BACFuzz: Bayesian & Web Fuzzing Frameworks
- BACFuzz is a dual-framework approach merging Bayesian-guided fuzz testing with grey-box web fuzzing to detect software vulnerabilities.
- It employs Approximate Bayesian Computation to drive input generation, achieving up to an 89.7% posterior pass rate in targeted test regions.
- Its grey-box component leverages LLM-guided parameter selection and SQL-backed oracles to identify Broken Access Control flaws in PHP applications.
BACFuzz refers to two distinct, state-of-the-art research frameworks for software vulnerability detection, both sharing the BACFuzz moniker but differing fundamentally in technical approach and target domain. The first, introduced by (Vaisnor, 2024), is a Bayesian-guided, likelihood-free fuzz testing system that integrates Approximate Bayesian Computation (ABC) with the fuzzing loop to prioritize input regions likely to yield interesting program behaviors. The second, presented by (Dharmaadi et al., 21 Jul 2025), is the first grey-box web fuzzer for systematically uncovering Broken Access Control (BAC) vulnerabilities—specifically BOLA and BFLA—in PHP-based web applications, leveraging LLM-guided parameter selection, runtime PHP instrumentation, and a SQL-backed oracle for precise detection.
1. Bayesian-Guided Fuzzing: BACFuzz and ABC Integration
BACFuzz (Vaisnor, 2024) represents a proof-of-concept fuzz-testing system grounded in Approximate Bayesian Computation. This system addresses the infeasibility of exhaustively enumerating the effectively infinite parameter spaces typical of complex software applications. BACFuzz replaces purely random or brute-force input generation by employing ABC to iteratively concentrate a population of candidate inputs ("particles") toward input subspaces more likely to trigger user-specified, nontrivial behaviors (e.g., program crashes or assertion failures).
The core innovation is the marriage of Bayesian simulation to the fuzzing loop, resulting in a likelihood-free, population-based inference protocol. Rather than relying on a closed-form likelihood for input success, BACFuzz uses a distance-based surrogate likelihood that scores and selects particles based on similarity to desired test outcomes.
2. BACFuzz Pipeline: Prior, Inference, and Feedback
BACFuzz's architecture consists of three main modules:
- Prior-Input Generator:
- Initializes a population by sampling from a specified prior distribution. In experiments, every input is a 100-dimensional vector drawn from , with 30% manually set to guarantee a "pass" by fixing the first dimension.
- Inference Engine (ABC: SMC-ABC or MCMC-ABC):
- Sequential Monte Carlo ABC (SMC-ABC): Maintains a weighted particle set updated via resampling and perturbation, using a surrogate likelihood based on a user-defined distance metric . The SMC-ABC protocol anneals the acceptance threshold and narrows the kernel variance over time.
- Markov Chain Monte Carlo ABC (MCMC-ABC): Runs a Markov chain with a Gaussian proposal and accepts or rejects candidates based on the ABC surrogate likelihood.
- Test Harness / Feedback Loop:
- Each candidate input is evaluated against a fitness function (e.g., whether its first coordinate lies within ). The resulting score or pass/fail status feeds directly into the inference engine, guiding subsequent candidate selection.
This cyclical interplay between generation, evaluation, and statistical updating enables BACFuzz to progressively focus on high-value test regions.
3. BACFuzz for Web Security: BAC Vulnerability Detection in PHP Applications
Distinct from the ABC-based approach, BACFuzz (Dharmaadi et al., 21 Jul 2025) is a grey-box fuzzer tailored to expose silent Broken Access Control vulnerabilities in PHP web applications. It operates under a role-based access control (RBAC) threat model, requiring at least two accounts with different privileges and focusing strictly on code-level authorization failures.
Targeted BAC categories:
- Broken Object-Level Authorization (BOLA): Detects when users manipulate object identifiers in requests to access data outside their permitted set .
- Broken Function-Level Authorization (BFLA): Identifies endpoints or functions callable only by high-privileged roles being accessed by unauthorized roles .
