What are the optimisations that the fuzzer uses to achieve higher or quicker coverage?
The fuzzer combines many well-known techniques (for instance, coverage feedback) with a number of custom ones (see our publications for details). Here is just one of many examples:
If a path in the code is only executed for one specific input value, finding that value by random mutation alone can take a very long time: for a 32-bit value, on the order of 2^32 attempts on average. Instead, the fuzzer starts with a random input and measures the distance between that input and the needed value without knowing the value itself. It then mutates the input, again randomly, and measures the distance again. By comparing the two distances the fuzzer can determine the needed input value directly, and therefore saves a lot of time.
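The following is an added toy example, not the fuzzer's own code, that shows the idea with concrete numbers. It assumes the fuzzer obtains the distance from instrumented comparison instructions that report how far apart their two operands were without exposing the constant (the same kind of signal that compare-tracing hooks in common fuzzing toolchains provide); the target program, its "magic" constant and the mutation strategy are constructed for illustration. Two probes with distances d0 and d1 each pin the unknown constant M to two candidates {x - d, x + d}; for two different probes those candidate pairs share exactly one value, so the constant is recovered in three executions instead of billions.

```python
import random

# Constructed toy target: the guarded branch is taken for exactly one 32-bit value.
# The constant itself is made up for this example.
MAGIC = 0x5EC0DE42
MASK32 = 0xFFFFFFFF


class CompareTrace:
    """Stand-in for compare instrumentation (assumed mechanism): it records how far
    apart the operands of the last guarded comparison were, but never reveals them."""

    def __init__(self):
        self.last_distance = None

    def cmp_eq(self, a, b):
        self.last_distance = abs(a - b)
        return a == b


def target(x, trace):
    """Constructed program under test: only one input value reaches the rare path."""
    if trace.cmp_eq(x & MASK32, MAGIC):
        return "rare-path"
    return "common-path"


def fuzz_random(max_iters, seed=0):
    """Baseline: blind random guessing. Returns the iteration that hit the rare path,
    or None after max_iters. The expected cost is about 2**32 executions."""
    rng = random.Random(seed)
    trace = CompareTrace()
    for i in range(1, max_iters + 1):
        if target(rng.getrandbits(32), trace) == "rare-path":
            return i
    return None


def solve_from_two_distances(x0, d0, x1, d1):
    """Given probes x0 != x1 with measured distances d0, d1 to the unknown constant M,
    return the set of values consistent with both measurements. Each probe allows
    M in {x - d, x + d}; two distinct probes share exactly one such value, M."""
    if x0 == x1:
        raise ValueError("probes must differ, otherwise the constant is ambiguous")
    return {x0 - d0, x0 + d0} & {x1 - d1, x1 + d1}


def fuzz_distance_guided(seed=0):
    """Distance-guided search: probe, mutate once at random, compare the two distances,
    then verify the solved candidate. Returns (value_found, target_executions)."""
    rng = random.Random(seed)
    trace = CompareTrace()
    execs = 0

    # First probe: a random input, plus the distance it produced.
    x0 = rng.getrandbits(32)
    execs += 1
    if target(x0, trace) == "rare-path":
        return x0, execs
    d0 = trace.last_distance

    # Second probe: a random mutation of the first (flip one random bit).
    x1 = x0 ^ (1 << rng.randrange(32))
    execs += 1
    if target(x1, trace) == "rare-path":
        return x1, execs
    d1 = trace.last_distance

    # Comparing the two distances pins down the constant; confirm it by execution.
    for cand in sorted(solve_from_two_distances(x0, d0, x1, d1)):
        if 0 <= cand <= MASK32:
            execs += 1
            if target(cand, trace) == "rare-path":
                return cand, execs
    return None, execs


if __name__ == "__main__":
    print("random guessing, 100k tries:", fuzz_random(100_000))
    value, execs = fuzz_distance_guided()
    print(f"distance-guided: found {value:#x} in {execs} executions")
```

The toy deliberately exposes an exact absolute-value distance; real targets compare derived values, use inequality checks, or compare several fields, so production fuzzers treat the distance as feedback to steer further mutations rather than as an equation to solve in one step. The saving, however, is the same in kind: feedback from the comparison replaces blind search over the whole value space.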