{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T02:14:13Z","timestamp":1775873653313,"version":"3.50.1"},"reference-count":62,"publisher":"Association for Computing Machinery (ACM)","issue":"ISSTA","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2025,6,22]]},"abstract":"Fuzzing is a popular software testing technique for discovering vulnerabilities. A central problem in fuzzing is identifying hot bytes that can influence program behavior. Taint analysis can track the data flow of hot bytes in a white-box fashion, but it often suffers from stability issues and cannot run on large real-world programs. Fuzzing-Driven Taint Inference (FTI) is a simple black-box technique to track hot bytes for fuzzing. It monitors the dynamic program behaviors of program execution instances and further infers hot bytes in a black-box fashion. However, this method requires additional O(N) program executions and incurs a large runtime overhead.<\/jats:p>\n We observe that a widely used mutation scheme in fuzzing--havoc mode can be adapted into a lightweight FTI with zero additional program execution. In this work, we first present a computational model of the havoc mode that formally describes its mutation process. Based on this model, we show that the havoc mode can simultaneously launch FTI while generating and executing new testcases. Further, we propose a novel FTI called ZTaint-Havoc that doesn't need any additional program execution. ZTaint-Havoc incurs minimal instrumentation overhead of 3.84% on UniBench and 12.58% on FuzzBench, respectively. In the end, we give an effective mutation algorithm using the hot bytes identified by ZTaint-Havoc.<\/jats:p>\n We conduct a comprehensive evaluation to investigate the computational model of havoc mode. Our evaluation result justifies that it is feasible to adapt the havoc mode to an efficient FTI without any additional program execution. We further implement our approach as a prototype ZTaint-Havoc based on the havoc mode of AFL++. We evaluate ZTaint-Havoc on two fuzzing datasets FuzzBench and UniBench. Our extensive evaluation results show that ZTaint-Havoc improves edge coverage by up to 33.71% on FuzzBench and 51.12% on UniBench over vanilla AFL++, with average improvements of 2.97% and 6.12% respectively, in 24-hour campaigns.<\/jats:p>","DOI":"10.1145\/3728916","type":"journal-article","created":{"date-parts":[[2025,6,22]],"date-time":"2025-06-22T10:52:56Z","timestamp":1750589576000},"page":"917-939","source":"Crossref","is-referenced-by-count":2,"title":["ZTaint-Havoc: From Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-0436-8183","authenticated-orcid":false,"given":"Yuchong","family":"Xie","sequence":"first","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-5231-7736","authenticated-orcid":false,"given":"Wenhui","family":"Zhang","sequence":"additional","affiliation":[{"name":"Hunan University, Changsha, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6655-0468","authenticated-orcid":false,"given":"Dongdong","family":"She","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]}],"member":"320","published-online":{"date-parts":[[2025,6,22]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2023. SBST\u201923 Fuzzing Competition (C\/C++ Programs) Report. https:\/\/storage.googleapis.com\/www.fuzzbench.com\/reports\/experimental\/SBFT23\/Final-Coverage\/index.html"},{"key":"e_1_2_1_2_1","unstructured":"2024. a library for coverage-guided fuzz testing. https:\/\/llvm.org\/docs\/LibFuzzer.html"},{"key":"e_1_2_1_3_1","volume-title":"Evaluation report of aflpp on the Fuzzbench dataset. (May 28","year":"2024","unstructured":"2024. Evaluation report of aflpp on the Fuzzbench dataset. (May 28 2024). https:\/\/www.fuzzbench.com\/reports\/experimental\/2024-05-28-aflpp\/index.html"},{"key":"e_1_2_1_4_1","unstructured":"2025. SBST\u201925 Fuzzing Competition. https:\/\/sbft25.github.io\/tools\/fuzzing"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985795"},{"key":"e_1_2_1_6_1","volume-title":"REDQUEEN: Fuzzing with Input-to-State Correspondence.. In NDSS.","author":"Aschermann Cornelius","year":"2019","unstructured":"Cornelius Aschermann, Sergej Schumilo, Tim Blazytko, Robert Gawlik, and Thorsten Holz. 2019. REDQUEEN: Fuzzing with Input-to-State Correspondence.. In NDSS."