{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,22]],"date-time":"2026-01-22T08:04:21Z","timestamp":1769069061786,"version":"3.49.0"},"reference-count":69,"publisher":"Association for Computing Machinery (ACM)","issue":"2","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2026,2,28]]},"abstract":"Runtime feedback is at the heart of efficient greybox fuzzing, and the collection of runtime feedback is the most important infrastructure for greybox fuzzing. However, existing fuzzers have difficulty collecting runtime feedback for the memory, which is the most important and vulnerable component of a running program. The operating system does not support associative queries between arbitrary pointers and runtime objects. Therefore, existing works only capture aggregate statistics (e.g., memory usage) or random quantities (e.g., the random addresses stored in pointers) to provide low-precision memory-related feedback.<\/jats:p>\n \n This article presents\n Spinel<\/jats:sc>\n , a greybox fuzzer equipped with a brand-new infrastructure for memory feedback collection. It introduces an almost zero-overhead runtime system for associating arbitrary pointers with the corresponding runtime objects and offers spatial distance information as memory-related fuzzing feedback. To avoid introducing accumulated overhead upon silent error detectors (e.g., sanitizers that are used to detect memory safety violations), we introduce the post-execution validation technique to remove the expensive runtime safety checks while maintaining the same error detection ability. Our experiments on 33 real-world programs show that\n Spinel<\/jats:sc>\n detects 1.30\u00d7\u20132.33\u00d7 unique bugs compared to state-of-the-art fuzzers. Furthermore, according to the restricted mean survival time,\n Spinel<\/jats:sc>\n achieves 1.56\u00d7\u20138.21\u00d7 speed up in triggering ground-truth bugs collected by the Magma benchmark.\n <\/jats:p>","DOI":"10.1145\/3730580","type":"journal-article","created":{"date-parts":[[2025,4,18]],"date-time":"2025-04-18T10:41:21Z","timestamp":1744972881000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Efficient Fuzzing Infrastructure for Pointer-to-Object Association"],"prefix":"10.1145","volume":"35","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5093-8262","authenticated-orcid":false,"given":"Hao","family":"Ling","sequence":"first","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5328-3994","authenticated-orcid":false,"given":"Heqing","family":"Huang","sequence":"additional","affiliation":[{"name":"City University of Hong Kong, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6340-1416","authenticated-orcid":false,"given":"Yuandao","family":"Cai","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6417-1034","authenticated-orcid":false,"given":"Charles","family":"Zhang","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology, Hong Kong, China"}]}],"member":"320","published-online":{"date-parts":[[2026,1,21]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"Android. n.\u2009d. HWASan ASan and KASAN. Retrieved from https:\/\/source.android.com\/docs\/security\/test\/memory-safety\/hwasan-asan-kasan"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23371"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3561161"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510230"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00046"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00002"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2019.00015"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00009"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3385412.3385972"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3192366.3192388"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/JAS.2022.105860"},{"key":"e_1_3_2_14_2","first-page":"2829","volume-title":"30th USENIX Security Symposium (USENIX Security \u201921). USENIX Association","author":"Fioraldi Andrea","year":"2021","unstructured":"Andrea Fioraldi, Daniele Cono D\u2019Elia, and Davide Balzarotti. 2021. The use of likely invariants as feedback for fuzzers. In 30th USENIX Security Symposium (USENIX Security \u201921). USENIX Association, 2829\u20132846. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/fioraldi"},{"key":"e_1_3_2_15_2","unstructured":"Andrea Fioraldi Dominik Maier Heiko Ei\u00dffeldt and Marc Heuse. 2020. AFL++ : Combining incremental steps of fuzzing research. In 14th USENIX Workshop on Offensive Technologies (WOOT \u201920). USENIX Association. Retrieved from https:\/\/www.usenix.org\/conference\/woot20\/presentation\/fioraldi"},{"key":"e_1_3_2_16_2","first-page":"2577","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association","author":"Gan Shuitao","year":"2020","unstructured":"Shuitao Gan, Chao Zhang, Peng Chen, Bodong Zhao, Xiaojun Qin, Dong Wu, and Zuoning Chen. 2020. GREYONE: Data flow sensitive fuzzing. In 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association, 2577\u20132594. