Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Researchers Introduce Smart Greybox Fuzzing

A team of researchers has introduced the concept of smart greybox fuzzing, which they claim is much more efficient in finding vulnerabilities in libraries that parse complex files compared to existing fuzzers.

A team of researchers has introduced the concept of smart greybox fuzzing, which they claim is much more efficient in finding vulnerabilities in libraries that parse complex files compared to existing fuzzers.

Fuzzing is used to find software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw. There are three main types of fuzzing: blackbox fuzzing, where the tester has zero knowledge of the target; whitebox fuzzing, where there is full knowledge of the target and the testing is done through the source code; and greybox fuzzing, where the tester has some knowledge of the targeted application.

Five researchers from the National University of Singapore, the Monash University in Australia, and the University Politehnica of Bucharest in Romania have been looking at ways to improve greybox fuzzing and they claim to have achieved impressive results.

Building upon the American Fuzzy Lop (AFL) fuzzer developed by security expert Michał Zalewski (aka lcamtuf), the researchers created a tool called AFLsmart, which implements what they call smart greybox fuzzing (SGF).

According to the experts, AFLsmart is highly efficient in analyzing libraries that parse structurally complex files, such as audio, video, image, document and database files.

In coverage-based greybox fuzzing, the fuzzer is provided a seed file and it randomly flips, deletes, copies or adds bits in order to generate new files that can be parsed by the tested library in order to find potential vulnerabilities. The problem, however, is that in the case of complex file formats, bit flips do not generate valid files.

The researchers have overcome this challenge by defining what they call “innovative mutation operators” that work on the virtual file structure rather than the bit level, which helps ensure that files remain valid.

“We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic,” the researchers explained in a paper.

In their experiments, they tested 11 popular open source libraries that process executable binary (ELF), image, audio and video files. The list includes Binutils, LibPNG, ImageMagick, LibJPEG-turbo, LibJasper, FFmpeg, LibAV, WavPack, and OpenJPEG.

These libraries were tested with AFLsmart and, for comparison, with the AFL, AFLfast and Peach fuzzers. AFLsmart uncovered 33 vulnerabilities, double compared to AFL and AFLfast – Peach did not find any flaws.

AFLsmart fuzzing results

The new tool discovered a total of 42 vulnerabilities in the tests conducted by the researchers, and 17 of these issues have so far been assigned CVE identifiers. Of the 33 aforementioned bugs, 8 have been assigned CVEs. The types of security holes include assertion failures, heap and stack buffer overflows, null pointer dereferences, and divided-by-zero bugs.

The researchers said they plan on making the AFLsmart fuzzer available as open source.

Related: Microsoft Uses Neural Networks to Improve Fuzzing

Related: Google Wants More Projects Integrated With OSS-Fuzz

Related: Fuzzing Tests Show ICS Protocols Least Mature

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.