FuzzRDUCC: Fuzzing with Reconstructed Def-Use Chain Coverage

📅 2025-09-05
📈 Citations: 0
Influential: 0
🤖 AI Summary
Binary fuzzing struggles to explore deep program paths and detect data-sensitive vulnerabilities due to its lack of fine-grained intra-procedural data-flow information. To address this, we propose a control-flow-guided fuzzing technique augmented with precise data-flow analysis. Our method automatically reconstructs definition-use (Def-Use) chains directly from binaries via lightweight symbolic execution and static binary analysis, then applies a lightweight heuristic to identify critical data-flow paths, which serve as a novel coverage feedback mechanism. Unlike conventional grey-box fuzzers that rely solely on edge-level control-flow coverage, our approach integrates data-flow guidance without incurring significant runtime overhead. Evaluated on the binutils benchmark suite, our technique triggers multiple unique crashes missed by state-of-the-art fuzzers—including AFL++ and Honggfuzz—demonstrating substantial improvements in both depth and breadth of vulnerability discovery.

📝 Abstract
Binary-only fuzzing often struggles to achieve thorough code coverage and uncover hidden vulnerabilities because it has limited insight into a program's internal dataflows. Traditional grey-box fuzzers guide test case generation primarily by control-flow edge coverage, which can overlook bugs that are not easily exposed through control-flow analysis alone. We argue that integrating dataflow analysis into the fuzzing process can enhance its effectiveness by revealing how data propagates through the program, thereby enabling the exploration of execution paths that control-flow-based methods might miss. In this context, we introduce FuzzRDUCC, a novel fuzzing framework that employs symbolic execution to reconstruct definition-use (def-use) chains directly from binary executables. FuzzRDUCC identifies crucial dataflow paths and exposes security vulnerabilities without incurring excessive computational overhead, thanks to a novel heuristic algorithm that selects relevant def-use chains without affecting the thoroughness of the fuzzing process. We evaluate FuzzRDUCC on the binutils benchmark and demonstrate that it can identify unique crashes not found by state-of-the-art fuzzers. This establishes FuzzRDUCC as a feasible basis for next-generation vulnerability detection and discovery mechanisms.
Problem

Research questions and friction points this paper is trying to address.

Achieving thorough code coverage in binary-only fuzzing
Overcoming limitations of control flow-based vulnerability detection
Reconstructing dataflow analysis from binaries without source code
Innovation

Methods, ideas, or system contributions that make the work stand out.

Reconstructs def-use chains from binaries
Employs symbolic execution for dataflow analysis
Uses heuristic algorithm to reduce overhead