Feature-Guided Fuzzing

• Feature-guided fuzzing is a testing approach that employs static, dynamic, and input-based features to inform mutation, scheduling, and triage decisions.
• It integrates feature extraction techniques from program code, execution traces, and input analytics to improve bug detection efficiency and precision.
• Empirical evaluations demonstrate significant gains in code coverage, reduced time-to-first-bug, and enhanced vulnerability discovery compared to traditional methods.

Feature-guided fuzzing is a class of automated software testing methodologies in which mutation, scheduling, or prioritization decisions are informed by static, dynamic, or learned features of program inputs, code, or execution state—rather than relying solely on coverage increments as the guiding criterion. This paradigm encompasses both traditional feature-selection/statistical schemes, explicit learning-based models, and on-the-fly marginal importance quantification approaches, driving substantial advancements in vulnerability discovery efficiency, precision, and scale in targets ranging from binary software and smart contracts to web engines.

1. Conceptual Foundations and Taxonomy

Feature-guided fuzzing generalizes the coverage-guided gray-box fuzzing (CGF) abstraction by replacing or augmenting the "edge-coverage-increase = interesting" fitness rule with quantitative or qualitative feature signals. Feature sources include:

• Static features: Metrics from program code structure, such as function-call graph degrees, instruction counts, opcode patterns, or AST/CFG properties (Upadhyay, 2024, Xue et al., 2021).
• Dynamic features: Execution metrics such as sanitizer-detected events, trace flags (e.g., JIT, GC, or allocation logs), or runtime variable states (Ganguly et al., 19 Dec 2025, Drozd et al., 2018).
• Input features: Properties intrinsic to input files (e.g., bytes, tokens, grammar symbols) or inferred from model predictions on their potential to unlock new behaviors (Rajpal et al., 2017, Zhang et al., 2023).
• Historical/learned features: Empirical evidence drawn from past fuzzing runs (success/failure traces, bug-triggering patterns) used to train ML models for risk or utility estimation (Ganguly et al., 19 Dec 2025, Xue et al., 2021).

Fuzzers leverage such features by: (1) prioritizing which inputs are mutated, (2) selecting mutation operators/locations, (3) narrowing the set of fuzzing targets (functions, code regions), or (4) directly suggesting new seed mutations.

2. Feature Extraction and Model Construction

Feature extraction pipelines are domain-specific and may combine static, dynamic, and input-centric analyses:

• Static analysis pipelines: For binary or source-code fuzzing, compilers or disassemblers output control-flow graphs (CFGs), function-call graphs (FCGs), loop metrics, branch counts, or opcode embeddings. For C/C++ code, FuzzDistillCC emits per-basic-block and per-function numerical features modeling potential vulnerability "hot spots" (Upadhyay, 2024). For smart contracts, opcode sequences are embedded via word2vec models and augmented with Boolean risk indicators (e.g., presence of CALL, TX.ORIGIN, or modifiers) (Xue et al., 2021).
• Dynamic trace metrics: In JavaScript engine fuzzing, relevant execution events (e.g., GC, JIT optimize/deopt, map transitions) are extracted by targeted parsing of trace logs, with minimal instrumentation (often ≤5 trace flags) yielding dozens of meaningful dynamic features (Ganguly et al., 19 Dec 2025).
• Input-centric encodings: Representations of seed files range from byte/bit sequences (Rajpal et al., 2017, Drozd et al., 2018) to higher-level grammar tokens, with further options for per-byte Shapley importance calculation (Zhang et al., 2023).
• Feature selection: Data-driven pipelines apply model-based gain metrics (e.g., XGBoost importance), mutual information, or SHAP-value explanations to prune uninformative features, keeping only those contributing substantially to predictive power (Ganguly et al., 19 Dec 2025).

The output is a fixed- or variable-length feature vector, $x \in \mathbb{R}^d$, used in downstream ML pipelines (classification, regression, ranking).

