Jinyan Xu,Yiyuan Liu,Sirui He,Haoran Lin,Yajin Zhou,Cong Wang

DOI: https://doi.org/10.5281/zenodo.8024468

2023-01-01

Abstract:Modern processors are too complex to be bug free. Recently, a few hardware fuzzing techniques have shown promising results in verifying processor designs. However, due to the complexity of processors, they suffer from complex input grammar, deceptive mutation guidance, and model implementation differences. Therefore, how to effectively and efficiently verify processors is still an open problem. This paper proposes MorFuzz, a novel processor fuzzer that can efficiently discover software triggerable hardware bugs. The core idea behind MorFuzz is to use runtime information to generate instruction streams with valid formats and meaningful semantics. MorFuzz designs a new input structure to provide multi-level runtime mutation primitives and proposes the instruction morphing technique to mutate instruction dynamically. Besides, we also extend the co-simulation framework to various microarchitectures and develop the state synchronization technique to eliminate implementation differences. We evaluate MorFuzz on three popular open-source RISC-V processors: CVA6, Rocket, BOOM, and discover 17 new bugs (with 13 CVEs assigned). Our evaluation shows MorFuzz achieves 4.4x and 1.6x more state coverage than the state-of-the-art fuzzer, DifuzzRTL, and the famous constrained instruction generator, riscv-dv.

Jideng Han,Zhaoxin Zhang,Yuejin Du,Wei Wang,Xiuyuan Chen

DOI: https://doi.org/10.3390/electronics13081498

IF: 2.9

2024-04-15

Electronics

Abstract:WebAssembly code is designed to run in a sandboxed environment, such as a web browser, providing a high level of security and isolation from the underlying operating system and hardware. This enables the execution of untrusted code in a web browser without compromising the security and integrity of the user's system. This paper discusses the challenges associated with using fuzzing tools to identify vulnerabilities or bugs in WebAssembly interpreters. Our approach, known as ESFuzzer, introduces an efficient method for fuzzing WebAssembly interpreters using an Equivalent-Statement concept and the Stack Repair Algorithm. The samples generated by our approach successfully passed code validation. In addition, we developed effective mutation strategies to enhance the efficacy of our approach. ESFuzzer has demonstrated its ability to generate code that achieves 100% WebAssembly validation testing and achieves code coverage that is more than twice that of libFuzzer. Furthermore, the 24-h experiment results show that ESFuzzer performs ten times more efficiently than libFuzzer.

engineering, electrical & electronic,computer science, information systems,physics, applied

Daniel Lehmann,Martin Toldam Torp,Michael Pradel

DOI: https://doi.org/10.48550/arXiv.2110.15433

2021-10-29

Abstract:WebAssembly binaries are often compiled from memory-unsafe languages, such as C and C++. Because of WebAssembly's linear memory and missing protection features, e.g., stack canaries, source-level memory vulnerabilities are exploitable in compiled WebAssembly binaries, sometimes even more easily than in native code. This paper addresses the problem of detecting such vulnerabilities through the first binary-only fuzzer for WebAssembly. Our approach, called Fuzzm, combines canary instrumentation to detect overflows and underflows on the stack and the heap, an efficient coverage instrumentation, a WebAssembly VM, and the input generation algorithm of the popular AFL fuzzer. Besides as an oracle for fuzzing, our canaries also serve as a stand-alone binary hardening technique to prevent the exploitation of vulnerable binaries in production. We evaluate Fuzzm with 28 real-world WebAssembly binaries, some compiled from source and some found in the wild without source code. The fuzzer explores thousands of execution paths, triggers dozens of crashes, and performs hundreds of program executions per second. When used for binary hardening, the approach prevents previously published exploits against vulnerable WebAssembly binaries while imposing low runtime overhead.

Cryptography and Security,Software Engineering

Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

Wenxuan Zhao,Ruiying Zeng,Yangfan Zhou

DOI: https://doi.org/10.1145/3650212.3680340

2024-01-01

Abstract:Reliability is the top concern to runtimes. This paper studies how to test Wasm runtime, by presenting Wapplique, the first Wasm bytecode mutation-based fuzzing tool. Wapplique solves the diversity/efficiency dilemma in generating test cases with a specifically-tailored code-fragment substitution approach for Wasm. In particular, Wapplique appliqués code fragments from real-world programs to seed programs to enhance the diversity of the seeds. Via sophisticated code analysis algorithms we design, Wapplique also guarantees the validity of the resulting programs. This allows Wapplique to generate tremendous valid and diverse Wasm programs as test cases to well exercise target runtimes. Our experiences on applying Wapplique in testing four prevalent real-world runtimes indicate that it can generate test cases efficiently, achieve high coverage, and find 20 previously unknown bugs.

