FuzzRDUCC: Grey-Box Fuzzing via Def-Use Chains
- FuzzRDUCC is a binary-only grey-box fuzzing framework that integrates def-use chain dataflow feedback to reveal vulnerabilities missed by control-flow-only methods.
- It employs static analysis with Angr and symbolic execution to reconstruct candidate def-use chains, which are then monitored at runtime using a bitmap-based feedback mechanism.
- Empirical evaluations show FuzzRDUCC uncovers deep bugs in stripped binaries, outperforming traditional fuzzers in scenarios with complex data dependencies.
FuzzRDUCC is a binary-only grey-box fuzzing framework devised to augment vulnerability discovery in compiled software by integrating dataflow feedback, specifically through the coverage of reconstructed definition-use (def-use) chains. It aims to overcome the fundamental inadequacy of control-flow-only feedback (as used in AFL++ and similar fuzzers) in exposing bugs that manifest primarily due to complex dataflow—rather than edge- or branch-specific execution traces—in the absence of source code or compiler-supplied instrumentation. FuzzRDUCC reconstructs def-use chains directly from stripped binaries via symbolic execution and employs a bitmap-based online feedback mechanism, offering new semantic guidance for test input generation and bug discovery in the binary-only fuzzing domain (Feng et al., 5 Sep 2025).
1. Motivation and Conceptual Grounds
Traditional binary fuzzers, such as AFL++, employ edge coverage to gauge the "novelty" of an input—inputs discovering new control-flow transitions are retained as seeds for further mutations. While efficient for structurally diverse programs, this approach fails to delineate subtle data-induced state changes when program paths remain unchanged but the propagation of input values leads to latent vulnerabilities. In domains such as binary parsers and relocation handlers in ELF utilities, the data processed by the program traverses complex paths, affecting deep program state independently of superficial branch transitions.
FuzzRDUCC addresses this by incorporating explicit coverage tracking of def-use chains—relations between definition sites of variables or memory/registers and their corresponding (potentially distant) use sites—thus enabling the exploration of inputs that may be semantically distinct in their data propagation, even where traditional control-flow coverage would register no novelty (Feng et al., 5 Sep 2025). This is particularly relevant when analyzing closed-source, stripped, or legacy binary-only targets common in security and embedded domains.
2. Static Dataflow Recovery and Symbolic Execution
The core of FuzzRDUCC's methodology is a static preprocessing stage that reconstructs the candidate def-use chains from the target binary. Using Angr as the binary analysis and symbolic execution engine, the binary is lifted to VEX IR to enable semantic reasoning and graph construction. A reaching-definition analysis is then conducted across the IR to produce an over-approximate set of def-use relations—this means that some infeasible chains may be included, but every chain recorded represents a potential runtime dataflow from a definition to a use that has not been overwritten in the presence of complex control flow.
The resulting set of def-use chains (identified as address pairs in the binary) is serialized to a JSON file for efficient runtime lookup. The static analysis thus shifts the expensive symbolic reasoning out of the time-critical fuzzing loop, permitting online guidance using the results of offline dataflow recovery (Feng et al., 5 Sep 2025).
3. Runtime Instrumentation and Chain Coverage Feedback
FuzzRDUCC extends the QEMU Tiny Code Generator (TCG) binary translation framework to enable dataflow instrumentation in the absence of source code. Dynamic execution proceeds block-by-block, and for each relevant translated block, the runtime system consults the precomputed JSON chains and emits helper calls in TCG IR to monitor execution of "use" sites tied to previously established definitions.
To efficiently record observed def-use chains, FuzzRDUCC replaces the canonical AFL++ edge-coverage bitmap hash:
with its own def-use chain hash:
where each pair represents a statically recovered relation. Online execution marks a chain as covered upon runtime observation, and input seeds producing new chain coverage are promoted for further mutation. This hybridizes static dataflow discovery and classic coverage-driven seed selection, targeting semantically richer exploration (Feng et al., 5 Sep 2025).
4. Heuristic Chain Selection and Performance Engineering
A principal challenge is the overhead inherent in monitoring all possible chains, especially as naive def-use logging may exacerbate code size and emulation latency, severely restricting execution throughput. The chain selection algorithm in FuzzRDUCC heuristically prunes the static chain set according to the following criteria:
- Exclusion of intra-block or intra-function chains, on the grounds that these are often trivial/local and unlikely to be semantically relevant for inter-block or interprocedural vulnerabilities.
