Peihong Lin,Pengfei Wang,Xu Zhou,Wei Xie,Gen Zhang,Kai Lu

DOI: https://doi.org/10.14722/ndss.2024.24514

2024-01-01

Abstract:Directed Greybox Fuzzing (DGF) is an effective approach designed to strengthen testing vulnerable code areas via predefined target sites.The state-of-the-art DGF techniques redefine and optimize the fitness metric to reach the target sites precisely and quickly.However, optimizations for fitness metrics are mainly based on heuristic algorithms, which usually rely on historical execution information and lack foresight on paths that have not been exercised yet.Thus, those hard-to-execute paths with complex constraints would hinder DGF from reaching the targets, making DGF less efficient.In this paper, we propose DeepGo, a predictive directed greybox fuzzer that can combine historical and predicted information to steer DGF to reach the target site via an optimal path.We first propose the path transition model, which models DGF as a process of reaching the target site through specific path transition sequences.The new seed generated by mutation would cause the path transition, and the path corresponding to the highreward path transition sequence indicates a high likelihood of reaching the target site through it.Then, to predict the path transitions and the corresponding rewards, we use deep neural networks to construct a Virtual Ensemble Environment (VEE), which gradually imitates the path transition model and predicts the rewards of path transitions that have not been taken yet.To determine the optimal path, we develop a Reinforcement Learning for Fuzzing (RLF) model to generate the transition sequences with the highest sequence rewards.The RLF model can combine historical and predicted path transitions to generate the optimal path transition sequences, along with the policy to guide the mutation strategy of fuzzing.Finally, to exercise the highreward path transition sequence, we propose the concept of an action group, which comprehensively optimizes the critical steps of fuzzing to realize the optimal path to reach the target efficiently.We evaluated DeepGo on 2 benchmark suites consisting of 25 programs with a total of 100 target sites.The experimental results show that DeepGo achieves 3.23×, 1.72×, 1.81×, and 4.83× speedup compared to AFLGo, BEACON, WindRanger, and ParmeSan, respectively in reaching target sites, and 2.61×, 3.32×, 2.43× and 2.53× speedup in exposing known vulnerabilities.

Qingyao Zeng,Dapeng Xiong,Zhongwang Wu,Kechang Qian,Yu Wang,Yinghao Su

DOI: https://doi.org/10.3390/electronics13112096

IF: 2.9

2024-05-29

Electronics

Abstract:As the directed greybox fuzzing (DGF) technique advances, it is being extensively utilized in various fields such as defect reproduction, patch testing, and vulnerability identification. Nevertheless, current DGFs waste a significant amount of resources due to their simplistic distance definitions and overly straightforward energy distribution for the seeds. To address these issues, a dynamic distance-weighting-based distance estimation strategy is proposed first, which facilitates strategies for seed distribution that take energy into consideration. Second, to overcome the limitations of current seed energy distribution strategies, the gray wolf optimizer (GWO) is improved by integrating four strategies, leading to the development of the improved gray wolf optimizer (IGWO). Lastly, an adaptive search algorithm is proposed, and the WolfFuzz prototype tool is implemented. In vulnerability recurrence scenarios, WolfFuzz is 3.2× faster on average compared with the baseline and reproduces 76.4% of existing bugs faster. WolfFuzz also discovers nine different types of bugs in seven real-world programs.

engineering, electrical & electronic,physics, applied,computer science, information systems

Weiwei Gong,Gen Zhang,Xu Zhou

DOI: https://doi.org/10.1007/978-3-319-72389-1_24

2017-01-01

Abstract:Fuzzing is an efficient testing technique to catch bugs early, before they turn into vulnerabilities. Without complex program analysis, it can generates interesting test cases by slightly changing input and find potential bugs in programs. However, previous fuzzers either are unable to explore deeper bugs, or some of them suffer from dramatic time complexity, thus we cannot depend on them in real world applications. In this paper, we focus on reducing time complexity in fuzzing by combining practical and light-weight deep learning methods, which fundamentally accelerate the process of identifying new test cases and finding bugs. In order to achieve expected fuzzing coverage, we implement our method by extending stage-of-the-art fuzzer AFL with deep learning methods and evaluate it on several wide-used and open source executable programs. On all of these programs, efficiency of our method is witnessed and significantly better outcomes are generated.