Liqun Yang,Jian Yang,Chaoren Wei,Guanglin Niu,Ge Zhang,Yunli Wang,Linzheng ChaI,Wanxu Xia,Hongcheng Guo,Shun Zhang,Jiaheng Liu,Yuwei Yin,Junran Peng,Jiaxin Ma,Liang Sun,Zhoujun Li

2024-09-03

Abstract:Fuzzing is an important dynamic program analysis technique designed for finding vulnerabilities in complex software. Fuzzing involves presenting a target program with crafted malicious input to cause crashes, buffer overflows, memory errors, and exceptions. Crafting malicious inputs in an efficient manner is a difficult open problem and the best approaches often apply uniform random mutations to pre-existing valid inputs. In this work, we propose to adopt fine-tuned large language models (FuzzCoder) to learn patterns in the input files from successful attacks to guide future fuzzing explorations. Specifically, we develop a framework to leverage the code LLMs to guide the mutation process of inputs in fuzzing. The mutation process is formulated as the sequence-to-sequence modeling, where LLM receives a sequence of bytes and then outputs the mutated byte sequence. FuzzCoder is fine-tuned on the created instruction dataset (Fuzz-Instruct), where the successful fuzzing history is collected from the heuristic fuzzing tool. FuzzCoder can predict mutation locations and strategies locations in input files to trigger abnormal behaviors of the program. Experimental results show that FuzzCoder based on AFL (American Fuzzy Lop) gain significant improvements in terms of effective proportion of mutation (EPM) and number of crashes (NC) for various input formats including ELF, JPG, MP3, and XML.

Computation and Language

Xiaoqi Zhao,Haipeng Qu,Jianliang Xu,Shuo Li,Gai-Ge Wang

DOI: https://doi.org/10.1016/j.eswa.2022.118162

IF: 8.5

2022-01-01

Expert Systems with Applications

Abstract:Mutation-based fuzzing is one of the most popular software testing techniques. After allocating a specific amount of energy (i.e., the number of testcases generated by the seed) for the seed, it uses existing mutation operators to continuously mutate the seed to generate new testcases and feed them into the target program to discover unexpected behaviors, such as bugs, crashes, and vulnerabilities. However, the random selection of mutation operators and sequential selection of mutation positions in existing fuzzers affect path discovery and bug detection. In this paper, a novel adaptive mutation schedule framework, AMSFuzz is proposed. For the random selection of mutation operators, AMSFuzz has the ability to adaptively adjust the probability distribution of mutation operators to select mutation operators. Aiming at the sequential selection of mutation positions, seeds are dynamically sliced with different sizes during the fuzzing process and giving more seeds the opportunity to preferentially mutate, improving the efficiency of fuzzing. AMSFuzz is implemented and evaluated in 12 real-world programs and LAVA-M dataset. The results show that AMSFuzz substantially outperforms state-of-the-art fuzzers in terms of path discovery and bug detection. Additionally, AMSFuzz has detected 17 previously unknown bugs in several projects, 15 of which were assigned CVE IDs.

Lianpei Zhou,Xi Xiao,Guangwu Hu,Hao Li,Xiangbo Wu,Tao Zhou

DOI: https://doi.org/10.1109/trustcom60117.2023.00138

2024-01-01

Abstract:Traditional coverage-based fuzzing gives equal attention to every part of a code. Despite much progress, we observe that existing schemes still not comprehensively use the coverage feedback mechanism when fuzzing bulky JavaScript engines because of severe path collisions. To improve the precision of coverage feedback and target the vulnerable JIT compiler of Javascript engines, we presented our fuzzer, called LF(Light Fuzzer), a lightweight and high-precision fuzzer for bulky JavaScript engines fuzzing. First, LF advocates a technique to confine instrumentation to the JIT-related "critical functions" to mitigate collisions. Additionally, LF utilizes static analysis to establish dominant relationships between critical functions. Lastly, LF incorporates seed scheduling with feedback information of control flow at the function level to dynamically target JIT. These combined strategies make LF a lightweight and high-precision fuzzer for fuzzing bulky JavaScript engines. In our evaluation, LF outperforms the state-of-art coverage-guided JavaScript fuzzer DIE in different coverage types, and LF is also more effective in triggering unique crashes compared to DIE.

