Abstract: Fuzzing technology has been widely used to discover vulnerabilities, but existing fuzzing techniques still cannot cover and explore all functions in an application or a library. Works that automatically generate fuzzing harnesses for the API functions of libraries provide a way to test a target function directly. However, applying these approaches to arbitrary internal functions of a project (e.g., a library) is challenging. Specifically, the context of an API function is usually simple and clear to its users, whereas the complex dependencies of internal functions lead to a more complicated running context and to constraints on their parameters, making it hard to generate fuzzing harnesses efficiently.

In this paper, we propose whole-function fuzzing, a "bottom-up" approach that fuzzes applications and libraries by covering all of their functions. We argue that achieving full function coverage benefits vulnerability discovery even at some cost in precision, a cost that a careful design can mitigate. To this end, we design and implement AFGen, a framework for automatic whole-function fuzzing. Given a target function, AFGen generates a fuzzing harness that reaches the target function with a proper initial program context, and it refines the harness based on the constraints of the discovered crashes. Specifically, it slices the calling statements of the target function based on control-flow and data-flow dependencies, assigns values to the necessary variables used in the sliced code according to their types, and searches for the constraint statements of the variables related to a crash. In this way, AFGen generates fuzzing harnesses with a low false-positive rate.

To verify the effectiveness of AFGen, we collected 102 known vulnerabilities from 11 open-source projects. AFGen successfully creates fuzzing harnesses for all vulnerable functions and identifies 66 of the 102 known vulnerabilities, outperforming all compared tools and finding twice as many vulnerabilities as the second-best fuzzer (i.e., AFL++). The crashes triggered by AFGen achieve 77.1% precision, which is 10 times the precision of FUDGE. AFGen also discovers 24 previously unknown vulnerabilities, confirmed with CVE IDs.
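The three steps the abstract describes (slicing the call site of an internal function by control and data dependencies, seeding the variables left undefined by the slice from the fuzz input according to their C types, and harvesting constraint statements on the variables named in a crash) can be illustrated on a small model. The following Python is an added toy example, not AFGen's implementation: the caller statements, the type table, the internal function `parse_chunk`, the macros `HDR_SIZE` and `MAX_CHUNK`, the header `target.h`, and the pool of project-wide constraints are all constructed for the illustration. It emits a libFuzzer-style harness in C for the sliced call and shows how a crash-derived constraint is inserted as a guard.

```python
"""Toy model of whole-function harness generation: backward slice of a call
site, type-directed assignment of free variables from the fuzz input, and
crash-driven constraint refinement. Constructed example, not AFGen's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stmt:
    kind: str      # "assign": defines `target` from `uses`; "cond": guard; "call": target call
    target: str    # variable defined (assign only), "" otherwise
    uses: tuple    # variables read by the statement
    text: str      # C source text (for a guard, the condition expression)


# Constructed caller that reaches the internal function parse_chunk().
# Variables never defined here (in, in_len, mode, ctx) belong to the caller's own context.
CALLER = [
    Stmt("assign", "len",   ("in_len",), "len = in_len - HDR_SIZE;"),
    Stmt("assign", "buf",   ("in",),     "buf = in + HDR_SIZE;"),
    Stmt("assign", "flags", ("mode",),   "flags = mode & 0x3;"),
    Stmt("assign", "log",   ("ctx",),    "log = ctx->logger;"),
    Stmt("cond",   "",      ("len",),    "len > 0 && len <= MAX_CHUNK"),
    Stmt("assign", "tmp",   ("log",),    "tmp = log_begin(log);"),
    Stmt("call",   "",      ("buf", "len", "flags"), "parse_chunk(buf, len, flags);"),
]
CALL_INDEX = 6

# Declared C types, as a real tool would read them from the AST (constructed).
TYPES = {"in": "unsigned char *", "in_len": "size_t", "mode": "int", "ctx": "struct ctx *",
         "len": "size_t", "buf": "unsigned char *", "flags": "int",
         "log": "struct logger *", "tmp": "int"}

# Constraint statements found elsewhere in the project (other callers, asserts) that
# the refinement step can harvest once a crash report names a variable (constructed).
PROJECT_CONSTRAINTS = [
    Stmt("cond", "", ("in_len",), "in_len >= HDR_SIZE"),
    Stmt("cond", "", ("flags",),  "flags != 3"),
]


def backward_slice(stmts, call_index):
    """Indices of statements the call depends on: definitions of the variables it
    reads (transitively) and preceding guards over any of those variables."""
    needed = set(stmts[call_index].uses)
    keep = {call_index}
    for i in range(call_index - 1, -1, -1):
        s = stmts[i]
        if (s.kind == "assign" and s.target in needed) or \
           (s.kind == "cond" and set(s.uses) & needed):
            keep.add(i)
            needed.update(s.uses)
    return sorted(keep)


def free_variables(stmts, keep):
    """Variables read in the slice but defined nowhere in it; these must be seeded
    from the fuzz input by type."""
    defined = {stmts[i].target for i in keep if stmts[i].kind == "assign"}
    used = {v for i in keep for v in stmts[i].uses}
    return sorted(used - defined)


def refine_with_crash_constraints(crash_vars, pool):
    """After a crash, collect constraint statements mentioning the crashing
    variables so the harness rejects inputs the real callers never pass."""
    return [c for c in pool if set(c.uses) & set(crash_vars)]


def emit_harness(stmts, call_index, types, extra_guards=()):
    """Emit a libFuzzer-style C harness for the sliced call site."""
    keep = backward_slice(stmts, call_index)
    free = free_variables(stmts, keep)
    lines = ["#include <stddef.h>", "#include <stdint.h>", "#include <string.h>",
             '#include "target.h" /* hypothetical header declaring parse_chunk */', "",
             "int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {",
             "    size_t off = 0;"]
    # Scalars are consumed from the input first; each pointer then aliases the rest.
    for v in sorted(free, key=lambda v: types[v].endswith("*")):
        t = types[v]
        if t.endswith("*"):
            lines.append(f"    {t}{v} = ({t})(data + off);")
        else:
            lines.append(f"    {t} {v};")
            lines.append(f"    if (size - off < sizeof {v}) return 0;")
            lines.append(f"    memcpy(&{v}, data + off, sizeof {v}); off += sizeof {v};")
    for i in keep:  # declare the locals the slice defines
        s = stmts[i]
        if s.kind == "assign":
            t = types[s.target]
            lines.append(f"    {t}{s.target};" if t.endswith("*") else f"    {t} {s.target};")
    for i in keep:
        s = stmts[i]
        if s.kind == "call":
            for g in extra_guards:  # harvested constraints go right before the call
                lines.append(f"    if (!({g.text})) return 0;")
            lines.append(f"    {s.text}")
        elif s.kind == "cond":
            lines.append(f"    if (!({s.text})) return 0;")
        else:
            lines.append(f"    {s.text}")
    lines += ["    return 0;", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(emit_harness(CALLER, CALL_INDEX, TYPES))
    # Suppose the first campaign reports an out-of-bounds read involving `len`/`in_len`:
    guards = refine_with_crash_constraints(["len", "in_len"], PROJECT_CONSTRAINTS)
    print(emit_harness(CALLER, CALL_INDEX, TYPES, guards))
```

The slice keeps only the statements feeding `buf`, `len` and `flags` and the guard over `len`, so the logger setup (`ctx`, `log`, `tmp`) never appears in the harness and `ctx` needs no synthesized value. The first harness can still report a crash that real callers cannot reach (here, `in_len` smaller than `HDR_SIZE` makes `len` wrap), which is the precision cost the abstract mentions; the refinement step pulls the matching project constraint on `in_len` into the harness as a guard, while an unrelated constraint on `flags` is left out.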
External IDs: dblp:conf/sp/LiuWJZS24