ICSE2022
GraphFuzz: Library API Fuzzing with Lifetime-aware Dataflow Graphs
Harrison Green, Thanassis Avgerinos
38 citations
Abstract
We present the design and implementation of GraphFuzz, a new structure-, coverage- and object lifetime-aware fuzzer capable of automatically testing low-level library APIs. Unlike other fuzzers, GraphFuzz models sequences of executed functions as a dataflow graph, thus enabling it to perform graph-based mutations both at the data and at the execution trace level. GraphFuzz comes with an automated specification generator to minimize the developer integration effort. We use GraphFuzz to analyze Skia, the rigorously tested Google Chrome graphics library, and benchmark GraphFuzz-generated fuzzing harnesses against hand-optimized, painstakingly written libFuzzer harnesses. We find that GraphFuzz generates test cases that achieve 2-3x more code coverage on average with minimal development effort, and also uncovered previously unknown defects in the process. We demonstrate GraphFuzz's applicability on low-level APIs by analyzing four additional open-source libraries and finding dozens of previously unknown defects. All security-relevant findings have already been reported and fixed by the developers. Last, we open-source GraphFuzz under a permissive license and provide code to reproduce all results in this paper.
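As an added illustration, not code from the paper or from the GraphFuzz project, the following Python sketch shows what "lifetime-aware dataflow graph" mutation means in practice: a test case is a topologically ordered list of API calls whose arguments are edges to earlier producers, a validator enforces dataflow typing plus object lifetime (no use after the destructor, no double free, every destructible object freed), and the mutation operators (insert a call wired only to live producers, remove a call together with its transitive consumers, perturb a literal) are written so they preserve those invariants instead of relying on post-hoc rejection. The toy API (`make_path`, `add_point`, `make_canvas`, `draw_path`, `free_path`), the type names and the `render` output format are assumptions for illustration only and are not GraphFuzz's specification format or Skia's API.

```python
import random
from dataclasses import dataclass

# Constructed toy library API: name -> (input types, output type). Not Skia's API.
API = {
    "make_path":   ([], "Path"),
    "add_point":   (["Path", "int"], None),
    "make_canvas": ([], "Canvas"),
    "draw_path":   (["Canvas", "Path"], None),
    "free_path":   (["Path"], None),
}
DESTRUCTOR = {"Path": "free_path"}  # types whose objects must be explicitly freed

@dataclass
class Node:
    fn: str
    args: list  # each arg is ("ref", producer_index) or ("lit", int_value)

def out_type(node):
    return API[node.fn][1]

def validate(trace):
    """Dataflow check (refs point to earlier, type-compatible producers) plus
    lifetime check (no use after free, no double free, no leaked object)."""
    freed = set()
    for i, node in enumerate(trace):
        in_types, _ = API[node.fn]
        if len(node.args) != len(in_types):
            return False
        for (kind, val), want in zip(node.args, in_types):
            if kind == "lit":
                if want != "int" or not isinstance(val, int):
                    return False
            elif not (0 <= val < i) or out_type(trace[val]) != want or val in freed:
                return False  # dangling edge, type mismatch, or use-after-free
        if node.fn in DESTRUCTOR.values():
            freed.add(node.args[0][1])
    # every destructible object must have been freed by the end of the trace
    return all(i in freed for i, n in enumerate(trace) if out_type(n) in DESTRUCTOR)

def shift(trace, pos, k=1):
    """Renumber refs at or beyond pos after inserting k nodes at pos."""
    for node in trace:
        node.args = [("ref", v + k) if kd == "ref" and v >= pos else (kd, v)
                     for kd, v in node.args]

def free_index(trace):
    """Index of the destructor that frees each destructible object (len(trace) if none)."""
    fi = {i: len(trace) for i, n in enumerate(trace) if out_type(n) in DESTRUCTOR}
    for i, n in enumerate(trace):
        if n.fn in DESTRUCTOR.values():
            fi[n.args[0][1]] = i
    return fi

def insert_call(trace, rng):
    """Insert a non-destructor call at a random position, wiring each object input
    to a producer that is still alive there; pair a new destructible object with a
    destructor placed somewhere after its creation."""
    fn = rng.choice([f for f in API if f not in DESTRUCTOR.values()])
    in_types, out = API[fn]
    pos = rng.randrange(len(trace) + 1)
    fi = free_index(trace)
    args = []
    for t in in_types:
        if t == "int":
            args.append(("lit", rng.randrange(-8, 256)))
        else:
            live = [j for j in range(pos)
                    if out_type(trace[j]) == t and fi.get(j, len(trace)) >= pos]
            if not live:
                return False  # no live producer of this type here; skip mutation
            args.append(("ref", rng.choice(live)))
    shift(trace, pos)
    trace.insert(pos, Node(fn, args))
    if out in DESTRUCTOR:
        fpos = rng.randrange(pos + 1, len(trace) + 1)
        shift(trace, fpos)
        trace.insert(fpos, Node(DESTRUCTOR[out], [("ref", pos)]))
    return True

def remove_call(trace, rng):
    """Remove a random non-destructor call and, transitively, every call that
    consumed its output (including its destructor), then renumber edges."""
    cands = [i for i, n in enumerate(trace) if n.fn not in DESTRUCTOR.values()]
    if not cands:
        return False
    dead = {rng.choice(cands)}
    for i, n in enumerate(trace):  # consumers come after producers, so one pass suffices
        if any(kd == "ref" and v in dead for kd, v in n.args):
            dead.add(i)
    keep = [i for i in range(len(trace)) if i not in dead]
    remap = {old: new for new, old in enumerate(keep)}
    trace[:] = [Node(trace[i].fn, [("ref", remap[v]) if kd == "ref" else (kd, v)
                                   for kd, v in trace[i].args]) for i in keep]
    return True

def mutate_literal(trace, rng):
    """Data-level mutation: replace one integer literal with a boundary-ish value."""
    lits = [(i, a) for i, n in enumerate(trace) for a, (kd, _) in enumerate(n.args) if kd == "lit"]
    if not lits:
        return False
    i, a = rng.choice(lits)
    trace[i].args[a] = ("lit", rng.choice([0, -1, 2**31 - 1, rng.randrange(256)]))
    return True

def mutate(trace, rng, rounds=20):
    for _ in range(rounds):
        rng.choice([insert_call, insert_call, remove_call, mutate_literal])(trace, rng)
    return trace

def render(trace):
    """Emit the trace as C-like harness source, one statement per node."""
    lines = []
    for i, n in enumerate(trace):
        args = ", ".join(f"v{v}" if kd == "ref" else str(v) for kd, v in n.args)
        lhs = f"{out_type(n)} v{i} = " if out_type(n) else ""
        lines.append(f"{lhs}{n.fn}({args});")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(mutate([], random.Random(1), 30)))
```

The point of the sketch is that the mutators consult `free_index` before wiring an edge, so every generated trace is a legal program of the toy API; a mutator that simply spliced calls into a flat sequence would produce use-after-free and leak traces that waste fuzzing time on crashes in the harness rather than in the library.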