Blackbox Fuzzing of Distributed Systems with Multi-Dimensional Inputs and Symmetry-Based Feedback Pruning

Yonghao Zou

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Fuzzing 2

Modern digital infrastructure relies heavily on distributed systems, from databases like ClickHouse and RethinkDB to crucial coordination systems. However, the inherent complexity of these systems makes them highly susceptible to subtle bugs that can lead to significant economic losses and operational failures. This talk introduces **DisFuzz**, a novel blackbox fuzzer specifically designed to uncover these elusive vulnerabilities in distributed environments. DisFuzz distinguishes itself in two ways. It employs an **extended input space** that encompasses regular client events, fault injections, and timing intervals, and it combines that with an innovative **symmetry-based feedback pruning** mechanism to efficiently navigate the vast state space of distributed systems.

AI review

DisFuzz is legitimate systems research with a real technical contribution: the symmetry-based pruning formalism is non-obvious, the 52-bug result across 10 production systems is reproducible evidence rather than marketing copy, and the multi-dimensional input model (regular events + fault events + timing intervals as a unified tuple) is a cleaner abstraction than anything I've seen in prior distributed fuzzing work. The visa-proxy delivery is unfortunate but doesn't undercut the paper.