4. Web Fuzzing Pipeline: Instrumentation, LLM-Guided Parameter Selection, and SQL Oracle
BACFuzz's detection pipeline involves:
- Request Collection: Automated browser-driven crawling (via Playwright) for each role, building a corpus of request signatures and parameters.
- Parameter Analysis:
- Identification of "sys-gen" fields (object IDs, nonces) differing from injected random fillers.
- Use of an LLM (e.g., DeepSeek-V3) to label parameters as potential references (), security fields (), or "less important."
- Fuzzing and Mutation:
- Weighted-random mutation prioritizing requests with reference parameters.
- Reference mutations for BOLA (replacing authorized object IDs with others), function-level authentication bypass attempts for BFLA, and low-probability random mutations elsewhere.
- Instrumentation:
- PHP interpreter hooks (via uopz) log all SQL statements and coverage (PCOV).
- Feedback from basic block coverage, HTTP 500 errors, and SQL logs drives adaptive input selection.
- SQL-Based Oracle Checking:
- Rule-based analysis of SQL queries to determine unauthorized data manipulation or endpoint access, requiring repeated confirmation across multiple request mutations to suppress false positives.
5. Experimental Results and Evaluation
ABC-Based BACFuzz (Vaisnor, 2024)
- Setup: Toy white-box test function with a constructed 100-D input space, ten initial particles, and 1,000 SMC-ABC or MCMC-ABC steps.
- Findings:
- SMC-ABC posterior pass rate: 89.7%, compared to the prior's 30%.
- MCMC-ABC posterior pass rate: 23%, exhibiting slow mixing and high autocorrelation.
- SMC-ABC monitored effective sample size for convergence; MCMC-ABC chains displayed poor stationarity.
- Limitations: The experimental configuration leveraged known-good inputs in the prior, favoring ABC's success. The results are not directly indicative of black-box or unknown-domain scenarios, where no such initialization is possible.
Web BACFuzz (Dharmaadi et al., 21 Jul 2025)
- Testbed: 20 real-world PHP web applications, including 15 with known BAC CVEs, two testbed apps (DVWA, XVWA), and three large challenge cases.
- Metrics and Outcomes:
- Detected 16/17 known CVEs (94% recall; one CVE undetectable due to hidden ID translation).
- Uncovered 26 previously unknown BAC vulnerabilities.
- False positive rate below 10%.
- Instrumentation overhead: <100 ms/request for large apps; <10 ms for small apps.
- 61–100% of mutated requests were accepted (non-rejected), with reference-guided mutations substantially more effective than random fuzzers.
6. Limitations and Future Research Directions
BACFuzz (Vaisnor, 2024) highlights limitations in ABC inference speed (especially MCMC chain mixing in high dimensions), reliance on prior seeding for initial "passing" particles, and lack of direct applicability to true black-box scenarios. Proposed research extensions include the use of the test function as the ABC likelihood, batch and online re-estimation of thresholds, expansion of input space modeling to execution paths, and security tasks beyond input fuzzing.
The web BACFuzz framework (Dharmaadi et al., 21 Jul 2025) is currently specialized to PHP and DML-query-based oracles, limiting its scope regarding state-dependent BAC and SELECT-only leakages. The authors identify the need for richer state tracking (state-machine learning), improved handling of context-dependent or multi-step BAC, and alternative oracles (e.g., DOM differencing, HTML snapshot comparison) for passive information leaks.
7. Broader Impact and Significance
BACFuzz (Vaisnor, 2024) establishes that Bayesian simulation can systematically guide fuzz testing toward fruitful regions of the input space, offering potential for more efficient, principled, and explainable vulnerability discovery. BACFuzz for web security (Dharmaadi et al., 21 Jul 2025) demonstrates that combining lightweight instrumentation, LLM-guided parameter focus, and SQL-based runtime oracles is effective at surfacing silent BAC vulnerabilities, outperforming crash-oriented fuzzers and black-box scanners in empirical tests. These frameworks exemplify the trend toward inference-driven and feedback-oriented security testing, with implications for improved software assurance and automated vulnerability triage in both research and applied settings.