Grammar-aware test case trimming for efficient hybrid fuzzing

In recent years, hybrid fuzzing has garnered significant attention by combining the benefits of both fuzzing and concolic execution. However, existing hybrid fuzzing techniques face problems such as the performance overhead of concolic execution and low code coverage in real-world programs. In this study, we observed that concolic execution often falls into repetitive loop structures when analyzing inputs generated by fuzzing, leading to the construction of redundant constraint expressions, which severely impacts its efficiency. Based on this observation, we design a test case trimming approach to remove input fields related to repetitive loop structures. We propose a lightweight taint analysis technique to infer input’s grammatical structure and construct a hierarchical grammar tree. Then, through delta debugging, we identify nodes that do not affect the code coverage and remove the corresponding input fields. We implement a prototype ScissorFuzz. Experimental results show that our approach brings an average of 8.2% improvement in code coverage and triggers 115 more crashes compared to the state-of-the-art hybrid fuzzing technique QSYM. By eliminating redundant fields, our approach reduces the resource and time overhead associated with concolic execution during input processing, thereby enhancing the efficiency of hybrid fuzzing.