Wei You,Xuwei Liu,Shiqing Ma,David Perry,Xiangyu Zhang,Bin Liang

DOI: https://doi.org/10.1109/ICSE.2019.00080

2019-01-01

Abstract:Fuzzing is an important technique to detect software bugs and vulnerabilities. It works by mutating a small set of seed inputs to generate a large number of new inputs. Fuzzers' performance often substantially degrades when valid seed inputs are not available. Although existing techniques such as symbolic execution can generate seed inputs from scratch, they have various limitations hindering their applications in real-world complex software. In this paper, we propose a novel fuzzing technique that features the capability of generating valid seed inputs. It piggy-backs on AFL to identify input validity checks and the input fields that have impact on such checks. It further classifies these checks according to their relations to the input. Such classes include arithmetic relation, object offset, data structure length and so on. A multi-goal search algorithm is developed to apply class-specific mutations in order to satisfy inter-dependent checks all together. We evaluate our technique on 20 popular benchmark programs collected from other fuzzing projects and the Google fuzzer test suite, and compare it with existing fuzzers AFL and AFLFast, symbolic execution engines KLEE and S2E, and a hybrid tool Driller that combines fuzzing with symbolic execution. The results show that our technique is highly effective and efficient, out-performing the other tools.

Yuntao Zhang,Zhongru Wang,Weiqiang Yu,Binxing Fang

DOI: https://doi.org/10.1109/trustcom53373.2021.00087

2021-01-01

Abstract:Greybox fuzzing has been widely used in vulnerabilities detection. Most greybox fuzzing tools are coverage-based, which usually use basic block transition to gain code coverage and focus on improving it to trigger more bugs. However, only increasing code coverage is insufficient to find some heap-based vulnerabilities such as use-after-free (UAF) and double-free (DF). This is because, to trigger these vulnerabilities, one needs not only to cover more code, but also to execute special heap operations to satisfy a particular temporal constraint (i.e., allocating heap memory, free memory, and accessing the heap memory). In this paper, we propose an approach, namely MDFuzz, to detect heap-based vulnerabilities adopting multi-level directed greybox fuzzing. The key idea is identifying different targets to guide the fuzzing process to cover specific heap operations without wasting resources exploring unrelated program components. We first perform a static analysis to automatically recognize three critical targets related to heap operations and then calculate each basic block's distance to the targets. Moreover, we propose a probability-based multi-level seed queue and a novel seed selection strategy to augment the guidance of directed fuzzing. To evaluate MDFuzz, we have performed an evaluation on 7 real-world applications. The experimental results demonstrate that MDFuzz significantly outperforms the state-of-the-art fuzzers, including AFL, AFLFast and VUzzer, in terms of the time consumed to discover heap-based vulnerabilities. Moreover, MD-Fuzz found 4 previously unknown vulnerabilities in real-world programs.

Hongliang Liang,Xinglin Yu,Xianglin Cheng,Jie Liu,Jin Li

DOI: https://doi.org/10.1109/tdsc.2023.3253120

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Directed greybox fuzzing (DGF) can quickly discover or reproduce bugs in programs by seeking to reach a program location or explore some locations in order. However, due to their static stage division and coarse-grained energy scheduling, prior DGF tools perform poorly when facing multiple target locations (targets for short). In this paper, we present multiple targets directed greybox fuzzing which aims to reach multiple programs locations in a fuzzing campaign. Specifically, we propose a novel strategy to adaptively coordinate exploration and exploitation stages, and a novel energy scheduling strategy by considering more relations between seeds and target locations. We implement our approaches in a tool called LeoFuzz and evaluate it on crash reproduction, true positives verification, and vulnerability exposure in real-world programs. Experimental results show that LeoFuzz outperforms six state-of-the-art fuzzers, i.e., QYSM, AFLGo, Lolly, Berry, Beacon and WindRanger in terms of effectiveness and efficiency. Moreover, LeoFuzz has detected 23 new vulnerabilities in real-world programs, and 12 of them have been assigned CVE IDs.

