FAQs

Q: What is the relation between Hawkeye and other fuzzing techniques?

A: The existing fuzzing techniques (see the embedded table below) mainly focus on increasing code coverage rather than directing the fuzzing procedure to specific target sites. This means that these techniques frequently miss the program's target sites because they are busy exploring other functions and branches in the program, so comparing them directly with DGF is unfair. SemFuzz theoretically has the ability to do directed fuzzing in a taint-style way by detecting suspicious vulnerabilities; however, its scenarios are mostly kernel fuzzing for now, and it is based on syzkaller. VUzzer is another taint-style fuzzing tool; it works on binaries, and binary-instrumentation fuzzing is known to be slower than source-code-instrumentation fuzzing. In the experiment, we use AFL as the baseline since all the tools (AFLGo, HE-Go, and Hawkeye) are inspired by AFL. Despite that, static-analysis-enhanced fuzzing techniques such as CollAFL, Orthrus, and Skyfire can be integrated into Hawkeye; the context-sensitive instrumentation and the taint-style bookkeeping in Angora and Steelix can also be implemented additionally in Hawkeye.
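To make the coverage-versus-direction contrast concrete, here is an added illustration (constructed for this FAQ, not Hawkeye's or AFLGo's own code): a toy program graph with one target site, a coverage-guided seed pick that rewards new edges, and a directed pick that rewards a small distance to the target. The graph, the seed traces and the mean-distance metric are assumptions chosen for the illustration.

```python
from collections import deque

# Constructed call/control-flow graph of a toy program: node -> successors.
# The target site "t" is reachable only via main -> f -> g -> t; the parser
# subgraph (parse, p1, p2, p3) never reaches it.
GRAPH = {
    "main": ["parse", "f"],
    "parse": ["p1", "p2", "p3"],
    "p1": ["p2"], "p2": ["p3"], "p3": [],
    "f": ["g"], "g": ["t"], "t": [],
}

def distances_to_target(graph, target):
    """Shortest distance (in edges) from each node to `target`: BFS on the reversed graph."""
    rev = {n: [] for n in graph}
    for n, succs in graph.items():
        for s in succs:
            rev[s].append(n)
    dist = {target: 0}
    q = deque([target])
    while q:
        n = q.popleft()
        for p in rev[n]:
            if p not in dist:
                dist[p] = dist[n] + 1
                q.append(p)
    return dist  # nodes that cannot reach the target are absent

def seed_distance(trace, dist):
    """Mean distance of the executed nodes that can reach the target (assumed metric)."""
    d = [dist[n] for n in trace if n in dist]
    return sum(d) / len(d) if d else float("inf")

def coverage_guided_pick(seeds, seen_edges):
    """Pick the seed that adds the most unseen edges; the target plays no role."""
    def novelty(trace):
        return len(set(zip(trace, trace[1:])) - seen_edges)
    return max(seeds, key=lambda s: novelty(seeds[s]))

def directed_pick(seeds, dist):
    """Pick the seed whose trace lies closest to the target site."""
    return min(seeds, key=lambda s: seed_distance(seeds[s], dist))

# Constructed seed traces: seed A explores the parser (many new edges, no path
# to the target); seed B covers less but already sits on the path to "t".
SEEDS = {
    "A": ["main", "parse", "p1", "p2", "p3"],
    "B": ["main", "f"],
}
```

A coverage-guided scheduler keeps preferring seed A because it brings more new edges, while the directed scheduler prefers seed B, which is what lets DGF reach the target site without first exhausting the parser.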

Q: Where is the description of the underlying FOT framework?

A: See https://sites.google.com/view/fot-the-fuzzer for details.

Comparison of Fuzzers