KLUZZER: Whitebox Fuzzing on Top of LLVM

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11781)


Whitebox fuzzing (a.k.a. concolic testing) has been shown to be an effective bug finding technique on its own as well as in combination with coverage-guided greybox fuzzing. However, there is currently a lack of whitebox fuzzers operating above the binary code level. We present KLUZZER, a whitebox fuzzer targeting LLVM bitcode, and thus can be easily combined with the widely deployed LLVM’s coverage-guided greybox fuzzer LibFuzzer. Experimental evaluation on a set of benchmarks shows encouraging results.



This work was supported by the Central Research Development Fund of the University of Bremen.


  1. 1.
    Angr - a powerful and user-friendly binary analysis platform.
  2. 2.
    LibFuzzer - a library for coverage-guided fuzz testing.
  3. 3.
    Cadar, C., Dunbar, D., Engler, D.R.: KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In: USENIX OSDI, pp. 209–224 (2008)Google Scholar
  4. 4.
    Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: IEEE Symposium on Security and Privacy, pp. 380–394 (2012)Google Scholar
  5. 5.
    Chen, P., Chen, H.: Angora: efficient fuzzing by principled search. In: IEEE Symposium on Security and Privacy, pp. 711–725 (2018)Google Scholar
  6. 6.
    Chipounov, V., Kuznetsov, V., Candea, G.: S2E: a platform for in-vivo multi-path analysis of software systems. In: ASPLOS, pp. 265–278 (2011)Google Scholar
  7. 7.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). Scholar
  8. 8.
    Fietkau, J., Shastry, B.: KleeFL - seeding fuzzers with symbolic execution. In: USENIX Security (Poster presentation) (2017)Google Scholar
  9. 9.
    Ganesh, V., Dill, D.L.: A decision procedure for bit-vectors and arrays. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 519–531. Springer, Heidelberg (2007). Scholar
  10. 10.
    Godefroid, P., Levin, M.Y., Molnar, D.A.: Automated whitebox fuzz testing. In: NDSS (2008)Google Scholar
  11. 11.
    Marinescu, P.D., Cadar, C.: Make test-zesti: a symbolic execution solution for improving regression testing. In: ICSE, pp. 716–726 (2012)Google Scholar
  12. 12.
    Martignoni, L., McCamant, S., Poosankam, P., Song, D., Maniatis, P.: Path-exploration lifting: hi-fi tests for lo-fi emulators. In: ASPLOS, pp. 337–348 (2012)CrossRefGoogle Scholar
  13. 13.
    Ruhstaller, M., Chang, O.: A new chapter for OSS-Fuzz.
  14. 14.
    Stephens, N., et al.: Driller: augmenting fuzzing through selective symbolic execution. In: NDSS (2016)Google Scholar
  15. 15.
    Wang, M., et al.: SAFL: increasing and accelerating testing coverage with symbolic execution and guided fuzzing. In: ICSE, pp. 61–64 (2018)Google Scholar
  16. 16.
    Yun, I., Lee, S., Xu, M., Jang, Y., Kim, T.: QSYM : a practical concolic execution engine tailored for hybrid fuzzing. In: USENIX Security, pp. 745–761 (2018)Google Scholar
  17. 17.
    Zalewski, M.: American fuzzy lop (AFL) white paper.
  18. 18.
    Zhao, L., Duan, Y., Yin, H., Xuan, J.: Send hardest problems my way: probabilistic path prioritization for hybrid fuzzing. In: NDSS (2019)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Group of Computer ArchitectureUniversity of BremenBremenGermany

Personalised recommendations