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/gan"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE51524.2021.9678913"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/QRS51102.2020.00071"},{"key":"e_1_3_2_19_2","unstructured":"Google. 2018. Honggfuzz. Retrieved from https:\/\/honggfuzz.dev\/"},{"key":"e_1_3_2_20_2","unstructured":"Google. 2023. \\(\\{\\) ClusterFuzz \\(\\}\\) -scalable Fuzzing Infrastructure That Finds Security and Stability Issues in Software. Retrieved from https:\/\/github.com\/google\/clusterfuzz"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3428334"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1145\/3587156"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00063"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485364"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.2307\/2281868"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243804"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3190508.3190553"},{"key":"e_1_3_2_28_2","unstructured":"LafIntel. n.\u2009d. Circumventing Fuzzing Roadblocks with Compiler Transformations. Retrieved from https:\/\/lafintel.wordpress.com\/2016\/08\/15\/circumventing-fuzzing-roadblocks-with-compiler-transformations\/"},{"key":"e_1_3_2_29_2","unstructured":"Chris Arthur Lattner. 2002. LLVM: An Infrastructure for Multi-stage Optimization. Retrieved from http:\/\/llvm.org"},{"key":"e_1_3_2_30_2","unstructured":"Gwangmu Lee Woo-Jae Shim and Byoungyoung Lee. 2021. Constraint-guided directed greybox fuzzing. In USENIX Security Symposium. Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:235443322https:\/\/api.semanticscholar.org\/CorpusID:235443322"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238176"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3586027"},{"key":"e_1_3_2_33_2","unstructured":"Yuwei Li Shouling Ji Yuan Chen Sizhuang Liang Wei-Han Lee Yueyao Chen Chenyang Lyu Chunming Wu Raheem Beyah Peng Cheng et al. 2021. UNIFUZZ: A holistic and pragmatic metrics-driven platform for evaluating fuzzers. In 30th USENIX Security Symposium (USENIX Security \u201921). USENIX Association 2777\u20132794. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/li-yuwei"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560598"},{"key":"e_1_3_2_35_2","unstructured":"Linux Foundation. 2024. Perf Wiki. Retrieved from https:\/\/perf.wiki.kernel.org\/index.php\/Main_Page"},{"key":"e_1_3_2_36_2","unstructured":"LLVM. 2024. libFuzzer\u2014A Library for Coverage-guided Fuzz Testing. Retrieved from https:\/\/llvm.org\/docs\/LibFuzzer.html"},{"key":"e_1_3_2_37_2","unstructured":"Chenyang Lyu Shouling Ji Chao Zhang Yuwei Li Wei-Han Lee Yu Song and Raheem Beyah. 2019. MOPT: Optimized mutation scheduling for fuzzers. In 28th USENIX Security Symposium (USENIX Security \u201919). USENIX Association 1949\u20131966. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/lyu"},{"key":"e_1_3_2_38_2","unstructured":"Magma. 2021. Magma Bug Rename. Retrieved from https:\/\/github.com\/HexHive\/magma\/commit\/35eab0ee81000bf7167d780ddefffc51b3975d32"},{"key":"e_1_3_2_39_2","unstructured":"MAGMA. 2023. libfuzzer Does Not Work for Some Targets\/Programs. Retrieved from https:\/\/github.com\/HexHive\/magma\/issues\/146"},{"key":"e_1_3_2_40_2","unstructured":"mp4v2. 2023. Memory Leak in MP4BytesProperty. Retrieved from https:\/\/github.com\/enzo1982\/mp4v2\/issues\/36"},{"key":"e_1_3_2_41_2","unstructured":"mp4v2. 2023. Memory Leak in mp4file_io. Retrieved from https:\/\/github.com\/enzo1982\/mp4v2\/issues\/37"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250746"},{"key":"e_1_3_2_43_2","unstructured":"NIST. 2017. Software Assurance Reference Dataset. Retrieved from https:\/\/samate.nist.gov\/SARD\/test-suites"},{"key":"e_1_3_2_44_2","unstructured":"Sebastian \u00d6sterlund Kaveh Razavi Herbert Bos and Cristiano Giuffrida. 2020. ParmeSan: Sanitizer-guided greybox fuzzing. In 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association 2289\u20132306. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/osterlund"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/3360600"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3556946"},{"key":"e_1_3_2_47_2","unstructured":"LLVM Project. Undefined Behavior Sanitizer. Retrieved from https:\/\/clang.llvm.org\/docs\/UndefinedBehaviorSanitizer.html"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3702974"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/186025.186041"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00137"},{"key":"e_1_3_2_51_2","unstructured":"Kostya Serebryany. 