Yijiang Xu,Hongrui Jia,Liguo Chen,Xin Wang,Zhengran Zeng,Yidong Wang,Qing Gao,Jindong Wang,Wei Ye,Shikun Zhang,Zhonghai Wu

2024-09-22

Abstract:Fuzz testing is crucial for identifying software vulnerabilities, with coverage-guided grey-box fuzzers like AFL and Angora excelling in broad detection. However, as the need for targeted detection grows, directed grey-box fuzzing (DGF) has become essential, focusing on specific vulnerabilities. The initial seed corpus, which consists of carefully selected input samples that the fuzzer uses as a starting point, is fundamental in determining the paths that the fuzzer explores. A well-designed seed corpus can guide the fuzzer more effectively towards critical areas of the code, improving the efficiency and success of the fuzzing process. Even with its importance, many works concentrate on refining guidance mechanisms while paying less attention to optimizing the initial seed corpus. In this paper, we introduce ISC4DGF, a novel approach to generating optimized initial seed corpus for DGF using Large Language Models (LLMs). By leveraging LLMs' deep software understanding and refined user inputs, ISC4DGF creates precise seed corpus that efficiently trigger specific vulnerabilities. Implemented on AFL and tested against state-of-the-art fuzzers like AFLGo, FairFuzz, and Entropic using the Magma benchmark, ISC4DGF achieved a 35.63x speedup and 616.10x fewer target reaches. Moreover, ISC4DGF focused on more effectively detecting target vulnerabilities, enhancing efficiency while operating with reduced code coverage.

Software Engineering

Haoran Fang,Kaikai Zhang,Donghui Yu,Yuanyuan Zhang

DOI: https://doi.org/10.1145/3650212.3680324

2024-01-01

Abstract:Coverage-Guided Fuzzing (CGF) has become the most popular and effective method for vulnerability detection. It is usually designed as an automated “black-box” tool. Security auditors start it and then just wait for the results. However, after a period of testing, CGF struggles to find new coverage gradually, thus making it inefficient. It is difficult for users to explain reasons that prevent fuzzing from making further progress and to determine whether the existing coverage is sufficient. In addition, there is no way to interact and direct the fuzzing process. In this paper, we design the dynamic directed greybox fuzzing (DDGF) to facilitate collaboration between the user and fuzzer. By leveraging Ball-Larus path profiling algorithm, we propose two new techniques: dynamic introspection and dynamic direction. Dynamic introspection reveals the significant imbalance in the distribution of path frequency through encoding and decoding. Based on the insight from introspection, users can dynamically direct the fuzzer to focus testing on the selected paths in real time. We implement DDGF based on AFL++. Experiments on Magma show that DDGF is effective in helping the fuzzer to reproduce vulnerabilities faster, with up to 100x speedup and only 13% performance overhead. DDGF shows the great potential of human-in-the-loop for fuzzing.

Gen Zhang,Xu Zhou,Yingqi Luo,Xugang Wu,Erxue Min

DOI: https://doi.org/10.1109/access.2018.2851237

IF: 3.9

2018-01-01

IEEE Access

Abstract:Greybox fuzzing, such as american fuzzy lop (AFL), is very efficient in finding software vulnerability, which makes it the state-of-the-art fuzzing technology. Greybox fuzzing leverages the branch information collected during program running as feedback to guide choosing seeds. Current greybox fuzzing generally uses two kinds of methods to collect branch information: compile-time instrumentation (AFL) and emulation [AFL extended with QEMU emulation (QAFL)]. Compile-time instrumentation is efficient, but it does not support binary programs. Meanwhile, emulation supports binary programs, but its efficiency is very low. In this paper, we propose a greybox fuzzing approach named PTfuzz, which leverages hardware mechanism (Intel Processor Trace) to collect branch information. Our approach supports binary programs, just like the emulation method, while it gains a comparable performance with the compile-time instrumentation method. Our experiments show that PTfuzz can fuzz the original binary programs without any modification, and we gain a 3× performance improvement compared to QAFL.

Yuekang Li,Guozhu Meng,Jun Xu,Cen Zhang,Hongxu Chen,Xiaofei Xie,Haijun Wang,Yang Liu

DOI: https://doi.org/10.1109/ISSRE52982.2021.00039

2021-01-01

Abstract:Greybox fuzzing is a widely used technique for software testing that has been adopted by practitioners and researchers to disclose a great number of vulnerabilities in various software. However, adversaries also weaponize greybox fuzzing to mine vulnerabilities for malicious intentions. This poses considerable threats to software systems. To counteract the misuse of greybox fuzzing, we propose VALL-NUT, a novel approach to harden software with properties to combat greybox fuzzing. We dissect the major strategies that facilitate the success of greybox fuzzing, and accordingly propose three types of neutralizing schemesseed queue explosion, seed attenuation, and feedback contamination. We evaluate Vall-nut against the mainstream greybox fuzzers on multiple real-world benchmark programs. The results show that Vall-nut can reduce an average of 34 % code coverage and 76% detected crashes in 24-hour tests. Moreover, we conduct comparisons with two recent studies which show Vall-nut can achieve a superior deduction of detected crashes.

