This work addresses the challenge of efficiently identifying input bytes that critically influence program behavior (“hot bytes”) in black-box fuzzing. We propose a taint inference method that incurs zero additional execution overhead by repurposing AFL++’s havoc mutation mechanism as a lightweight, on-the-fly taint inference engine—integrating taint analysis directly into test case generation without instrumentation or auxiliary program runs. We further design a hot-byte-aware mutation strategy and enhance seed scheduling via coverage feedback. Evaluation on UniBench and FuzzBench shows the approach introduces only 3.84% and 12.58% runtime overhead, respectively. In 24-hour fuzzing campaigns, it achieves up to 51.12% and an average 6.12% improvement in edge coverage, significantly enhancing both fuzzing efficiency and depth.

Fuzzing is a widely used technique for discovering software vulnerabilities, but identifying hot bytes that influence program behavior remains challenging. Traditional taint analysis can track such bytes white-box, but suffers from scalability issue. Fuzzing-Driven Taint Inference (FTI) offers a black-box alternative, yet typically incurs significant runtime overhead due to extra program executions. We observe that the commonly used havoc mutation scheme in fuzzing can be adapted for lightweight FTI with zero extra executions. We present a computational model of havoc mode, demonstrating that it can perform FTI while generating new test cases. Building on this, we propose ZTaint-Havoc, a novel, efficient FTI with minimal overhead (3.84% on UniBench, 12.58% on FuzzBench). We further design an effective mutation algorithm utilizing the identified hot bytes. Our comprehensive evaluation shows that ZTaint-Havoc, implemented in AFL++, improves edge coverage by up to 33.71% on FuzzBench and 51.12% on UniBench over vanilla AFL++, with average gains of 2.97% and 6.12% in 24-hour fuzzing campaigns.