| dc.description.abstract | Use-after-free (UAF) is one of the most critical memory bugs and can be exploited to compromise software systems. Although many mitigation and discovery techniques have been proposed, discovering UAF vulnerabilities through fuzzing remains challenging because a UAF arises only when allocation, deallocation, and dereference operations occur in a specific temporal ordering on the same heap object. To address this challenge, recent fuzzing approaches guide input generation using feedback derived from heap operation sequences. HTFuzz, for example, promotes temporal diversity in heap behaviors by diversifying heap operation sequences observed at runtime. However, this feedback is not optimized for UAF discovery, as it does not distinguish heap operations by their target objects or explicitly capture the pointer propagation required to expose UAF vulnerabilities. In this paper, we propose hsAFL, a heap-object state-transition-guided fuzzing approach that targets these limitations. hsAFL tracks object-level UAF-related state transitions, including pointer-copy operations, and prioritizes inputs that exercise new operation edges under object-specific state transitions. We evaluate hsAFL through repeated fuzzing experiments on seven real-world programs, with ten four-hour runs per target. Because hsAFL maintains state information for individual heap objects, it incurs additional runtime overhead and can reduce execution throughput. Despite this overhead, the results show that hsAFL discovers UAF vulnerabilities earlier than HTFuzz in four out of seven programs. | - |
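The abstract's central claim is that feedback keyed on the object-agnostic sequence of heap operations cannot tell a benign trace apart from a UAF trace, whereas per-object state plus pointer-copy tracking can. The following Python model, written here as an added illustration and not code from the hsAFL paper or HTFuzz, replays a constructed heap-operation trace, keeps a lifecycle state for each heap object, follows pointer copies so that aliases resolve to the same object, and reports (object state, operation) edges as the coverage signal. The state names, the event encoding, and the sample traces are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Per-object lifecycle states (assumed names, chosen for this illustration).
UNALLOC, ALLOC, FREED = "unalloc", "alloc", "freed"

# Event encoding (assumed): ("alloc", ptr, obj_id) | ("copy", dst_ptr, src_ptr)
#                           | ("free", ptr)        | ("deref", ptr)
Event = Tuple[str, ...]
Edge = Tuple[str, str]  # (state of the target object before the op, op kind)


@dataclass
class TraceResult:
    edges: Set[Edge]                       # object-aware coverage edges
    uafs: List[Tuple[int, str, int]]       # (event index, op kind, obj_id) on a FREED object
    op_sequence: Tuple[str, ...]           # object-agnostic view, for comparison only


def replay(trace: List[Event]) -> TraceResult:
    """Replay a heap-operation trace, tracking each object's state and its aliases."""
    obj_state: Dict[int, str] = {}   # obj_id -> lifecycle state
    ptr_obj: Dict[str, int] = {}     # pointer name -> obj_id it currently aliases
    edges: Set[Edge] = set()
    uafs: List[Tuple[int, str, int]] = []

    for i, ev in enumerate(trace):
        kind = ev[0]
        if kind == "alloc":
            _, ptr, obj = ev
            edges.add((obj_state.get(obj, UNALLOC), kind))
            obj_state[obj] = ALLOC
            ptr_obj[ptr] = obj
        elif kind == "copy":
            # Pointer propagation: the copy aliases the same object as its source,
            # so a later use through the copy is attributed to that object.
            _, dst, src = ev
            obj = ptr_obj[src]
            edges.add((obj_state[obj], kind))
            ptr_obj[dst] = obj
        elif kind in ("free", "deref"):
            _, ptr = ev
            obj = ptr_obj[ptr]
            before = obj_state[obj]
            edges.add((before, kind))
            if before == FREED:
                # deref after free, or a double free, on the same object
                uafs.append((i, kind, obj))
            if kind == "free":
                obj_state[obj] = FREED
        else:
            raise ValueError(f"unknown event kind: {kind!r}")

    return TraceResult(edges, uafs, tuple(ev[0] for ev in trace))


def new_edges(result: TraceResult, seen: Set[Edge]) -> Set[Edge]:
    """Return the edges this trace adds to the global set; a non-empty result
    is the signal a fuzzer would use to keep the input."""
    fresh = result.edges - seen
    seen |= fresh
    return fresh


# Constructed sample traces: the first two are identical as op sequences,
# but only the second touches a freed object; the third reaches the freed
# object through a copied pointer.
SAFE = [("alloc", "p", 1), ("alloc", "q", 2), ("free", "p"), ("deref", "q")]
UAF_DIRECT = [("alloc", "p", 1), ("alloc", "q", 2), ("free", "p"), ("deref", "p")]
UAF_VIA_COPY = [("alloc", "p", 1), ("copy", "r", "p"), ("free", "p"), ("deref", "r")]

if __name__ == "__main__":
    seen: Set[Edge] = set()
    for name, trace in (("SAFE", SAFE), ("UAF_DIRECT", UAF_DIRECT), ("UAF_VIA_COPY", UAF_VIA_COPY)):
        r = replay(trace)
        print(name, "op-sequence:", r.op_sequence)
        print("  new edges:", sorted(new_edges(r, seen)), "uafs:", r.uafs)
```

The object-agnostic `op_sequence` of `SAFE` and `UAF_DIRECT` is the same tuple, so feedback built only from the order of operation kinds gives no reason to prefer the UAF-triggering input; the object-aware edge `(freed, deref)` appears only in the second trace. The `copy` edge is what lets the third trace attribute the dereference of `r` to object 1, which is the pointer-propagation point the abstract raises. Maintaining `obj_state` and `ptr_obj` per object is also where the extra runtime cost the abstract mentions comes from.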