NEUZZ: Efficient Fuzzing with Neural Program Learning

  • 2018-07-15 21:54:31
  • Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, Suman Jana

Abstract

Fuzzing has become the de facto standard technique for finding software vulnerabilities. However, even the state-of-the-art fuzzers are not very efficient at finding hard-to-trigger software bugs. Coverage-guided evolutionary fuzzers, while fast and scalable, often get stuck at fruitless sequences of random mutations. By contrast, more systematic techniques like symbolic and concolic execution incur significant performance overhead and struggle to scale to larger programs.

We design, implement, and evaluate NEUZZ, an efficient fuzzer that guides the fuzzing input generation process using deep neural networks. NEUZZ efficiently learns a differentiable neural approximation of the target program logic. The differentiability of the surrogate neural program, unlike the original target program, allows us to use efficient optimization techniques like gradient descent to identify promising mutations that are more likely to trigger hard-to-reach code in the target program.

We evaluate NEUZZ on 10 popular real-world programs and demonstrate that NEUZZ consistently outperforms AFL, a state-of-the-art evolutionary fuzzer, both at finding new bugs and achieving higher edge coverage. In total, NEUZZ found 36 previously unknown bugs that AFL failed to find and achieved, on average, 70% more edge coverage than AFL. Our results also demonstrate that NEUZZ can achieve on average 9% more edge coverage while taking 16x less training time than other learning-enabled fuzzers.
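The mechanism the abstract sketches, as an added Python example that is not part of the paper or its released code: train a differentiable surrogate of the program's input-to-edge-coverage map on a corpus, take the gradient of one edge's predicted probability with respect to the input bytes, and mutate only the bytes that gradient ranks highest, in the direction it points. Everything here is constructed: run_target is a 32-byte toy program standing in for an instrumented binary, the surrogate is a single sigmoid unit per edge rather than NEUZZ's deeper network, the seed, step schedule and top_k are assumptions, and the execution counts it prints say nothing about the paper's benchmarks.

```python
import math
import random

# Constructed toy target standing in for an instrumented real program:
# 32 input bytes, 4 edges. Only bytes 0, 10 and 20 influence control flow,
# and edge 3 is the nested, hard-to-reach one (about 1 in 64 random inputs).
N_BYTES, N_EDGES = 32, 4

def run_target(inp):
    """Execute the toy program and return its edge-coverage bitmap."""
    cov = [0] * N_EDGES
    cov[0] = 1                                   # entry edge
    if inp[0] > 0x80:
        cov[1] = 1
        if inp[10] > 0xC0:
            cov[2] = 1
            if inp[20] < 0x20:
                cov[3] = 1                       # hard-to-reach edge
    return cov

def features(inp):
    """Bytes scaled to [-0.5, 0.5]; centering keeps irrelevant weights near 0."""
    return [b / 255.0 - 0.5 for b in inp]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))

class Surrogate:
    """Differentiable stand-in for the program's input -> edge-bitmap function.
    One sigmoid unit per edge, p_k(x) = sigmoid(w_k . x + b_k): the smallest
    network with a usable d p_k / d x. NEUZZ itself uses a deeper feed-forward
    net; only forward() and train() would change."""

    def __init__(self, rng):
        self.w = [[rng.uniform(-0.1, 0.1) for _ in range(N_BYTES)]
                  for _ in range(N_EDGES)]
        self.b = [0.0] * N_EDGES

    def forward(self, x):
        return [sigmoid(sum(wj * xj for wj, xj in zip(self.w[k], x)) + self.b[k])
                for k in range(N_EDGES)]

    def train(self, data, epochs=10, lr=0.2):
        """Plain SGD on binary cross-entropy; (p - y) is dL/dz for sigmoid+BCE."""
        for _ in range(epochs):
            for x, y in data:
                p = self.forward(x)
                for k in range(N_EDGES):
                    err, wk = p[k] - y[k], self.w[k]
                    for j in range(N_BYTES):
                        wk[j] -= lr * err * x[j]
                    self.b[k] -= lr * err

    def input_gradient(self, x, edge):
        """d p_edge / d x_j for every byte j: the signal mutations are ranked by."""
        p = self.forward(x)[edge]
        return [p * (1.0 - p) * wj for wj in self.w[edge]]

def gradient_guided_mutations(model, seed, edge, top_k=3):
    """Rank bytes by |gradient|, then push the top_k bytes in the gradient's
    direction with doubling step sizes. Returns (ranked bytes, candidates)."""
    grad = model.input_gradient(features(seed), edge)
    ranked = sorted(range(N_BYTES), key=lambda j: -abs(grad[j]))[:top_k]
    candidates, step = [], 1
    while step <= 255:
        m = bytearray(seed)
        for j in ranked:
            m[j] = max(0, min(255, m[j] + (step if grad[j] > 0 else -step)))
        candidates.append(bytes(m))
        step *= 2
    return ranked, candidates

def fuzz_campaign(rng_seed=7, corpus_size=1500, target_edge=3):
    rng = random.Random(rng_seed)
    # 1. Random corpus plus observed coverage: the surrogate's training data.
    corpus = [bytes(rng.randrange(256) for _ in range(N_BYTES))
              for _ in range(corpus_size)]
    data = [(features(i), run_target(i)) for i in corpus]
    model = Surrogate(rng)
    model.train(data)
    # 2. Assumed seed: reaches edges 0-2 but not the target; steer it there.
    seed = bytearray(b"A" * N_BYTES)
    seed[0], seed[10], seed[20] = 0xFF, 0xFF, 0x80
    seed = bytes(seed)
    ranked, cands = gradient_guided_mutations(model, seed, target_edge)
    grad_execs, hit = 0, None
    for c in cands:
        grad_execs += 1
        if run_target(c)[target_edge]:
            hit = c
            break
    # 3. Baseline: blind single-byte random mutation of the same seed.
    rand_execs = 0
    while rand_execs < 20000:
        m = bytearray(seed)
        m[rng.randrange(N_BYTES)] = rng.randrange(256)
        rand_execs += 1
        if run_target(bytes(m))[target_edge]:
            break
    return {"ranked_bytes": ranked, "found": hit is not None,
            "gradient_execs": grad_execs, "random_execs": rand_execs}

if __name__ == "__main__":
    r = fuzz_campaign()
    print("bytes ranked by |gradient|:", r["ranked_bytes"])
    print("gradient-guided executions to reach edge 3:", r["gradient_execs"])
    print("random-mutation executions to reach edge 3:", r["random_execs"])
```

The point to take from running it is which bytes the gradient ranks first: the surrogate has never been told that bytes 0, 10 and 20 are the only ones that matter, yet after training on observed coverage its input gradient for edge 3 singles them out and carries the right sign for byte 20, so the guided mutation needs at most the eight candidates in the step schedule, whereas blind single-byte mutation of the same seed has to pick the right byte and a value below 0x20 by chance. Features are centered so that bytes with no influence on coverage keep weights near zero instead of drifting with the bias term; with a deeper surrogate the same input gradient comes out of one backward pass.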
