Abstract:—Mutation-based fuzzing is one of the most popular approaches to discover vulnerabilities in a program. To alleviate the inefﬁciency of mutation-based fuzzing incurred by high randomness in the mutation process, multiple solutions are developed in recent years, especially coverage-based fuzzing. They mainly employ adaptive mutation strategies or integrate constraint-solving techniques to make a good exploration of the test cases which trigger unique paths and crashes. However, they lack a ﬁne-grained reusing of fuzzing history to construct these interesting test cases, i.e., they largely fail to properly utilize fuzzing history across different fuzzing trials. In fact, we discover that test cases in fuzzing history contain rich knowledge of the key mutation strategies that lead to the discovery of unique paths and crashes. Speciﬁcally, partial path constraint solutions implicitly carried in these mutation strategies can be reused to accelerate the discovery of new paths and crashes that share similar partial path constraints. Therefore, we ﬁrst propose a lightweight and efﬁcient Proba- bilistic Byte Orientation Model ( PBOM ) that properly captures the byte-level mutation strategies from intra- and inter-trial history and thus can effectively trigger unique paths and crashes. We then present a novel history-driven mutation framework named EMS that employs PBOM as one of the mutation operators to probabilistically provide desired mutation byte values according to the input ones. We evaluate EMS against state-of-the-art fuzzers including AFL, QSYM, MO PT , MO PT -dict, EcoFuzz, and AFL++ on 9 real world programs. The results show that EMS discovers up to 4.91 × more unique vulnerabilities than the baseline, and ﬁnds more line coverage than other fuzzers on most programs. We report all of the discovered new vulnerabilities to vendors and will open source the prototype of EMS on GitHub.

EMS: History-Driven Mutation for Coverage-based Fuzzing.

FA-Fuzz: A Novel Scheduling Scheme Using Firefly Algorithm for Mutation-Based Fuzzing

CMFuzz: Context-Aware Adaptive Mutation for Fuzzers

AMSFuzz: an Adaptive Mutation Schedule for Fuzzing

Mopt: Optimized Mutation Scheduling For Fuzzers

Fuzzing for CPS Mutation Testing

An Empirical Study on AST-level mutation-based fuzzing techniques for JavaScript Engines

V-Fuzz: Vulnerability Prediction-Assisted Evolutionary Fuzzing for Binary Programs

ES-FUZZ: Improving the Coverage of Firmware Fuzzing with Stateful and Adaptable MMIO Models

FuzzInMem: Fuzzing Programs Via In-memory Structures

Systematic Assessment of Fuzzers using Mutation Analysis

FuzzCoder: Byte-level Fuzzing Test via Large Language Model

NCMFuzzer: Using non-critical field mutation and test case combination to improve the efficiency of ICS protocol fuzzing

Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search

V-Fuzz: Vulnerability-Oriented Evolutionary Fuzzing

MOTIF: A tool for Mutation Testing with Fuzzing

EM-Fuzz: Augmented Firmware Fuzzing Via Memory Checking

Fuzzing with Quantitative and Adaptive Hot-Bytes Identification

Better Pay Attention Whilst Fuzzing.

FairFuzz: a targeted mutation strategy for increasing greybox fuzz testing coverage

MOCK: Optimizing Kernel Fuzzing Mutation with Context-aware Dependency