Automated security testing of unexplored targets through feedback-guided fuzzingFuzzing is an automated method to uncover bugs in software. A fuzzer will generate inputs to a target program and execute the target repeatedly, in rapid succession. These random mutations aim to reach corner cases a human tester will not detect easily. Fuzzing has uncovered a variety of critical bugs in recent years. However, a large amount of low-level code remains un-fuzzed. Most research improves certain bits and pieces and focuses on easy-to-fuzz user space applications with available source code. While this makes it possible to evaluate and compare the proposed methods, novel targets will not get the much-needed attention. This thesis aims to scale and automate the detection of security-critical bugs across a wide range of previously unexplored and traditionally hard-to-test targets. We consolidate available fuzzing research with our tool AFL++, a fork of the well-known AFL fuzzer. We aim at a wide range of new targets using this state-of-the-art fuzzer. We pick targets that are hard to test, such as kernels, device drivers, and firmware. Even vendors with access to source code cannot use existing fuzzers for these targets. The architecture of fuzzers needs to be adapted to them. The tools written for this thesis uncovered memory corruptions in the Linux kernel, graphics card drivers, baseband chips of smartphones, servers, and smart contract VM implementations. We develop entirely new approaches, such as differential fuzzing, instrumentation for WebAssembly binaries, kernel-land snapshot fuzzing, and the snapshot-based FitM project, uncovering stateful bugs in network stacks.
