.
Coverage-guided fuzzers instrument the target at compile time or via dynamic binary translation, then run candidate inputs while collecting edge or basic-block coverage. Inputs that exercise new coverage are kept and further mutated by an evolutionary algorithm, so the corpus drifts toward harder-to-reach code. This feedback loop, popularized by AFL and refined by AFL++, libFuzzer and Honggfuzz, is orders of magnitude more effective than blind random fuzzing on real software. It powers projects such as Google OSS-Fuzz, which has discovered tens of thousands of bugs in open-source code by running coverage-guided fuzzers continuously.
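The feedback loop described above, as an added example that is not code from AFL++, libFuzzer or Honggfuzz: a minimal coverage-guided fuzzer in Python. The target (`toy_parser`), its hand-placed edge probes (`edge()`), the mutators and the seed are all constructed for this demonstration; a real fuzzer gets the same (previous block, current block) edge information from compiler instrumentation instead of explicit calls. The point it shows is why the feedback matters: each byte of the four-byte header that the target checks is a separate branch, so an input that passes one more check hits a new edge, is kept in the corpus, and becomes the parent for the next step, whereas a blind fuzzer with the same mutators has no way to hold on to partial progress.

```python
"""Minimal coverage-guided fuzzer illustrating the AFL-style feedback loop.

Added example, not AFL++/libFuzzer/Honggfuzz code. The target parser, its
hand-written edge probes and the seed are constructed for this demonstration.
"""
import random
from dataclasses import dataclass, field
from typing import Optional


class TargetCrash(Exception):
    """Stands in for a sanitizer abort or fatal signal in a real target."""


# --- Instrumentation ---------------------------------------------------------
# An instrumented binary records (previous block, current block) edges in a
# shared map; here the target calls edge() by hand at each basic block.
_prev_block = 0
_edges: set = set()


def edge(block_id: int) -> None:
    global _prev_block
    _edges.add((_prev_block, block_id))
    _prev_block = block_id


def run_instrumented(target, data: bytes):
    """Run target on data; return (frozenset of edges hit, crashed flag)."""
    global _prev_block
    _edges.clear()
    _prev_block = 0
    try:
        target(data)
    except TargetCrash:
        return frozenset(_edges), True
    return frozenset(_edges), False


# --- Constructed target ------------------------------------------------------
def toy_parser(data: bytes) -> None:
    """Four chained byte checks guard a bug; each check is its own block."""
    edge(1)
    if len(data) < 4 or data[0] != ord("F"):
        edge(2); return
    edge(3)
    if data[1] != ord("U"):
        edge(4); return
    edge(5)
    if data[2] != ord("Z"):
        edge(6); return
    edge(7)
    if data[3] != ord("Z"):
        edge(8); return
    edge(9)
    raise TargetCrash("bug reachable only behind the full FUZZ header")


# --- Mutation and the feedback loop ------------------------------------------
def mutate(rng: random.Random, data: bytes) -> bytes:
    """Two cheap AFL-style mutators: overwrite one byte or flip one bit."""
    buf = bytearray(data) or bytearray(b"\x00")
    pos = rng.randrange(len(buf))
    if rng.random() < 0.5:
        buf[pos] = rng.randrange(256)
    else:
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


@dataclass
class FuzzResult:
    corpus: list = field(default_factory=list)      # inputs that found new coverage
    seen: set = field(default_factory=set)           # distinct edge sets observed
    global_edges: set = field(default_factory=set)   # union of all edges hit
    crash_input: Optional[bytes] = None
    iterations: int = 0


def coverage_guided_fuzz(target, seed: bytes, budget: int, rng_seed: int = 1234) -> FuzzResult:
    """Keep every input that reaches an unseen edge set and mutate from those."""
    rng = random.Random(rng_seed)
    res = FuzzResult()
    cov, _ = run_instrumented(target, seed)
    res.corpus.append(seed); res.seen.add(cov); res.global_edges |= cov
    for i in range(1, budget + 1):
        res.iterations = i
        # Crude scheduler: favour the newest coverage-finding input half the time,
        # otherwise pick any queue entry (AFL cycles its queue with similar bias).
        parent = res.corpus[-1] if rng.random() < 0.5 else rng.choice(res.corpus)
        child = mutate(rng, parent)
        cov, crashed = run_instrumented(target, child)
        if cov not in res.seen:                      # new coverage: promote to parent
            res.seen.add(cov); res.global_edges |= cov; res.corpus.append(child)
        if crashed:
            res.crash_input = child
            break
    return res


def blind_fuzz(target, seed: bytes, budget: int, rng_seed: int = 1234) -> FuzzResult:
    """Same mutators and budget, no feedback: a random walk away from the seed."""
    rng = random.Random(rng_seed)
    res = FuzzResult(corpus=[seed])
    current = seed
    for i in range(1, budget + 1):
        res.iterations = i
        current = mutate(rng, current)
        cov, crashed = run_instrumented(target, current)
        res.seen.add(cov); res.global_edges |= cov
        if crashed:
            res.crash_input = current
            break
    return res


if __name__ == "__main__":
    guided = coverage_guided_fuzz(toy_parser, b"AAAA", budget=300_000)
    print(f"guided: crash={guided.crash_input!r} after {guided.iterations} runs, "
          f"corpus={len(guided.corpus)}, edges={len(guided.global_edges)}")
    blind = blind_fuzz(toy_parser, b"AAAA", budget=300_000)
    print(f"blind : crash={blind.crash_input!r}, edges={len(blind.global_edges)}")
```

With the seed `AAAA` the guided run builds a corpus of exactly five entries, one per header check passed, and reaches the crash in a few thousand to a few tens of thousands of runs; the blind walk over a 2^32 input space practically never does. Real fuzzers add what this toy omits: a fixed-size edge map with hit-count buckets instead of exact edge sets, many more mutators (splicing, dictionaries, arithmetic), and energy scheduling that spends more runs on inputs that recently found coverage.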
● Examples
- 01: Compiling a C parser with AFL++ instrumentation and using afl-fuzz to grow a coverage-driven corpus.
- 02: libFuzzer using SanitizerCoverage to evolve inputs for a Rust crate.
● Frequently asked questions
What is Coverage-Guided Fuzzing?
A fuzzing technique that instruments the target to measure code coverage and evolves inputs that explore previously unseen paths, dramatically improving bug-finding efficiency. It belongs to the Application Security category of cybersecurity.
How do you defend against Coverage-Guided Fuzzing?
Coverage-guided fuzzing is a testing technique rather than an attack, so there is nothing to defend against as such; the practical response is to run it against your own code, ideally continuously as OSS-Fuzz does, so that the bugs it is so effective at finding are found and fixed by you first.
What are other names for Coverage-Guided Fuzzing?
Common alternative names include: Greybox fuzzing, Feedback-driven fuzzing.