Tai Yue,Pengfei Wang,Yong Tang,Enze Wang,Bo Yu,Kai Lu,Xu Zhou

2020-01-01

Abstract:Fuzzing is one of the most effective approaches for identifying security vulnerabilities. As a state-of-the-art coverage-based greybox fuzzer, AFL is a highly effective and widely used technique. However, AFL allocates excessive energy (i.e., the number of test cases generated by the seed) to seeds that exercise the high-frequency paths and can not adaptively adjust the energy allocation, thus wasting a significant amount of energy. Moreover, the current Markov model for modeling coverage-based greybox fuzzing is not profound enough. This paper presents a variant of the Adversarial Multi-Armed Bandit model for modeling AFL's power schedule process. We first explain the challenges in AFL's scheduling algorithm by using the reward probability that generates a test case for discovering a new path. Moreover, we illustrated the three states of the seeds set and developed a unique adaptive scheduling algorithm as well as a probability-based search strategy. These approaches are implemented on top of AFL in an adaptive energy-saving greybox fuzzer called EcoFuzz. EcoFuzz is examined against other six AFL-type tools on 14 real-world subjects over 490 CPU days. According to the results, EcoFuzz could attain 214% of the path coverage of AFL with reducing 32% test cases generation of that of AFL. Besides, EcoFuzz identified 12 vulnerabilities in GNU Binutils and other software. We also extended EcoFuzz to test some IoT devices and found a new vulnerability in the SNMP component.

Pengfei Wang,Xu Zhou,Tai Yue,Peihong Lin,Yingying Liu,Kai Lu

DOI: https://doi.org/10.1002/stvr.1869

2023-01-01

Software Testing Verification and Reliability

Abstract:SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.

Han Zheng,Jiayuan Zhang,Yuhang Huang,Zezhong Ren,He Wang,Chunjie Cao,Yuqing Zhang,Flavio Toffalini,Mathias Payer

DOI: https://doi.org/10.48550/arXiv.2207.13393

2022-07-27

Abstract:Greybox fuzzing is the de-facto standard to discover bugs during development. Fuzzers execute many inputs to maximize the amount of reached code. Recently, Directed Greybox Fuzzers (DGFs) propose an alternative strategy that goes beyond "just" coverage: driving testing toward specific code targets by selecting "closer" seeds. DGFs go through different phases: exploration (i.e., reaching interesting locations) and exploitation (i.e., triggering bugs). In practice, DGFs leverage coverage to directly measure exploration, while exploitation is, at best, measured indirectly by alternating between different targets. Specifically, we observe two limitations in existing DGFs: (i) they lack precision in their distance metric, i.e., averaging multiple paths and targets into a single score (to decide which seeds to prioritize), and (ii) they assign energy to seeds in a round-robin fashion without adjusting the priority of the targets (exhaustively explored targets should be dropped). We propose FishFuzz, which draws inspiration from trawl fishing: first casting a wide net, scraping for high coverage, then slowly pulling it in to maximize the harvest. The core of our fuzzer is a novel seed selection strategy that builds on two concepts: (i) a novel multi-distance metric whose precision is independent of the number of targets, and (ii) a dynamic target ranking to automatically discard exhausted targets. This strategy allows FishFuzz to seamlessly scale to tens of thousands of targets and dynamically alternate between exploration and exploitation phases. We evaluate FishFuzz by leveraging all sanitizer labels as targets. Extensively comparing FishFuzz against modern DGFs and coverage-guided fuzzers shows that FishFuzz reached higher coverage compared to the direct competitors, reproduces existing bugs (70.2% faster), and finally discovers 25 new bugs (18 CVEs) in 44 programs.

Cryptography and Security

Weiming Li,Junqing Yu,Shaobo Ai

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.z2.013

2013-01-01

Abstract:Fuzz Testing is an effective method to mine all kinds of vulnerabilities. But the main drawbacks to current fuzz testing tools are: firstly, it produces high volume testing data and it's extraordinary time consumption; secondly, if the accessing needs authentication, the greatest part of test data will be abandoned. PyFuzzer, a novel automatic in-memory fuzz testing tool combining static analysis, dynamic analysis and in-memory fuzz testing, was presented. The tool is highly automatic and effective. Compared with 4n FTP Fuzzer in testing WarFTPD and Serv-U, PyFuzzer can discover all vulnerabilities and improve test efficiency greatly.