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST53961.2022.00039"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510230"},{"key":"e_1_2_1_11_1","volume-title":"2018 IEEE Symposium on Security and Privacy (SP).","author":"Chen Peng","year":"2018","unstructured":"Peng Chen and Hao Chen. 2018. Angora: Efficient fuzzing by principled search. In 2018 IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363225"},{"key":"e_1_2_1_13_1","volume-title":"Towards Smart Contract Fuzzing on GPU. In IEEE Symposium on Security and Privacy (SP). 1\u201315","author":"Chen Weimin","year":"2024","unstructured":"Weimin Chen, Xiapu Luo, Haipeng Cai, and Haoyu Wang. 2024. Towards Smart Contract Fuzzing on GPU. In IEEE Symposium on Security and Privacy (SP). 1\u201315."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00082"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678888"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598067"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3623343"},{"key":"e_1_2_1_18_1","volume-title":"14th USENIX Workshop on Offensive Technologies (WOOT 20)","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00df feldt, and Marc Heuse. 2020. $AFL++$: Combining incremental steps of fuzzing research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20)."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 1051\u20131065","author":"Fioraldi Andrea","year":"2022","unstructured":"Andrea Fioraldi, Dominik Christian Maier, Dongjia Zhang, and Davide Balzarotti. 2022. Libafl: A framework to build modular and reusable fuzzers. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 1051\u20131065."},{"key":"e_1_2_1_20_1","volume-title":"29th USENIX security symposium (USENIX Security 20). 2577\u20132594.","author":"Gan Shuitao","unstructured":"Shuitao Gan, Chao Zhang, Peng Chen, Bodong Zhao, Xiaojun Qin, Dong Wu, and Zuoning Chen. 2020. $GREYONE$: Data flow sensitive fuzzing. In 29th USENIX security symposium (USENIX Security 20). 2577\u20132594."},{"key":"e_1_2_1_21_1","volume-title":"Error detecting and error correcting codes. The Bell system technical journal, 29, 2","author":"Hamming Richard W","year":"1950","unstructured":"Richard W Hamming. 1950. Error detecting and error correcting codes. The Bell system technical journal, 29, 2 (1950), 147\u2013160."},{"key":"e_1_2_1_22_1","volume-title":"2022 IEEE Symposium on Security and Privacy (SP). 36\u201350","author":"Huang Heqing","year":"2022","unstructured":"Heqing Huang, Yiyuan Guo, Qingkai Shi, Peisen Yao, Rongxin Wu, and Charles Zhang. 2022. Beacon: Directed grey-box fuzzing with provable path pruning. In 2022 IEEE Symposium on Security and Privacy (SP). 36\u201350."},{"key":"e_1_2_1_23_1","volume-title":"Titan: Efficient Multi-target Directed Greybox Fuzzing. In 2024 IEEE Symposium on Security and Privacy (SP). 59\u201359","author":"Huang Heqing","year":"2023","unstructured":"Heqing Huang, Peisen Yao, Hung-Chun Chiu, Yiyuan Guo, and Charles Zhang. 2023. Titan: Efficient Multi-target Directed Greybox Fuzzing. In 2024 IEEE Symposium on Security and Privacy (SP). 59\u201359."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00063"},{"key":"e_1_2_1_25_1","volume-title":"DARWIN: Survival of the Fittest Fuzzing Mutators. arXiv preprint arXiv:2210.11783.","author":"Jauernig Patrick","year":"2022","unstructured":"Patrick Jauernig, Domagoj Jakobovic, Stjepan Picek, Emmanuel Stapf, and Ahmad-Reza Sadeghi. 2022. DARWIN: Survival of the Fittest Fuzzing Mutators. arXiv preprint arXiv:2210.11783."},{"key":"e_1_2_1_26_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Kim Tae Eun","year":"2023","unstructured":"Tae Eun Kim, Jaeseung Choi, Kihong Heo, and Sang Kil Cha. 2023. $DAFL$: Directed Grey-box Fuzzing guided by Data Dependency. In 32nd USENIX Security Symposium (USENIX Security 23). 4931\u20134948."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"e_1_2_1_28_1","unstructured":"Vladimir I Levenshtein. 1966. Binary codes capable of correcting deletions insertions and reversals. In Soviet physics doklady. 10 707\u2013710."},{"key":"e_1_2_1_29_1","volume-title":"PolyFuzz: Holistic Greybox Fuzzing of Multi-Language Systems. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Li Wen","year":"2023","unstructured":"Wen Li, Jinyang Ruan, Guangbei Yi, Long Cheng, Xiapu Luo, and Haipeng Cai. 2023. PolyFuzz: Holistic Greybox Fuzzing of Multi-Language Systems. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA. 1379\u20131396. isbn:978-1-939133-37-3 https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/li-wen (artifact evaluated; badges: Available)"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623166"},{"key":"e_1_2_1_31_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Li Yuwei","year":"2021","unstructured":"Yuwei Li, Shouling Ji, Yuan Chen, Sizhuang Liang, Wei-Han Lee, Yueyao Chen, Chenyang Lyu, Chunming Wu, Raheem Beyah, and Peng Cheng. 2021. $UniBench$: A holistic and pragmatic $Metrics-Driven$ platform for evaluating fuzzers. In 30th USENIX Security Symposium (USENIX Security 21). 2777\u20132794."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833594"},{"key":"e_1_2_1_33_1","doi-asserted-by":"crossref","unstructured":"Dongge Liu Jonathan Metzman Marcel B\u00f6hme Oliver Chang and Abhishek Arya. 2023. SBFT Tool Competition 2023\u2013Fuzzing Track. arXiv preprint arXiv:2304.10070.","DOI":"10.1109\/SBFT59156.2023.00016"},{"key":"e_1_2_1_34_1","volume-title":"VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual Device. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 1676\u20131687","author":"Liu Yuwei","year":"2023","unstructured":"Yuwei Liu, Siqi Chen, Yuchong Xie, Yanhao Wang, Libo Chen, Bin Wang, Yingming Zeng, Zhi Xue, and Purui Su. 2023. VD-Guard: DMA Guided Fuzzing for Hypervisor Virtual Device. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 1676\u20131687."},{"key":"e_1_2_1_35_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Lyu Chenyang","year":"2019","unstructured":"Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song, and Raheem Beyah. 2019. $MOPT$: Optimized mutation scheduling for fuzzers. In 28th USENIX Security Symposium (USENIX Security 19)."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3473932"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00056"},{"key":"e_1_2_1_38_1","first-page":"1","article-title":"VUzzer: Application-aware evolutionary fuzzing","volume":"17","author":"Rawat Sanjay","year":"2017","unstructured":"Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. VUzzer: Application-aware evolutionary fuzzing.. In NDSS. 17, 1\u201314.","journal-title":"NDSS."},{"key":"e_1_2_1_39_1","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2595\u20132609","author":"Shah Abhishek","year":"2022","unstructured":"Abhishek Shah, Dongdong She, Samanway Sadhu, Krish Singal, Peter Coffman, and Suman Jana. 2022. MC2: Rigorous and Efficient Directed Greybox Fuzzing. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2595\u20132609."},{"key":"e_1_2_1_40_1","volume-title":"Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis. 2022 IEEE Symposium on Security and Privacy (SP), 2194\u20132211","author":"She Dongdong","year":"2022","unstructured":"Dongdong She, Abhishek Shah, and Suman Jana. 2022. Effective Seed Scheduling for Fuzzing with Graph Centrality Analysis. 2022 IEEE Symposium on Security and Privacy (SP), 2194\u20132211."},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 765\u2013779","author":"She Dongdong","year":"2024","unstructured":"Dongdong She, Adam Storek, Yuchong Xie, Seoyoung Kweon, Prashast Srivastava, and Suman Jana. 2024. Fox: Coverage-guided fuzzing as online stochastic control. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 765\u2013779."},{"key":"e_1_2_1_42_1","first-page":"1","article-title":"Driller: Augmenting fuzzing through selective symbolic execution","volume":"16","author":"Stephens Nick","year":"2016","unstructured":"Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution.. In NDSS. 16, 1\u201316.","journal-title":"NDSS."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560429"},{"key":"e_1_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Jinghan Wang Chengyu Song and Heng Yin. 2021. Reinforcement learning-based hierarchical seed scheduling for greybox fuzzing.","DOI":"10.14722\/ndss.2021.24486"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3183440.3183494"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115645"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.37"},{"key":"e_1_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Yanhao Wang Xiangkun Jia Yuwei Liu Kyle Zeng Tiffany Bao Dinghao Wu and Purui Su. 2020. Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization.. In NDSS.","DOI":"10.14722\/ndss.2020.24422"},{"key":"e_1_2_1_49_1","unstructured":"Eric W. Weisstein. [n. d.]