3. Guidance and Integration into the Fuzzing Loop

Feature-guided fuzzers instantiate their guidance through programmatic or learned fitness functions that directly influence the main fuzzing algorithm:

• Guided mutation selection: Neural models predict per-byte mutation usefulness; a “sieve” only permits candidate inputs where the intersection of the mutation mask $\delta$ and predicted-importance mask $\lceil f(x) \rceil$ exceeds a threshold $\alpha$, as in byte-seive approaches (Rajpal et al., 2017).
• Shapley-guided bandit orchestration: Incremental Shapley value updates credit each input byte’s historical marginal gain in new coverage. A contextual multi-armed bandit (linear UCB) samples bytes for mutation in proportion to their estimated Shapley reward and uncertainty, balancing exploration with exploitation (Zhang et al., 2023).
• Static/dynamic risk scoring: Composite models (e.g., XGBoost ensembles) combine static code features and runtime traces to produce a vulnerability probability $f(x)$, which is then used to prioritize queue scheduling and mutation efforts (Ganguly et al., 19 Dec 2025).
• Function/region prioritization: Compile-time feature models trained to predict “vulnerability” rankings on code entities (functions, blocks) guide the fuzzer to focus on high-risk regions, explicitly adjusting the fuzzing strategy for better time/coverage efficiency (Upadhyay, 2024).
• Reinforcement learning (RL) mutation scheduling: Deep RL agents (“Q-Networks”) ingest program state (input bit arrays, potentially augmented with coverage/fault information), selecting mutation operators to maximize expected future reward (e.g., coverage gain, sanitizer triggers) (Drozd et al., 2018).

Algorithmic integration is realized in frameworks such as AFL (as an augmented selection phase), AFL++ (bandit-driven mutator), or libFuzzer–OpenAI Gym hybrids (asynchronous RL learning loops).

4. Empirical Evaluation and Impact

Feature-guided fuzzing consistently advances code coverage, bug-finding precision, and discovery rate relative to baseline, coverage-only, or unguided fuzzers:

• Static/graph-based approaches:
  • FuzzDistill, utilizing compile-time feature models, achieves 25–40% reduction in time-to-first-bug compared to random or unprioritized fuzzing. XGBoost-based models report ≥81% F1-score and AUC-ROC = 95.54% on the Juliet C/C++ suite (Upadhyay, 2024).
  • In cross-contract smart contract fuzzing, xFuzz detects 18 real cross-contract vulnerabilities (15 novel) and doubles non-cross-contract discovery while operating at <20% total fuzzing time of prior tools (Xue et al., 2021).
• Input-feature-based neural guidance:
  • Neural byte sieves improve code coverage by up to 10% (e.g., 12.20% → 13.46% in ELF parsing), and deliver substantially more unique crash discoveries than vanilla AFL (Rajpal et al., 2017).
  • ShapFuzz achieves +4170 edge coverage versus next-best schedule-reinforced peers and 11 previously unknown bugs on latest program versions (Zhang et al., 2023).
• Dynamic, hybrid, and RL approaches:
  • Data-centric, LLM-guided risk models surpass 85% precision (≤1% FPR) in vulnerability prediction and accelerate first-crash time by orders of magnitude versus legacy fuzzers in realistic V8 engine campaigns (Ganguly et al., 19 Dec 2025).
  • FuzzerGym’s RL policy generates both deeper maximum coverage and broader unique line discovery in libjpeg, png, SQL, and crypto parsers versus uniform-mutation baselines (Drozd et al., 2018).

Benchmarks consistently emphasize the significance of rich feature selection, guidance efficacy, and, crucially, the maintenance of low guidance overhead for large-input or high-throughput targets.

