Coverage guided fuzzing (also known as greybox fuzzing) uses program instrumentation to trace the code coverage reached by each input fed to a fuzz target. Fuzzing engines use this information to make informed decisions about which inputs to mutate to maximize coverage.
For every target, the fuzzing engine builds a corpus of inputs. These grow in coverage over time as the engine discovers new inputs through mutation.
Coverage guided fuzzing is the recommended approach, as it is generally the most effective. It works best when:
- The target is self-contained.
- The target is deterministic.
- The target can execute dozens or more times per second (ideally hundreds or more).
For example, binary format (e.g. image format) parsers are very well suited to this.
A blackbox fuzzer generates inputs for a target program without knowledge of its internal behaviour or implementation.
A blackbox fuzzer may generate inputs from scratch, or rely on a static corpus of valid input files to base mutations on. Unlike in coverage guided fuzzing, the corpus does not grow, because there is no coverage feedback to tell the fuzzer which inputs are worth keeping.
Blackbox fuzzing works well when:
- The target is large.
- The target is not deterministic for the same input.
- The target is slow.
For example, a browser DOM fuzzer may generate HTML inputs that are run against a target such as Chrome, without any coverage feedback to guide its mutations.