Ying Fu,Meng Ren,Fuchen Ma,Heyuan Shi,Xin Yang,Yu Jiang,Huizhong Li,Xiang Shi

DOI: https://doi.org/10.1145/3338906.3341175

2019-01-01

Abstract:Ethereum Virtual Machine (EVM) is the run-time environment for smart contracts and its vulnerabilities may lead to serious problems to the Ethereum ecology. With lots of techniques being continuously developed for the validation of smart contracts, the testing of EVM remains challenging because of the special test input format and the absence of oracles. In this paper, we propose EVMFuzzer, the first tool that uses differential fuzzing technique to detect vulnerabilities of EVM. The core idea is to continuously generate seed contracts and feed them to the target EVM and the benchmark EVMs, so as to find as many inconsistencies among execution results as possible, eventually discover vulnerabilities with output cross-referencing. Given a target EVM and its APIs, EVMFuzzer generates seed contracts via a set of predefined mutators, and then employs dynamic priority scheduling algorithm to guide seed contracts selection and maximize the inconsistency. Finally, EVMFuzzer leverages benchmark EVMs as cross-referencing oracles to avoid manual checking. With EVMFuzzer, we have found several previously unknown security bugs in four widely used EVMs, and 5 of which had been included in Common Vulnerabilities and Exposures (CVE) IDs in U.S. National Vulnerability Database. The video is presented at https://youtu.be/9Lejgf2GSOk.

Xiaoqi Zhao,Haipeng Qu,Jiaohong Yi,Jinlong Wang,Miaoqing Tian,Feng Zhao

DOI: https://doi.org/10.3390/math12213431

IF: 2.4

2024-11-02

Mathematics

Abstract:Fuzzing is an extensively used automated vulnerability detection technique. Most existing fuzzers are guided by edge coverage, which makes them less effective in detecting specific vulnerabilities, especially use-after-free (UAF) vulnerabilities. This is because the triggering of a UAF vulnerability must not only cover a specific memory operation but also satisfy a specific sequence of operations. In this paper, we propose UAF-Fuzzer for detecting UAFs, which consists of static analysis and fuzzing stages. In the static analysis stage, UAF-Fuzzer first uses target identification to determine the basic blocks that may cause UAFs as the target basic blocks; subsequently, it then instruments these target basic blocks. Subsequently, we propose a memory operation evaluation method to assess the complexity of memory operations. In the fuzzing stage, UAF-Fuzzer assigns energy to seeds using a memory evaluation operation and employs a novel seed selection algorithm to prioritize the execution of test cases that are likely to trigger UAF vulnerabilities. We designed and implemented a UAF-Fuzzer to improve the detection of UAFs and compared it with AFL, AFLFast, FairFuzz, MOPT, EcoFuzz, and TortoiseFuzz in terms of UAF vulnerability detection, crash detection, and path discovery. The results showed that UAF-Fuzzer is more effective in terms of detecting UAF vulnerabilities. We have also discovered three UAF vulnerabilities, submitted them to the software maintainer for fixing, and obtained CVE IDs.

mathematics

Xuwei Liu,Wei You,Yapeng Ye,Zhuo Zhang,Jianjun Huang,Xiangyu Zhang

DOI: https://doi.org/10.1145/3597503.3639172

2024-01-01

Abstract:In recent years, coverage-based greybox fuzzing has proven to be an effective and practical technique for discovering software vulnerabilities. The availability of American Fuzzy Loop (AFL) has facilitated numerous advances in overcoming challenges in fuzzing. However, the issue of mutating complex file formats, such as PDF, remains unresolved due to strict constraints. Existing fuzzers often produce mutants that fail to parse by applications, limited by bit/byte mutations performed on input files. Our observation is that most in-memory representations of file formats are simple, and well-designed applications have built-in printer functions to emit these structures as files. Thus, we propose a new technique that mutates the in-memory structures of inputs and utilizes printer functions to regenerate mutated files. Unlike prior approaches that require complex analysis to learn file format constraints, our technique leverages the printer function to preserve format constraints. We implement a prototype called FuzzINMEM and compare it with AFL as well as other state-of-the-art fuzzers, including AFL++, Mopt, Weizz, and FormatFuzzer. The results show that FuzzINMEM is scalable and substantially outperforms general-purpose fuzzers in terms of valid seed generation and path coverage. By applying FuzzINMEM to real-world applications, we found 29 unique vulnerabilities and were awarded 5 CVEs

