Anatomy of a fuzzer

A fuzzer can be divided into several parts:

Fuzz target

In order to use fuzzing, so-called fuzz targets need to be created. Fuzz targets are small programs that test predefined API functions, similar to unit tests. However, the inputs are not provided by the developer but produced with a fuzz generator.

Fuzz generator

Fuzz generators are responsible for creating random mutations of inputs that are sent to the software under test (SUT). There are different input generation patterns that, to a large extent, influence the fuzzing process. During generation, inputs are changed in a number of ways: parts of the inputs are interchanged, added or deleted. Feedback provided by sanitizers plays a large role in this process.

Delivery mechanism

The output of the fuzz generator (i.e. the random inputs) is then sent to the SUT. The delivery mechanism takes each input produced by the fuzz generator and feeds it to the SUT for execution.

Monitoring system

The monitoring system keeps track of how the inputs are executed within SUT and detects triggered bugs. The monitoring system plays a critical part in the fuzzing process as it also influences what types of vulnerabilities can be discovered during fuzzing.
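The four parts described above, fuzz target, fuzz generator, delivery mechanism and monitoring system, are shown together in the following added example. It is not code from the original page; it is a self-contained toy in Python in which `decode_rle` is a constructed software under test with a deliberate off-by-one read, `fuzz_target` is the small program that exercises it, `mutate` is a mutation-based generator, and `run_fuzz` is the delivery loop plus the monitoring that records escaped exceptions (the stand-in here for a crash a sanitizer would report). All names and the input format are assumptions made for the example.

```python
import random
from dataclasses import dataclass, field

# Toy software under test (SUT): a run-length decoder. Input is a sequence of
# (count, value) byte pairs. The missing length check before data[i + 1] is a
# constructed bug: an odd-length input makes the decoder read past the end.
def decode_rle(data: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(data):
        count = data[i]
        value = data[i + 1]  # constructed bug: no check that a value byte follows
        out.extend(bytes([value]) * count)
        i += 2
    return bytes(out)

# Fuzz target: the small program that drives the API under test, like a unit
# test whose input comes from the generator instead of the developer.
# Returns None when the input was handled (accepted or cleanly rejected),
# otherwise the exception that escaped, which the monitor treats as a finding.
def fuzz_target(data: bytes):
    try:
        decode_rle(data)
        return None
    except ValueError:      # a documented rejection of bad input is not a bug
        return None
    except Exception as exc:  # anything else escaping the SUT is a finding
        return exc

# Fuzz generator: mutation-based. Applies one to three random edits to a
# parent input: flip a bit, insert a byte, or delete a byte.
def mutate(data: bytes, rng: random.Random) -> bytes:
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and buf:
            pos = rng.randrange(len(buf))
            buf[pos] ^= 1 << rng.randrange(8)
        elif op == "insert":
            pos = rng.randint(0, len(buf))
            buf.insert(pos, rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

# Monitoring record: how many inputs were executed and, per exception type,
# the first input that triggered it (so each distinct finding is kept once).
@dataclass
class FuzzReport:
    executions: int = 0
    crashes: dict = field(default_factory=dict)  # exception type name -> input

# Delivery mechanism plus monitoring: pick a parent from the seed corpus,
# mutate it, feed it to the fuzz target, and record anything that escapes.
def run_fuzz(seed_corpus, iterations: int, seed: int = 0) -> FuzzReport:
    rng = random.Random(seed)  # fixed seed keeps a run reproducible
    report = FuzzReport()
    for _ in range(iterations):
        parent = rng.choice(seed_corpus)
        candidate = mutate(parent, rng)
        report.executions += 1
        exc = fuzz_target(candidate)
        if exc is not None:
            report.crashes.setdefault(type(exc).__name__, candidate)
    return report

if __name__ == "__main__":
    # Constructed seed corpus: one well-formed input, decodes to b"AAB".
    result = run_fuzz([b"\x02A\x01B"], iterations=500, seed=1)
    for name, data in result.crashes.items():
        print(f"{name} triggered by {data!r} after {result.executions} executions")
```

The split mirrors the section: `fuzz_target` only knows how to call the API and what counts as a clean rejection, `mutate` only knows how to change bytes, and `run_fuzz` owns delivery and monitoring. In a real setup the monitoring side is usually a sanitizer or crash handler rather than a Python `except`, and the generator is steered by coverage feedback; neither is modelled here.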