Implementation Details

The main fuzzer logic of Cerebro is written in Rust, a fast native programming language.

The reasons for writing our own fuzzer (framework) rather than basing it on AFL are:

  • AFL is compact and solid, but also hard to modify.
  • The language features of Rust let us introduce abstractions that make the fuzzer more modular and easier to extend.

Cerebro focuses on the logic of the fuzzer rather than on static analysis.

The connection to the static analysis is therefore designed for ease of extension and modification.

In the actual implementation, the fuzzer accepts a JSON file containing the calculated complexity score and the initial potential score of every function.

On the right-hand side is a snippet of the JSON score file for mjs.

We can see from the snippet that each function is assigned a unique ID.

The file and func properties are for readability and are not used by the fuzzer.

The bonus_map property keeps the bonus scores that the current function brings to its predecessors.

The score property keeps the complexity score.

The dyn_score property keeps the initial potential score of the current function, contributed by its successors.
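As an added example (not code from the Cerebro project, whose fuzzer is written in Rust), the following Python loader reads a score file of the kind described above, validates it, and cross-checks the scores. The file layout (a JSON object keyed by function ID) and the check that dyn_score equals the sum of the bonuses its successors record for it are assumptions, since the text does not state either; the sample input is constructed.

```python
import json

# Constructed sample (not from the Cerebro project). Assumed layout: an object
# keyed by function ID; bonus_map maps predecessor ID -> bonus for that predecessor.
SAMPLE_SCORE_FILE = """{
  "0": {"file": "mjs.c", "func": "mjs_exec", "score": 12.0, "dyn_score": 7.5, "bonus_map": {}},
  "1": {"file": "mjs.c", "func": "parse_stmt", "score": 9.0, "dyn_score": 3.0, "bonus_map": {"0": 4.5}},
  "2": {"file": "mjs.c", "func": "parse_expr", "score": 6.0, "dyn_score": 0.0, "bonus_map": {"0": 3.0, "1": 3.0}}
}"""
REQUIRED = ("score", "dyn_score", "bonus_map")

def _reject_duplicate_keys(pairs):
    # json.loads silently keeps the last duplicate key; two entries must
    # never share a function ID, so fail loudly instead.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def validate(functions):
    # Every entry needs the scoring fields, and every bonus_map target must be
    # a known function ID. file/func are informational and are not checked.
    for fid, entry in functions.items():
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            raise ValueError(f"function {fid}: missing {missing}")
        for pred in entry["bonus_map"]:
            if pred not in functions:
                raise ValueError(f"function {fid}: unknown predecessor {pred}")
    return functions

def load_score_file(text):
    return validate(json.loads(text, object_pairs_hook=_reject_duplicate_keys))

def bonus_from_successors(functions):
    # Per function, sum the bonus that each successor's bonus_map assigns to it.
    totals = {fid: 0.0 for fid in functions}
    for entry in functions.values():
        for pred, bonus in entry["bonus_map"].items():
            totals[pred] += bonus
    return totals

def dyn_score_mismatches(functions):
    # IDs whose dyn_score is not the summed successor bonus. Assumed rule: the
    # text only says dyn_score is contributed by the function's successors.
    totals = bonus_from_successors(functions)
    return sorted(f for f, e in functions.items()
                  if abs(e["dyn_score"] - totals[f]) > 1e-9)
```

A non-empty result from dyn_score_mismatches points at a score file whose dyn_score values were not regenerated after bonus_map changed, which is worth catching before a long fuzzing campaign starts from stale priorities.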