5. Feature-Oriented Evaluation and Corpus Design

Beyond fuzzing algorithmics, feature-guided approaches have informed the construction of more meaningful, diagnostic corpora for fuzzer evaluation. FEData synthesizes C programs embedding four formal “search-hampering” features—dataflow depth ($F_1$), path explosion ($F_2$), magic-value checks ($F_3$), and checksums ($F_4$)—enabling controlled diagnosis of fuzzer failures:

Feature	Notation	Description
Dataflow	$F_1$	Input constraint depth
Path-explode	$F_2$	#Paths (bug path depth + 1)
Magic-value	$F_3$	Hard equality guards
Checksum	$F_4$	Computed constraint guards

Post-mortem analysis can thus attribute "why" failure (e.g., cycle explosion, magic-value neglect), driving targeted improvements in strategy and energy scheduling (Zhu et al., 2019).

6. Limitations, Design Insights, and Future Directions

Feature-guided fuzzing faces challenges in feature generalization, model transfer, scalability, and domain-specific constraints:

• Model/scenario sensitivity: ML models trained on one corpus or program family may underperform on novel or obfuscated inputs/devices (Ganguly et al., 19 Dec 2025, Upadhyay, 2024).
• Scalability: Large input seeds (e.g., PDFs, binaries) may bottleneck neural guidance or Shapley estimation; optimizations include partial caching, faster inference, or Monte Carlo Shapley approximations (Zhang et al., 2023, Rajpal et al., 2017).
• Feedback loop: Static-feature models can lack adaptivity compared to dynamic- or online-learned feature mechanisms; incorporation of runtime evidence/active learning remains a major opportunity (Upadhyay, 2024).
• Input field awareness and semantics: For byte-centric or grammar-agnostic schemes, breaking family invariance or field meaning can degrade effectiveness—future designs may benefit from grammar/semantic inference and integration.
• Hybridization: Integration with lightweight symbolic, byte-taint, or constraint-solving can amplify the reach of feature-guided approaches, especially in deep or constraint-heavy control structures (Xue et al., 2021, Zhu et al., 2019).
• Corpus-driven analysis: Feature-oriented corpora provide objective insight into "how" and "why" fuzzers succeed or stall, enabling principled benchmarking and method refinement (Zhu et al., 2019).

Open research questions include:

• Cross-program feature transfer and meta-learning,
• Adaptive sampling for high-dimensional feature or input spaces,
• Extension of feature-guided principles to large-scale or distributed fuzzing ecosystems,
• Direct ML-based mutation synthesis rather than mere mutation-selection guidance.

7. Comparative Summary Table

Approach/Tool	Feature Source	Model/Strategy	Key Metric(s) / Gains	Reference
FuzzDistill	CFG, FCG (static)	XGBoost, DNN	25–40% time-to-bug reduction, AUC-ROC 95%	(Upadhyay, 2024)
xFuzz	Opcode, AST/CFG	EasyEnsemble ADAboost	2x bugs, +10% precision, <20% time	(Xue et al., 2021)
Neural Byte Sieve	Input bytes	LSTM/Seq2Seq	+10% coverage, many more unique crashes	(Rajpal et al., 2017)
ShapFuzz	Byte positions	Incremental Shapley, Bandit	+4170 edges, new bugs, low overhead	(Zhang et al., 2023)
DataCentricFuzzJS	Static+dynamic	XGBoost	>85% precision, <1% FPR, faster bugs	(Ganguly et al., 19 Dec 2025)
FuzzerGym	Input+sanitizers	RL, Q-learning	Max coverage on all targets	(Drozd et al., 2018)
FEData	Synthetically inserted	Formal feature corpus	Diagnosability: "why" fuzzer failed	(Zhu et al., 2019)

The spectrum of feature-guided fuzzing methodologies—spanning static, dynamic, input-centric, and learned feature models—continues to redefine the efficiency and interpretability of automated vulnerability discovery workflows. Recent works highlight the centrality of systematic feature engineering/selection, the integration of low-overhead inference, and the move beyond coverage as the sole signal of progress in software testing and security assurance.