In Will's talk he defines two terms related to optimizing fuzzers [2]: Strategy and Tactics.

Strategy is the datum you choose to optimize for as the fuzzer randomly walks the states of the system. E.g. optimize to maximize Mario's X value, or optimize for reaching all tile positions etc. This generalizes the concept of "coverage guided" to include domain-specific details about your target program (e.g. that the program has the concept of a grid of possible positions).

Tactics is the choice of input distribution. Sometimes the frequency of the randomness should be tuned for the application. For example, randomly changing the state of the A button every frame is not a good frequency to properly test long jumps, maybe a normal distribution with average hold/not hold time of 1s would be better. Also, encoding the randomness within the program's valid domain can help avoid over-testing parsing/validation code at the expense of more interesting code further in the program. [1][2]

[0]: Barton P. Miller, Lars Fredriksen, and Bryan So. 1990. An empirical study of the reliability of UNIX utilities. Commun. ACM 33, 12 (Dec. 1990), 32–44. https://doi.org/10.1145/96267.96279

[1]: This reference appears to be related: Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon, and Hayawardh Vijayakumar. 2019. FuzzFactory: domain-specific fuzzing with waypoints. Proc. ACM Program. Lang. 3, OOPSLA, Article 174 (October 2019), 29 pages. https://doi.org/10.1145/3360600

[2]: I introduce the concept of fuzzing in another comment: https://news.ycombinator.com/item?id=40068187#40071972
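
The strategy/tactics split described in the comment above, as an added example that is not part of the original comment or of the talk it summarizes. The toy side-scroller, the pit position, the jump rules and every name here are constructed assumptions: the strategy is the score the fuzz loop maximizes (final X), and the two tactics are per-frame button flips versus hold/release runs drawn from a normal distribution with a 1 s mean.

```python
import random

FPS, FRAMES = 60, 300        # constructed toy: 5 s of input at 60 fps
PIT = range(100, 140)        # no ground for x in [100, 139]
MAX_AIR = 80                 # longest jump, in frames, while A stays held

def play(buttons):
    """Run one input (A held or not, per frame) and return the final X."""
    x, air, prev = 0, 0, False
    for held in buttons:
        if air == 0 and held and not prev:     # rising edge on ground: take off
            air = 1
        elif air and held and air < MAX_AIR:   # stay airborne while A is held
            air += 1
        else:                                  # released or jump exhausted: land
            air = 0
        if air == 0 and x in PIT:              # standing where there is no ground
            return x
        x, prev = x + 1, held                  # Mario always runs right
    return x

def per_frame(rng):
    """Tactic A: flip the A button independently on every frame."""
    return [rng.random() < 0.5 for _ in range(FRAMES)]

def held_runs(rng):
    """Tactic B: alternate hold/release runs, durations ~ Normal(1 s, 0.25 s)."""
    out, held = [], rng.random() < 0.5
    while len(out) < FRAMES:
        out += [held] * max(1, round(rng.gauss(FPS, FPS / 4)))
        held = not held
    return out[:FRAMES]

def fuzz(tactic, strategy=play, trials=500, seed=1):
    """Generational loop: the strategy scores each run; keep the best input."""
    rng = random.Random(seed)
    best_score, best_input = -1, None
    for _ in range(trials):
        buttons = tactic(rng)
        score = strategy(buttons)
        if score > best_score:
            best_score, best_input = score, buttons
    return best_score, best_input

if __name__ == "__main__":
    for tactic in (per_frame, held_runs):
        print(tactic.__name__, "best X =", fuzz(tactic)[0])
```

Crossing the pit needs at least 40 consecutive held frames, which per-frame flipping essentially never produces, so that tactic always dies inside the pit while the hold-run tactic reaches the end of the level.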