Tobias Holl (Ruhr University Bochum), Leon Weiß (Ruhr University Bochum), Kevin Borgolte (Ruhr University Bochum)

Fuzzing is one of the most successful techniques to test software and discover vulnerabilities. Due to its effectiveness and ease of scaling, it is often done in parallel on hundreds to thousands of CPU cores and improving fuzzers’ efficiency, efficacy, and performance has become a major research area. Typically focused on enhancing fuzzing itself, such as through better input generation or optimizing instrumentation to execute the program more frequently, the goal is to find more bugs or flaws in less time. On the other hand, optimizing the performance of the target program, which the fuzzer executes billions of times, specifically for fuzzing has received little attention.

We introduce Pogofuzz, a novel approach to improving fuzzing performance that is fuzzer-agnostic and target-agnostic. We leverage the insight that the inputs used for future mutations are known, to then use compiler-based profile-guided optimization (PGO) to optimize the target program specifically for these future inputs. By regularly creating new profiles based on the next inputs, recompiling the target program with new optimizations, and in-situ replacing the target in the fuzzing process with its newly optimized version, Pogofuzz improves fuzzing performance of the state-of-the-art fuzzer AFL++.

We provide preliminary results for Pogofuzz in different realistic experimental setups, comparing it to AFL++ on four software projects from the FuzzBench suite for 1–6 physical CPU cores per fuzzer, to demonstrate Pogofuzz’s advantages. Our preliminary results show that our approach has the potential to improve fuzzing throughput, despite incurring additional optimization and recompilation costs. Pogofuzz, as a fuzzer-target-agnostic approach, is a significant departure from traditional improvements in fuzzing, which are fuzzer-specific and/or target-specific, providing the opportunity for new, general performance improvements for large-scale, extended fuzzing.

To encourage adoption and reproducibility of our research, we will make Pogofuzz publicly available as open source before or with the publication of the extended paper.

View More Papers

Robust Fraud Transaction Detection: A Two-Player Game Approach

Qi Tan (College of Computer Science and Software Engineering, Shenzhen University), Yi Zhao (School of Cyberspace Science and Technology, Beijing Institute of Technology), Laizhong Cui (College of Computer Science and Software Engineering, Shenzhen University), Qi Li (Institute for Network Science and Cyberspace, Tsinghua University), Ming Zhu (Department of Computer Science and Technology, Tsinghua University), Xing…

Read More

On the Security Risks of Memory Adaptation and Augmentation...

Hocheol Nam (KAIST), Daehyun Lim (KAIST), Huancheng Zhou (Texas A&M University), Guofei Gu (Texas A&M University), Min Suk Kang (KAIST)

Read More

SAGA: A Security Architecture for Governing AI Agentic Systems

Georgios Syros (Northeastern University), Anshuman Suri (Northeastern University), Jacob Ginesin (Northeastern University), Cristina Nita-Rotaru (Northeastern University), Alina Oprea (Northeastern University)

Read More