Ziheng He,Peng Jia,Yong Fang,Yuying Liu,Hairu Luo

DOI: https://doi.org/10.3390/app122111097

2022-01-01

Applied Sciences

Abstract:In recent years, fuzzing has become a powerful tool for security researchers to uncover security vulnerabilities. It is used to discover software vulnerabilities by continuously generating malformed inputs to trigger bugs. Directed grey-box fuzzing has also been widely used in the verification of patch testing and in vulnerability reproduction. For directed grey-box fuzzing, the core problem is to make test cases reach the target and trigger vulnerabilities faster. Selecting seeds that are closer to the target site to be mutated first is an effective method. For this purpose, the DGF calculates the distance between the execution path and the target site by a specific algorithm. However, as time elapses in the execution process, the seeds covering a larger amount of basic blocks may be overlooked due to their long distances. At the same time, directed fuzzing often ignores the impact of coverage on test efficiency, resulting in a local optimum problem without accumulating enough valuable test cases. In this paper, we analyze and discuss these problems and propose SwitchFuzz, a fuzzer that can switch short-term goals during execution. SwitchFuzz keeps shortening the distance of test cases to reach the target point when it performs well and prioritizes reaching the target point. When positive feedback is not achieved over a period of time, SwitchFuzz tries to explore more possibilities. We compared the efficiency of SwitchFuzz with that of AFLGO in setting single target and multiple targets for crash recurrence in our experiments, respectively. The results show that SwitchFuzz produces a significant improvement over AFLGO in both the speed and the probability of triggering a specified crash. SwitchFuzz can discover more edges than AFLGO in the same amount of time and can generate seeds with smaller distances.

Van-Thuan Pham,Marcel Böhme,Andrew E. Santosa,Alexandru Răzvan Căciulescu,Abhik Roychoudhury

DOI: https://doi.org/10.48550/arXiv.1811.09447

2018-11-23

Abstract:Coverage-based greybox fuzzing (CGF) is one of the most successful methods for automated vulnerability detection. Given a seed file (as a sequence of bits), CGF randomly flips, deletes or bits to generate new files. CGF iteratively constructs (and fuzzes) a seed corpus by retaining those generated files which enhance coverage. However, random bitflips are unlikely to produce valid files (or valid chunks in files), for applications processing complex file formats. In this work, we introduce smart greybox fuzzing (SGF) which leverages a high-level structural representation of the seed file to generate new files. We define innovative mutation operators that work on the virtual file structure rather than on the bit level which allows SGF to explore completely new input domains while maintaining file validity. We introduce a novel validity-based power schedule that enables SGF to spend more time generating files that are more likely to pass the parsing stage of the program, which can expose vulnerabilities much deeper in the processing logic. Our evaluation demonstrates the effectiveness of SGF. On several libraries that parse structurally complex files, our tool AFLSmart explores substantially more paths (up to 200%) and exposes more vulnerabilities than baseline AFL. Our tool AFLSmart has discovered 42 zero-day vulnerabilities in widely-used, well-tested tools and libraries; so far 17 CVEs were assigned.

Cryptography and Security

Lei Sun,Xumei Li,Haipeng Qu,Xiaoshuai Zhang

DOI: https://doi.org/10.1109/issre5003.2020.00017

2020-01-01

Abstract:Coverage-based greybox fuzzing (CGF) is a common method utilizing coverage information to guide fuzzing. American Fuzzy Lop (AFL) is one of the most famous CGF fuzzers and has been used to uncover thousands of vulnerabilities in many software. However, AFL has two major drawbacks, which impedes it from boosting path discovery: (1) aggressively growing mutation overhead; (2) ineffective mutation region selection. In this paper, we propose three new approaches to overcome the drawbacks: (1) Interruptible mutation, which uses a hang monitor to avoid unnecessary mutation overhead; (2) Locality-based mutation, which utilizes mutation information in previous rounds to guide fuzzing useful regions in future rounds; (3) Hotspot-aware fuzzing, which exploits a pre-evaluation process to identify metadata and only mutates these regions. We combine these approaches into a tool named AFLTurbo based on AFL 2.52b. Furthermore, the effectiveness of AFLTurbo is evaluated in terms of both path discovery and bug detection on eight programs as well as LAVA-M with state-of-the-art fuzzers. The experimental results manifest that AFLTurbo can find 141%, 101% and 41% more paths, and reveal 14×, 30× and 5× more bugs than AFL, AFLFast and FairFuzz respectively. Additionally, AFLTurbo discovers 20 vulnerabilities, of which 18 are assigned with CVEs.