. Vector Norm. From MathWorld\u2013A Wolfram Web Resource. https:\/\/mathworld.wolfram.com\/VectorNorm.html"},{"key":"e_1_2_1_50_1","volume-title":"ConFuzz: Towards Large Scale Fuzz Testing of Smart Contracts in Ethereum. In IEEE INFOCOM 2024-IEEE Conference on Computer Communications. 1691\u20131700","author":"Wong Taiyu","year":"2024","unstructured":"Taiyu Wong, Chao Zhang, Yuandong Ni, Mingsen Luo, HeYing Chen, Yufei Yu, Weilin Li, Xiapu Luo, and Haoyu Wang. 2024. ConFuzz: Towards Large Scale Fuzz Testing of Smart Contracts in Ethereum. In IEEE INFOCOM 2024-IEEE Conference on Computer Communications. 1691\u20131700."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510174"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3639152"},{"key":"e_1_2_1_53_1","volume-title":"Michael Pradel, and Lingming Zhang.","author":"Xia Chunqiu Steven","year":"2023","unstructured":"Chunqiu Steven Xia, Matteo Paltenghi, Jia Le Tian, Michael Pradel, and Lingming Zhang. 2023. Universal fuzzing via large language models. arXiv preprint arXiv:2308.04748."},{"key":"e_1_2_1_54_1","volume-title":"Proceedings of the 18th ACM\/IEEE International Workshop on Search-Based and Fuzz Testing.","author":"Xie Yuchong","year":"2025","unstructured":"Yuchong Xie, Yu Liu, Zhibo He, Rundong Yang, Jin Wei, and Dongdong She. 2025. HFuzz: Havoc Mode Guided Fuzzing. In Proceedings of the 18th ACM\/IEEE International Workshop on Search-Based and Fuzz Testing."},{"key":"e_1_2_1_55_1","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). 1174\u20131186","author":"Yang Chenyuan","year":"2023","unstructured":"Chenyuan Yang, Yinlin Deng, Jiayi Yao, Yuxing Tu, Hanchi Li, and Lingming Zhang. 2023. Fuzzing automatic differentiation in deep-learning libraries. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). 1174\u20131186."},{"key":"e_1_2_1_56_1","volume-title":"2019 IEEE symposium on security and privacy (SP). 769\u2013786","author":"You Wei","year":"2019","unstructured":"Wei You, Xueqiang Wang, Shiqing Ma, Jianjun Huang, Xiangyu Zhang, XiaoFeng Wang, and Bin Liang. 2019. Profuzzer: On-the-fly input type probing for better zero-day vulnerability discovery. In 2019 IEEE symposium on security and privacy (SP). 769\u2013786."},{"key":"e_1_2_1_57_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Yun Insu","year":"2018","unstructured":"Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. $QSYM$: A practical concolic execution engine tailored for hybrid fuzzing. In 27th USENIX Security Symposium (USENIX Security 18). 745\u2013761."},{"key":"e_1_2_1_58_1","unstructured":"Micha\u0142 Zalewski. [n. d.]. American Fuzz Lop. https:\/\/github.com\/google\/AFL"},{"key":"e_1_2_1_59_1","unstructured":"Kunpeng Zhang Zongjie Li Daoyuan Wu Shuai Wang and Xin Xia. 2025. Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators. arXiv preprint arXiv:2501.19282."},{"key":"e_1_2_1_60_1","volume-title":"Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models. In 2025 IEEE\/ACM 47th International Conference on Software Engineering (ICSE). 508\u2013520","author":"Zhang Kunpeng","year":"2024","unstructured":"Kunpeng Zhang, Shuai Wang, Jitao Han, Xiaogang Zhu, Xian Li, Shaohua Wang, and Sheng Wen. 2024. Your Fix Is My Exploit: Enabling Comprehensive DL Library API Fuzzing with Large Language Models. In 2025 IEEE\/ACM 47th International Conference on Software Engineering (ICSE). 508\u2013520."},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510063"},{"key":"e_1_2_1_62_1","volume-title":"SHAPFUZZ: Efficient Fuzzing via Shapley-Guided Byte Selection. arXiv preprint arXiv:2308.09239.","author":"Zhang Kunpeng","year":"2023","unstructured":"Kunpeng Zhang, Xiaogang Zhu, Xi Xiao, Minhui Xue, Chao Zhang, and Sheng Wen. 2023. SHAPFUZZ: Efficient Fuzzing via Shapley-Guided Byte Selection. arXiv preprint arXiv:2308.09239."}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3728916","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,16]],"date-time":"2025-07-16T16:55:04Z","timestamp":1752684904000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3728916"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,22]]},"references-count":62,"journal-issue":{"issue":"ISSTA","published-print":{"date-parts":[[2025,6,22]]}},"alternative-id":["10.1145\/3728916"],"URL":"https:\/\/doi.org\/10.1145\/3728916","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,22]]}}}