ASE2025
GUIFuzz++: Unleashing Grey-box Fuzzing on Desktop Graphical User Interfacing Applications
Dillon Otto, Tanner Rowlett, Stefan Nagy
Abstract
Desktop applications represent one of today's largest software ecosystems, accounting for over 96% of workplace computing and supporting essential operations across critical sectors such as healthcare, commerce, industry, and government. Though modern software is increasingly being vetted through fuzzing, an automated testing technique for large-scale bug discovery, a major component of desktop applications remains universally under-vetted: the Graphical User Interface (GUI). Existing desktop-based fuzzers like AFL++ and libFuzzer are limited to non-GUI interfaces (e.g., file- or buffer-based inputs), rendering them wholly incompatible with GUIs. Conversely, mobile app GUI fuzzers like Android's Monkey and iOS's XCMonkey rely on platform-specific SDKs and event handling, rendering them fundamentally unportable to the broader, more complex landscape of desktop software. For these reasons, desktop GUI code remains largely under-tested, burdening users with numerous GUI-induced errors that should, in principle, be just as discoverable as any other well-fuzzed class of software bugs.

This paper introduces GUIFuzz++: the first general-purpose fuzzer for desktop GUI software. Unlike desktop fuzzers that randomly mutate file- or buffer-based inputs, GUIFuzz++ exclusively targets GUI interactions (clicks, scrolls, key presses, window navigation, and more) to uncover complex event sequences that trigger GUI-induced program errors. Central to our approach is a novel GUI Interaction Interpreter: a middle layer that translates fuzzer-generated random inputs into distinct GUI operations, enabling successful non-GUI fuzzers like AFL++ to be easily ported to testing GUIs. Beyond supporting today's most popular GUI development frameworks like Qt, GTK, and Xorg, we introduce a suite of enhancements capitalizing on ubiquitous Software Accessibility Technologies, significantly boosting GUI fuzzing precision as well as GUI bug-finding effectiveness.

We integrate GUIFuzz++ as a prototype atop the state-of-the-art GUI-agnostic fuzzer AFL++, and perform a large-scale ablation study of its fundamental components and enhancements. In an evaluation across 12 popular, real-world GUI applications, GUIFuzz++ uncovers 23 previously unknown GUI-induced bugs, with 14 thus far confirmed or fixed by developers.
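To make the "middle layer" idea concrete, the following is an added illustration (not GUIFuzz++'s own code, and not taken from the paper) of what a GUI Interaction Interpreter has to do: consume an arbitrary byte buffer of the kind AFL++ produces and map it, totally and deterministically, onto a sequence of GUI operations, so that any mutation yields a valid interaction sequence and a crashing input replays to exactly the same events. The opcode layout, the 800x600 window size, the key and navigation tables, and the use of xdotool as the event backend are all assumptions made for this example; the truncated-operand handling shows the one edge case such a decoder must get right, since fuzzers routinely produce inputs that end mid-record.

```python
"""Illustrative GUI interaction interpreter (added example, not GUIFuzz++ code).

Decodes a fuzzer-generated byte buffer into a deterministic sequence of GUI
operations and renders them as xdotool commands.  The opcode layout, window
size, key table and navigation keybindings are assumptions for this example.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

WINDOW_W, WINDOW_H = 800, 600          # assumed size of the target window

# Operation kinds, selected by the low bits of each opcode byte.
OP_KINDS = ("click", "scroll", "key", "nav")
BUTTONS = ("left", "middle", "right")  # X11 pointer buttons 1, 2, 3
KEYS = ("Tab", "Return", "Escape", "space", "BackSpace",
        "Up", "Down", "Left", "Right") + tuple("abc0123")
NAVS = ("next_window", "close_window", "open_menu")
SCROLL_MAX = 10                        # clamp wheel magnitude per operation


@dataclass(frozen=True)
class GuiOp:
    kind: str
    args: Tuple


def decode(buf: bytes) -> List[GuiOp]:
    """Translate raw fuzzer bytes into GUI operations.

    The mapping is total (every byte value selects something valid) and
    deterministic, so a crashing input replays to the same event sequence.
    A truncated trailing operand ends decoding instead of being guessed.
    """
    ops: List[GuiOp] = []
    i, n = 0, len(buf)
    while i < n:
        kind = OP_KINDS[buf[i] % len(OP_KINDS)]
        i += 1
        if kind == "click":            # operands: button u8, x u16, y u16
            if i + 5 > n:
                break
            button = BUTTONS[buf[i] % len(BUTTONS)]
            x, y = struct.unpack_from("<HH", buf, i + 1)
            i += 5
            ops.append(GuiOp("click", (x % WINDOW_W, y % WINDOW_H, button)))
        elif kind == "scroll":         # operand: signed i8 wheel delta
            if i + 1 > n:
                break
            delta = struct.unpack_from("<b", buf, i)[0]
            i += 1
            if delta == 0:
                continue               # a zero-delta scroll is a no-op
            delta = max(-SCROLL_MAX, min(SCROLL_MAX, delta))
            ops.append(GuiOp("scroll", (delta,)))
        elif kind == "key":            # operand: u8 index into the key table
            if i + 1 > n:
                break
            ops.append(GuiOp("key", (KEYS[buf[i] % len(KEYS)],)))
            i += 1
        else:                          # nav: u8 index into the navigation table
            if i + 1 > n:
                break
            ops.append(GuiOp("nav", (NAVS[buf[i] % len(NAVS)],)))
            i += 1
    return ops


def to_xdotool(ops: List[GuiOp]) -> List[str]:
    """Render operations as xdotool commands for an X11 target.

    Navigation actions assume conventional desktop keybindings (Alt+Tab,
    Alt+F4, F10); adjust them for the window manager under test.
    """
    nav_keys = {"next_window": "alt+Tab", "close_window": "alt+F4",
                "open_menu": "F10"}
    cmds = []
    for op in ops:
        if op.kind == "click":
            x, y, button = op.args
            cmds.append(f"xdotool mousemove {x} {y} click {BUTTONS.index(button) + 1}")
        elif op.kind == "scroll":
            delta = op.args[0]         # wheel up is button 4, wheel down is 5
            cmds.append(f"xdotool click --repeat {abs(delta)} {4 if delta > 0 else 5}")
        elif op.kind == "key":
            cmds.append(f"xdotool key {op.args[0]}")
        else:
            cmds.append(f"xdotool key {nav_keys[op.args[0]]}")
    return cmds


# Constructed sample input standing in for one AFL++ test case.
SAMPLE = bytes([0x00, 0x00, 0x58, 0x02, 0x2C, 0x01,   # left click at (600, 300)
                0x05, 0xFD,                           # scroll -3
                0x02, 0x01,                           # key Return
                0x03, 0x02,                           # nav open_menu
                0x00, 0x10, 0x20])                    # truncated click: dropped

if __name__ == "__main__":
    for cmd in to_xdotool(decode(SAMPLE)):
        print(cmd)
```

Two properties matter more than the particular opcode layout. First, the decoder never rejects an input: modular indexing and coordinate wrapping mean every mutation AFL++ produces is a valid interaction script, so no fuzzing effort is wasted on "invalid" bytes. Second, the decoding is a pure function of the buffer, which is what makes a crash reproducible from the saved test case and lets standard minimizers shrink the byte buffer (and therefore the event sequence) to the shortest sequence that still triggers the bug.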