School of Information Management, Nanjing University,Zuo Zhi-Qiang,Guan Le,Wang Lin-Zhang,Li Xuan-Dong,Shi Jin,Liu Peng

DOI: https://doi.org/10.1007/s11390-021-1196-0

IF: 1.871

2021-01-01

Journal of Computer Science and Technology

Abstract:Fuzzing is known to be one of the most effective techniques to uncover security vulnerabilities of large-scale software systems. During fuzzing, it is crucial to distribute the fuzzing resource appropriately so as to achieve the best fuzzing performance under a limited budget. Existing distribution strategies of American Fuzzy Lop (AFL) based greybox fuzzing focus on increasing coverage blindly without considering the metrics of code regions, thus lacking the insight regarding which region is more likely to be vulnerable and deserves more fuzzing resources. We tackle the above drawback by proposing a vulnerable region-aware greybox fuzzing approach. Specifically, we distribute more fuzzing resources towards regions that are more likely to be vulnerable based on four kinds of code metrics. We implemented the approach as an extension to AFL named RegionFuzz. Large-scale experimental evaluations validate the effectiveness and efficiency of RegionFuzz-11 new bugs including three new CVEs are successfully uncovered by RegionFuzz.

Han Zheng,Jiayuan Zhang,Yuhang Huang,Zezhong Ren,He Wang,Chunjie Cao,Yuqing Zhang,Flavio Toffalini,Mathias Payer

DOI: https://doi.org/10.48550/arxiv.2207.13393

2022-01-01

Abstract:Fuzzers effectively explore programs to discover bugs. Greybox fuzzers mutate seed inputs and observe their execution. Whenever a seed reaches new behavior ( e.g., new code or higher execution frequency), it is stored for further mutation. Greybox fuzzers directly measure exploration and, by repeating execution of the same targets with large amounts of mutated seeds, passively exploit any lingering bugs. Directed greybox fuzzers (DGFs) narrow the search to a few code locations but so far generalize distance to all targets into a single score and do not prioritize targets dynamically. FISHFUZZ introduces an input prioritization strategy that builds on three concepts: (i) a novel multi-distance metric whose precision is independent of the number of targets, (ii) a dynamic target ranking to automatically discard exhausted targets, and (iii) a smart queue culling algorithm, based on hyperparameters, that alternates between exploration and exploitation . FISHFUZZ enables fuzzers to seamlessly scale among thousands of targets and prioritize seeds toward interesting locations, thus achieving more comprehensive program testing. To demonstrate generality, we implement FISHFUZZ over two well-established greybox fuzzers (AFL and AFL++). We evaluate FISHFUZZ by leveraging all sanitizer labels as targets. In comparison to modern DGFs and state-of-the-art coverage guided fuzzers, FISHFUZZ reaches higher coverage compared to the direct competitors, finds up to 2.8x more bugs compared with the baseline and reproduces 68.3% existing bugs faster. FISHFUZZ also discovers 56 new bugs (38 CVEs) in 47 programs.

You Wu,Qi Zhan,Haipeng Qu,Xiaoqi Zhao

DOI: https://doi.org/10.1109/icstw55395.2022.00054

2022-01-01

Abstract:In recent years, coverage-based greybox fuzzing (CGF) has become one of the most important techniques to discover security bugs. The existing fuzzers score the seeds, and then allocate the energy to the seeds according to the scoring results, but most seeds obtain the same energy, and then repeatedly select the same seeds for fuzzing. These strategies have been proved to be inefficient. Our experimental observations show that various seeds have diverse efficiency, and the efficiency of test cases changes increase with execution time. In this paper, we propose a novel yet lightweight energy allocation strategy, called AcoFuzz, to improve fuzzing efficiency. AcoFuzz has one following distinct advantage: Dynamically allocate energy for seeds to cope with their efficiency variation. Extensive experiments based on real-world programs and the LAVA-M dataset have been conducted to evaluate the path discovery and vulnerability detection ability of AcoFuzz, which substantially outperforms 3 state-of-the-art fuzzers.