A team of Microsoft researchers has been working on improving fuzzing techniques by using deep neural networks, and initial tests have shown promising results.
Fuzzing is used to find software vulnerabilities – particularly memory corruption bugs – by injecting malformed or semi-malformed data into the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw.
There are three types of fuzzing: whitebox fuzzing, which tests source or disassembled code; blackbox fuzzing, which does not require access to source code; and greybox fuzzing, which is similar to blackbox fuzzing but uses results from previous executions for feedback.
Experts at Microsoft have attempted to improve this feedback loop using a type of machine learning called deep neural networks (DNN). Neural networks, a set of algorithms modeled after the human brain, are designed to recognize patterns in an effort to help classify and cluster data.
Neural networks have been used by several companies for security-related purposes, including for detecting spam and malware, and even in Apple’s new Face ID feature.
Microsoft researchers have been trying to use neural networks for a learning technique that relies on patterns in previous fuzzing iterations to guide future iterations.
“The neural models learn a function to predict good (and bad) locations in input files to perform fuzzing mutations based on the past mutations and corresponding code coverage information,” the researchers said.
The method has been implemented in American Fuzzy Lop (AFL), a popular open source fuzzer developed by Google researcher Michal Zalewski. Tests were conducted against parsers for the ELF, PDF, PNG and XML file formats.
The tests showed significant improvements in the results obtained with the neural AFL compared to the original AFL, except for PDF files, which experts believe may be too large. Improvements were seen in terms of code coverage, unique code paths and crashes.
The team behind the project believes this approach can be applied to any fuzzer, not just AFL.
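The feedback loop described above, as an added example that is not code from the Microsoft researchers or from AFL: it records which byte offsets changed code coverage when mutated, then biases later mutations toward them. It substitutes a smoothed per-offset frequency table for the deep neural network, and the 64-byte `TOY` format, `toy_parser` and every other name are constructed for illustration.

```python
import random

HEADER_LEN = 8  # constructed toy format: 4 magic bytes, class, flags, length, reserved

def toy_parser(data: bytes) -> frozenset:
    """Stand-in target: returns the set of branch labels the input exercised."""
    cov = {"entry"}
    if data[:4] != b"\x7fTOY":
        return frozenset(cov | {"bad_magic"})
    cov.add(f"class{data[4] % 4}")
    if data[5] & 0x80:
        cov.add("flag_hi")
    cov.add("len_overflow" if data[6] > len(data) - HEADER_LEN else "len_ok")
    return frozenset(cov)

def mutate_at(data: bytes, offset: int, rng: random.Random) -> bytes:
    out = bytearray(data)
    out[offset] = rng.randrange(256)
    return bytes(out)

def fuzz(seed: bytes, iterations: int, rng, weights=None, stats=None):
    """Mutate one byte per run; count runs whose coverage differs from the seed's.
    With weights=None offsets are picked uniformly; stats records the feedback."""
    base, offsets, changed = toy_parser(seed), range(len(seed)), 0
    for _ in range(iterations):
        off = rng.choices(offsets, weights=weights)[0]
        hit = toy_parser(mutate_at(seed, off, rng)) != base
        changed += hit
        if stats is not None:
            stats[off][0] += 1      # mutations tried at this offset
            stats[off][1] += hit    # mutations that changed coverage
    return changed

def learn_scores(stats):
    """Laplace-smoothed estimate of P(coverage changes | mutate this offset)."""
    return [(hits + 1) / (tries + 2) for tries, hits in stats]

def run_demo(seed_value=1):
    rng = random.Random(seed_value)
    seed = b"\x7fTOY\x00\x00\x38\x00" + bytes(56)  # constructed 64-byte sample
    stats = [[0, 0] for _ in seed]
    fuzz(seed, 2000, rng, stats=stats)             # past iterations, uniform offsets
    scores = learn_scores(stats)
    top = sorted(range(len(seed)), key=scores.__getitem__, reverse=True)[:7]
    uniform = fuzz(seed, 500, rng)                 # baseline: no learned guidance
    guided = fuzz(seed, 500, rng, weights=scores)  # offsets weighted by learned score
    return sorted(top), uniform, guided

if __name__ == "__main__":
    print(run_demo())
```

The learned scores concentrate on the seven header bytes the parser branches on, so the guided run spends far fewer executions on payload bytes that never affect coverage.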
“We believe our neural fuzzing research project is just scratching the surface of what can be achieved using deep neural networks for fuzzing,” explained Microsoft’s William Blum. “Right now, our model only learns fuzzing locations, but we could also use it to learn other fuzzing parameters such as the type of mutation or strategy to apply. We are also considering online versions of our machine learning model, in which the fuzzer constantly learns from ongoing fuzzing iterations.”
Blum is the lead of the engineering team for Microsoft Security Risk Detection, a recently launched cloud-based fuzzing service that uses artificial intelligence to find bugs and vulnerabilities in applications. The results of the research into the use of neural networks for fuzzing could help improve this service.
Another recently launched Microsoft tool designed for finding memory corruption bugs, VulnScan, might also be added to the Security Risk Detection service.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
