Coverage guided vs blackbox fuzzing
Coverage guided fuzzing
Coverage guided fuzzing (also known as greybox fuzzing) uses program instrumentation to trace the code coverage reached by each input fed to a fuzz target. Fuzzing engines use this information to make informed decisions about which inputs to mutate to maximize coverage.
For every target, the fuzzing engine builds a corpus of inputs. These grow in coverage over time as the engine discovers new inputs through mutation.
When should I use coverage guided fuzzing?
Coverage guided fuzzing is recommended as it is generally the most effective. This works best when:
- The target is self-contained.
- The target is deterministic.
- The target can execute dozens or more times per second (ideally hundreds or more).
For example, binary format (e.g. image format) parsers are very well suited to this.
A blackbox fuzzer generates inputs for a target program without knowledge of its internal behaviour or implementation.
A blackbox fuzzer may generate inputs from scratch, or rely on a static corpus of valid input files to base mutations on. Unlike coverage guided fuzzing, the corpus does not grow here.
When should I use blackbox fuzzing?
Blackbox fuzzing works well when:
- The target is large.
- The target is not deterministic for the same input.
- The target is slow.
For example, a browser DOM fuzzer may generate HTML inputs that are run against a target such as Chrome, without any coverage feedback to guide its mutations.