Directed Greybox Fuzzing

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, Abhik Roychoudhury

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

463 Citations (Scopus)


Existing Greybox Fuzzers (GF) cannot be effectively directed, for instance, towards problematic changes or patches, towards critical system calls or dangerous locations, or towards functions in the stacktrace of a reported vulnerability that we wish to reproduce. In this paper, we introduce Directed Greybox Fuzzing (DGF) which generates inputs with the objective of reaching a given set of target program locations efficiently. We develop and evaluate a simulated annealing-based power schedule that gradually assigns more energy to seeds that are closer to the target locations while reducing energy for seeds that are further away. Experiments with our implementation AFLGo demonstrate that DGF outperforms both directed symbolic-execution-based whitebox fuzzing and undirected greybox fuzzing. We show applications of DGF to patch testing and crash reproduction, and discuss the integration of AFLGo into Google's continuous fuzzing platform OSS-Fuzz. Due to its directedness, AFLGo could find 39 bugs in several well-fuzzed, security-critical projects like LibXML2. 17 CVEs were assigned.

Original languageEnglish
Title of host publicationProceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
EditorsDavid Evans, Tal Maklin, Dongyan Xu
Place of PublicationNew York NY USA
PublisherAssociation for Computing Machinery (ACM)
Number of pages16
ISBN (Electronic)9781450349468
Publication statusPublished - 2017
Externally publishedYes
EventACM Conference on Computer and Communications Security 2017 - Hotel Sheraton Downtown Dallas, Dallas, United States of America
Duration: 30 Oct 20173 Nov 2017
Conference number: 24th (Conference website)


ConferenceACM Conference on Computer and Communications Security 2017
Abbreviated titleCCS 2017
Country/TerritoryUnited States of America
Internet address


  • Coverage-based greybox fuzzing
  • Crash reproduction
  • Directed testing
  • Patch testing
  • Reachability
  • Verifying true positives

Cite this