Greybox Fuzzing

Fuzzing that uses partial runtime information — typically coverage feedback — without requiring full program analysis.

Greybox fuzzing sits between blackbox fuzzing (no program knowledge) and whitebox fuzzing (full symbolic analysis). A greybox fuzzer instruments the target to collect lightweight runtime information — most commonly branch or edge coverage — and uses that feedback to guide mutation without modeling the program's logic explicitly. The 'grey' refers to the partial, imprecise nature of the feedback: the fuzzer observes which code paths ran, but not why. AFL++, libFuzzer, and Honggfuzz are all greybox fuzzers. This approach scales to large, complex binaries because instrumentation is cheap and the feedback loop is tight — millions of executions per second are achievable. The tradeoff is that the fuzzer cannot reason about deep semantic constraints; it can find the comparison block but may struggle to satisfy multi-byte magic values without additional hints like CmpLog or a dictionary.
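The feedback loop described above, as an added example that is not code from the page or from AFL++, libFuzzer or Honggfuzz: a miniature greybox fuzzer in Python. The target (`target`, its `MAGIC` value, the seed `SEED`) is a constructed toy format; coverage is collected with `sys.settrace` as line-to-line edges, which stand in for the edge counters a real fuzzer compiles in; `cmp_eq` stands in for compare instrumentation, and `input_to_state` is a simplified CmpLog-style hint that replaces one compare operand found in the input with the other. The depth value the target returns is reported for illustration only; the search is steered by new edges alone.

```python
import random
import sys

MAGIC = b"\xde\xad\xbe\xef"   # constructed 4-byte magic value of the toy format
CHECKS = 6                    # checks an input must pass to reach the simulated bug
CMP_LOG = []                  # operand pairs recorded by instrumented comparisons (CmpLog-style)

def cmp_eq(a, b):
    """Stand-in for compare instrumentation: record both operands, then compare."""
    CMP_LOG.append((a, b))
    return a == b

def target(data):
    """Constructed toy target: return how many checks passed; raise when all pass (the bug)."""
    if len(data) < 8:
        return 0
    if not cmp_eq(data[0:1], b"F"):
        return 1
    if not cmp_eq(data[1:2], b"Z"):
        return 2
    if not cmp_eq(data[2:6], MAGIC):   # multi-byte magic: a single branch, no partial credit
        return 3
    if not cmp_eq(data[6:7], b"A"):
        return 4
    if not cmp_eq(data[7:8], b"B"):
        return 5
    raise RuntimeError("simulated crash")

def run_instrumented(data):
    """Run target once; return its line-to-line edges, depth, crash flag and compare log."""
    edges, prev = set(), None
    def tracer(frame, event, arg):
        nonlocal prev
        if frame.f_code is not target.__code__:   # instrument the target only
            return None
        if event == "line":
            edges.add((prev, frame.f_lineno))     # edge = (previous line, current line)
            prev = frame.f_lineno
        return tracer
    CMP_LOG.clear()
    sys.settrace(tracer)
    try:
        depth, crashed = target(data), False
    except RuntimeError:
        depth, crashed = CHECKS, True
    finally:
        sys.settrace(None)
    return edges, depth, crashed, list(CMP_LOG)

def mutate(rng, data, tokens):
    """One havoc-style mutation; 'token' splices in a dictionary entry when one exists."""
    buf = bytearray(data) or bytearray(b"\x00")
    op = rng.choice(["flip", "overwrite", "overwrite", "insert"] + (["token"] if tokens else []))
    if op == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "overwrite":
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        tok, i = rng.choice(sorted(tokens)), rng.randrange(len(buf))   # sorted: deterministic
        buf[i:i + len(tok)] = tok
    return bytes(buf[:64])

def input_to_state(rng, data, cmps):
    """CmpLog-style hint: replace an occurrence of one compare operand in the input with the other."""
    cands = [(i, x, y) for a, b in cmps if a != b for x, y in ((a, b), (b, a))
             for i in range(len(data) - len(x) + 1) if data[i:i + len(x)] == x]
    if not cands:
        return data
    i, x, y = rng.choice(cands)
    return data[:i] + y + data[i + len(x):]

def greybox_fuzz(seeds, iterations, dictionary=(), cmplog=False, rng_seed=1):
    """Coverage-guided loop: an input is kept only if it reaches an edge never seen before."""
    rng, tokens, pending = random.Random(rng_seed), set(dictionary), list(seeds)
    corpus, cmp_of, seen_edges, crashes, max_depth = [], {}, set(), [], 0
    for _ in range(iterations):
        if pending:                               # seeds go through the same filter first
            child = pending.pop(0)
        else:
            parent = corpus[-1] if rng.random() < 0.5 else rng.choice(corpus)  # crude power schedule
            if cmplog and rng.random() < 1 / 3:
                child = input_to_state(rng, parent, cmp_of[parent])
            else:
                child = mutate(rng, parent, tokens)
        edges, depth, crashed, cmps = run_instrumented(child)
        max_depth = max(max_depth, depth)         # reported only; it never steers the search
        if crashed:
            crashes.append(child)
        if edges - seen_edges:                    # coverage feedback is the only signal used
            seen_edges |= edges
            corpus.append(child)
            cmp_of[child] = cmps
    return {"corpus": corpus, "edges": len(seen_edges), "crashes": crashes, "max_depth": max_depth}

SEED = b"FZ" + b"\x00" * 6    # constructed seed: valid header, wrong magic
```

Running `greybox_fuzz([SEED], 5000)` stalls at depth 3: the single-byte header checks each get their own edge, so coverage rewards passing them, but the four-byte magic is one branch that a single mutation cannot satisfy and partial matches earn nothing. `greybox_fuzz([SEED], 5000, dictionary=[MAGIC])` gets past it by splicing the token in, and `greybox_fuzz([SEED], 5000, cmplog=True)` reaches the simulated crash by harvesting the expected operand from the comparison the fuzzer already reached, which is the gap CmpLog and dictionaries fill in real fuzzers.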