As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques was specifically crafted for GBF, where input generators are used to construct program inputs. The observation is that input generators carry information about the input structure that is naturally present in the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-parts (types) of the input will likely influence a branching decision, then focusing mutation on the choices of the generators that construct these types is likely to achieve the desired coverage. We used our technique to fuzz AWS Lambda applications. Results compared to a baseline GBF tool show an almost 20% average improvement in application coverage, and larger improvements when third-party code is included.
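To make the heuristic concrete, here is an added toy illustration in Python (not the paper's Java implementation): a constructed handler with three nested branches, a generator modelled as a dictionary of typed choices, and a hypothetical per-branch type table standing in for the analysis that decides which types influence each branching decision. Mutation is restricted to choices whose type some still-uncovered branch inspects, and string choices can be drawn from the target's constant strings.

```python
import random
# Constructed target (stand-in for a Lambda handler): each branch tests one
# typed sub-part of the structured event it receives.
STRING_CONSTANTS = ["PUT", "orders"]  # string constants harvested from the target

def target(event):
    covered = set()  # branch ids reached by this event
    if event["method"] == "PUT":
        covered.add("b1")
        if event["path"] == "orders":
            covered.add("b2")
            if event["retries"] > 3:
                covered.add("b3")
    return covered

# Hypothetical analysis result: the type each branch condition inspects.
BRANCH_TYPES = {"b1": str, "b2": str, "b3": int}
# The generator is a fixed sequence of typed choices, one per sub-part of the input.
CHOICE_TYPES = {"method": str, "path": str, "retries": int, "user_id": int, "debug": bool}

def fresh_choice(typ, rng, use_constants):
    if typ is str:
        if use_constants and rng.random() < 0.5:
            return rng.choice(STRING_CONSTANTS)  # constant string lookup
        return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(1, 6)))
    if typ is int:
        return rng.randint(0, 10)
    return rng.random() < 0.5

def generate(rng, use_constants):
    return {k: fresh_choice(t, rng, use_constants) for k, t in CHOICE_TYPES.items()}

def mutate(event, covered, rng, type_guided, use_constants):
    # Type-based heuristic: only re-draw choices whose type an uncovered branch inspects.
    focus = {BRANCH_TYPES[b] for b in set(BRANCH_TYPES) - covered}
    keys = [k for k, t in CHOICE_TYPES.items() if not type_guided or t in focus] or list(CHOICE_TYPES)
    mutant = dict(event)
    key = rng.choice(keys)
    mutant[key] = fresh_choice(CHOICE_TYPES[key], rng, use_constants)
    return mutant

def fuzz(iterations, seed, type_guided=True, use_constants=True):
    # Coverage-guided loop: adopt a mutant only when it reaches a new branch.
    rng = random.Random(seed)
    best = generate(rng, use_constants)
    covered = target(best)
    for _ in range(iterations):
        mutant = mutate(best, covered, rng, type_guided, use_constants)
        cov = target(mutant)
        if cov - covered:
            best, covered = mutant, cov
    return covered
```

Disabling constant lookup (`use_constants=False`) leaves even the first branch unreachable, since randomly drawn lowercase strings never equal the harvested constants.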