2017. \\(\\{\\) OSS-Fuzz \\(\\}\\) -Google\u2019s Continuous Fuzzing Service for Open Source Software. Retrieved from https:\/\/github.com\/google\/oss-fuzz"},{"key":"e_1_3_2_52_2","first-page":"28","volume-title":"2012 USENIX Conference on Annual Technical Conference (USENIX ATC \u201912)","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: A fast address sanity checker. In 2012 USENIX Conference on Annual Technical Conference (USENIX ATC \u201912). USENIX Association, 28. DOI: https:\/\/dl.acm.org\/doi\/10.5555\/2342821.2342849"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00052"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2203.12064"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00010"},{"key":"e_1_3_2_56_2","unstructured":"The 2023 CWE Top 25 Team. 2023. 2023 CWE Top 25 Most Dangerous Software Weaknesses. Retrieved from https:\/\/cwe.mitre.org\/top25\/archive\/2023\/2023_kev_list.html"},{"key":"e_1_3_2_57_2","first-page":"1","volume-title":"22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID \u201919)","author":"Wang Jinghan","year":"2019","unstructured":"Jinghan Wang, Yue Duan, Wei Song, Heng Yin, and Chengyu Song. 2019. Be sensitive and collaborative: Analyzing impact of coverage metrics in greybox fuzzing. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID \u201919). USENIX Association, 1\u201315. Retrieved from https:\/\/www.usenix.org\/conference\/raid2019\/presentation\/wang"},{"key":"e_1_3_2_58_2","unstructured":"Mingzhe Wang Jie Liang Chijin Zhou Zhiyong Wu Jingzhou Fu Zhuo Su Qing Liao Bin Gu Bodong Wu and Yu Jiang. 2024. Data coverage for guided fuzzing. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association 2511\u20132526. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/wang-mingzhe"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","unstructured":"Yanhao Wang Xiangkun Jia Yuwei Liu Kyle Zeng Tiffany Bao Dinghao Wu and Purui Su. 2020. Not all coverage measurements are equal: Fuzzing by coverage accounting for input prioritization. DOI: 10.14722\/ndss.2020.24422","DOI":"10.14722\/ndss.2020.24422"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380396"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00078"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3391795"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560415"},{"key":"e_1_3_2_64_2","unstructured":"Michal Zalewski. 2018. American Fuzzy Lop. Retrieved from https:\/\/lcamtuf.coredump.cx\/afl"},{"key":"e_1_3_2_65_2","first-page":"479","volume-title":"15th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201921). USENIX Association","author":"Zhang Jiang","year":"2021","unstructured":"Jiang Zhang, Shuai Wang, Manuel Rigger, Pinjia He, and Zhendong Su. 2021. SANRAZOR: Reducing redundant sanitizer checks in C\/C++ programs. In 15th USENIX Symposium on Operating Systems Design and Implementation (OSDI \u201921). USENIX Association, 479\u2013494. Retrieved from https:\/\/www.usenix.org\/conference\/osdi21\/presentation\/zhang"},{"key":"e_1_3_2_66_2","doi-asserted-by":"crossref","unstructured":"Kunpeng Zhang Xiaogang Zhu Xi Xiao Minhui Xue Chao Zhang and Sheng Wen. 2024. ShapFuzz: Efficient fuzzing via shapley-guided byte selection. arXiv:2308.09239. Retrieved from https:\/\/arxiv.org\/abs\/2308.09239","DOI":"10.14722\/ndss.2024.23134"},{"key":"e_1_3_2_67_2","first-page":"4345","volume-title":"31st USENIX Security Symposium (USENIX Security \u201922)","author":"Zhang Yuchen","year":"2022","unstructured":"Yuchen Zhang, Chengbin Pang, Georgios Portokalidis, Nikos Triandopoulos, and Jun Xu. 2022. Debloating address sanitizer. In 31st USENIX Security Symposium (USENIX Security \u201922). USENIX Association, 4345\u20134363. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/zhang-yuchen"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00109"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484596"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.1145\/3512345"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3730580","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T16:33:55Z","timestamp":1769013235000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3730580"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,21]]},"references-count":69,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,2,28]]}},"alternative-id":["10.1145\/3730580"],"URL":"https:\/\/doi.org\/10.1145\/3730580","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,21]]},"assertion":[{"value":"2024-09-18","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-04-07","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-01-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}