As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques was designed specifically for GBF, where input generators are used to construct program inputs. Our observation is that input generators carry information about the input structure that is naturally present in the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-parts (types) of the input are likely to influence a branching decision, then focusing mutation on the choices of the generators that construct those types is likely to achieve the desired coverage. We used our technique to fuzz AWS Lambda applications. Compared to a baseline GBF tool, our results show an almost 20% average improvement in application coverage, and larger improvements when third-party code is included.
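As an added illustration that is not part of the paper, the following Python sketch models the heuristic described above on a constructed toy target: the generator records each typed sub-part of the input as a choice, the type-directed mutator only re-draws choices whose type matches the operand type of the branch being targeted, and string choices are taken from constants looked up in the program. The handler, its constant list and the generator are all constructed here for the example.

```python
import random
# Constructed example target: a small Lambda-style handler whose branches
# compare a str field against a constant and an int field against a bound.
def handler(event):
    if event["action"] == "delete":      # str operand
        if event["count"] > 100:         # int operand
            return "B2"
        return "B1"
    return "B0"

STRING_CONSTANTS = ["delete"]   # what a static constant-string lookup over handler() yields
BRANCH_TYPES = ["str", "int"]   # operand type of the nested branches, outermost first

def generate(rng):
    # Generator: each typed sub-part of the input is one recorded (type, value) choice.
    return [("str", "".join(rng.choice("abcdefgh") for _ in range(6))),
            ("int", rng.randint(0, 10))]

def build(choices):
    return {"action": choices[0][1], "count": choices[1][1]}

def mutate(choices, rng, target_kind=None):
    # Baseline (target_kind None): re-draw each choice with probability 1/2.
    # Type-directed: touch only choices of the target type, using looked-up constants for str.
    out = []
    for (kind, value), (_, fresh) in zip(choices, generate(rng)):
        if target_kind is None:
            out.append((kind, fresh if rng.random() < 0.5 else value))
        elif kind != target_kind:
            out.append((kind, value))
        elif kind == "str":
            out.append((kind, rng.choice(STRING_CONSTANTS)))
        else:
            out.append((kind, value + rng.randint(1, 200)))
    return out

def fuzz(directed, seed=1, budget=200):
    # Returns the set of handler outcomes reached within the budget.
    rng = random.Random(seed)
    current = generate(rng)
    covered = {handler(build(current))}
    for _ in range(budget):
        target = BRANCH_TYPES[min(len(covered) - 1, 1)] if directed else None
        cand = mutate(current, rng, target)
        outcome = handler(build(cand))
        if outcome not in covered:       # keep inputs that reach new branches
            covered.add(outcome)
            current = cand
    return covered
```

With the same budget, the baseline mutator only ever reaches the fall-through branch, while the type-directed mutator reaches all three outcomes because the string comparison is solved by constant lookup and the integer bound by mutating only the int choice.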