- Disregard for definitions not actually used or reliably detected in static analysis, eliminating noise introduced by incomplete or overapproximated static analysis.
- Focus on interprocedural chains, which are more often implicated in security-relevant data propagation.
- Special treatment of common external library calls (notably
malloc,calloc, andfree) by simulating them via Angr SimProcedures and filtering out their internal dataflow, reducing both overhead and coverage of non-vulnerability-relevant chains.
This chain-selection process raised execution speed from approximately 50 exec/s to 150 exec/s in empirical binutils benchmarks while retaining effectiveness in finding relevant def-use coverage (Feng et al., 5 Sep 2025).
5. Comparative Evaluation and Vulnerability Findings
The experimental campaign targets eight binutils binaries over 24-hour fuzzing intervals, benchmarking FuzzRDUCC against AFL++, DDfuzz (source-level data dependency guidance), uafuzz, and ZAFL. Key empirical findings include:
- On aggregate edge coverage and total crash count, AFL++ and DDfuzz dominate, attesting to efficiency for edge/directed fuzzing workloads.
- FuzzRDUCC outperforms uafuzz and ZAFL on edge coverage and exhibits superior guidance on parsers such as
strip, where standard edge fuzzers stagnate. - Crucially, FuzzRDUCC discovers unique segmentation faults in
strip, linked to null pointer dereference in the relocation entry processing ofcopy_relocations_in_section. These bugs are missed by AFL++ and others, attributed to FuzzRDUCC’s unique dataflow feedback that preserves and mutates input such that internal data structures reach deeper processing logic before validation or rejection occurs. - The overall implication is that reconstructing def-use chains from binaries, despite cost, exposes deep bugs unreachable by control-flow-only fuzzing guidance (Feng et al., 5 Sep 2025).
6. Framework Integration, Limitations, and Reproducibility
FuzzRDUCC is implemented as a QEMU/AFL++ extension, using Angr for offline static analysis and runtime Python/C integration for chaining binary analysis with bitmap-driven coverage policies. The approach is portable across architectures supported by Angr and QEMU TCG, but the paper notes limitations including:
- Considerable runtime overhead even with heuristic pruning.
- Approximate precision in chain recovery due to binary lifting artifacts, aggressive compiler optimizations, indirect/jump table control flow, and the potential imprecision of VEX IR translation.
- Evaluation limited to binutils and primary evidence for “unique” bug discovery tied to a small set of vulnerabilities.
- Explicit recognition that in some domains control-flow novelty aligns with bug discovery and dataflow coverage may not offer significant advantage.
Source code supporting experimental reproduction is available at https://github.com/MaksimFeng/AFLplusplus (Feng et al., 5 Sep 2025).
7. Relationship to Root-Cause Deduplication and Semantic Bug Grouping
FuzzRDUCC's incorporation of dataflow feedback complements advances in semantic crash deduplication. Systems such as FuzzerAid, which operationalize crash grouping via fault signatures—reduced executable programs containing only necessary statements for bug manifestation—demonstrate that shallow heuristics (coverage, stack hash) overcount unique bugs and fail to align reported crashes with true root causes (Joshy et al., 2022). FuzzRDUCC's def-use-centric feedback mechanism offers enriched provenance information for each discovered bug, facilitating integration with root-cause deduplication logic as employed in FuzzerAid: candidate crashes can be further grouped according to fault-signature replay and merging schemes, yielding a deduplicated, semantically-driven vulnerability corpus.
8. Significance and Future Directions
The significance of FuzzRDUCC lies in establishing reconstructed def-use chain coverage as a practical, deployable semantic feedback signal for binary-only fuzzing. Its initial results substantiate the claim that dataflow-guided exploration enables the discovery of bugs evading control-flow-based fuzzers in programs with minimally variant execution paths. The approach foregrounds the need for further research into scalable data-centric feedback, the integration with advanced semantic deduplication, and the application to broader classes of targets including embedded firmware and highly optimized or obfuscated binaries (Feng et al., 5 Sep 2025, Joshy et al., 2022).