Thorsten Holz,Samuel Groß,Simon Koch,Lukas Bernhard,Martin Johns

DOI: https://doi.org/10.14722/ndss.2023.24290

Abstract:—JavaScript has become an essential part of the Internet infrastructure, and today’s interactive web applications would be inconceivable without this programming language. On the downside, this interactivity implies that web applications rely on an ever-increasing amount of computationally intensive JavaScript code, which burdens the JavaScript engine responsible for efficiently executing the code. To meet these rising performance demands, modern JavaScript engines ship with sophisticated just-in-time (JIT) compilers. However, JIT compilers are a complex technology and, consequently, provide a broad attack surface for potential faults that might even be security-critical. Previous work on discovering software faults in JavaScript engines found many vulnerabilities, often using fuzz testing. Unfortunately, these fuzzing approaches are not designed to generate source code that actually triggers JIT semantics. Consequently, JIT vulnerabilities are unlikely to be discovered by existing methods. In this paper, we close this gap and present the first fuzzer that focuses on JIT vulnerabilities. More specifically, we present the design and implementation of an intermediate representation (IR) that focuses on discovering JIT compiler vulnerabilities. We implemented a complete prototype of the proposed approach and evaluated our fuzzer over a period of six months. In total, we discovered 17 confirmed security vulnerabilities. Our results show that targeted JIT fuzzing is possible and a dangerously neglected gap in fuzzing coverage for JavaScript engines.

Computer Science

Xiajing Wang,Changzhen Hu,Rui Ma,Binbin Li,Xuefei Wang

DOI: https://doi.org/10.1109/ICTAI50040.2020.00098

2020-01-01

Abstract:Fuzzing is a well-known technique for efficiently finding software vulnerabilities. Unfortunately, due to syntax check, even the state-of-the-art fuzzers are not very efficient at discovering hard-to-trigger bugs in applications that expect highly structured inputs. Grammar-based fuzzers, while effective, often require expert knowledge and incur significant computational overhead. In this paper, we present LAFuzz, an automated fuzzer that generates high-quality seed inputs, which utilizes a variety of deep neural network model with different setup to efficiently fuzz programs that expect structured or unstructured inputs. We achieve this by combining mutation-based fuzzing and generation-based fuzzing offline. Our evaluation on 8 popular real-world applications demonstrated that LAFuzz-LSTM and LAFuzz-Attention significantly outperform AFL, a state-of-the-art fuzzer, on most cases both at discovering more crashes and achieving higher code coverage. In total, LAFuzz-LSTM and LAFuzz-Attention can effectively improve the code coverage over AFL by 7.55% and 7.67%; and both fuzzers can consistently discover 30.19% as well as 82.39% more unique crashes. Furthermore, extensive evaluation also showed that LAFuzz provides a great compatibility and expansibility.

Weiming Li,Junqing Yu,Shaobo Ai

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.z2.013

2013-01-01

Abstract:Fuzz Testing is an effective method to mine all kinds of vulnerabilities. But the main drawbacks to current fuzz testing tools are: firstly, it produces high volume testing data and it's extraordinary time consumption; secondly, if the accessing needs authentication, the greatest part of test data will be abandoned. PyFuzzer, a novel automatic in-memory fuzz testing tool combining static analysis, dynamic analysis and in-memory fuzz testing, was presented. The tool is highly automatic and effective. Compared with 4n FTP Fuzzer in testing WarFTPD and Serv-U, PyFuzzer can discover all vulnerabilities and improve test efficiency greatly.

Wei You,Xuwei Liu,Shiqing Ma,David Perry,Xiangyu Zhang,Bin Liang

DOI: https://doi.org/10.1109/ICSE.2019.00080

2019-01-01

Abstract:Fuzzing is an important technique to detect software bugs and vulnerabilities. It works by mutating a small set of seed inputs to generate a large number of new inputs. Fuzzers' performance often substantially degrades when valid seed inputs are not available. Although existing techniques such as symbolic execution can generate seed inputs from scratch, they have various limitations hindering their applications in real-world complex software. In this paper, we propose a novel fuzzing technique that features the capability of generating valid seed inputs. It piggy-backs on AFL to identify input validity checks and the input fields that have impact on such checks. It further classifies these checks according to their relations to the input. Such classes include arithmetic relation, object offset, data structure length and so on. A multi-goal search algorithm is developed to apply class-specific mutations in order to satisfy inter-dependent checks all together. We evaluate our technique on 20 popular benchmark programs collected from other fuzzing projects and the Google fuzzer test suite, and compare it with existing fuzzers AFL and AFLFast, symbolic execution engines KLEE and S2E, and a hybrid tool Driller that combines fuzzing with symbolic execution. The results show that our technique is highly effective and efficient, out-performing the other tools.

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Wenjie Wang,Donghai Tian,Rui Ma,Hang Wei,Qianjin Ying,Xiaoqi Jia,Lei Zuo

DOI: https://doi.org/10.23919/jcc.2021.08.001

2021-01-01

China Communications

Abstract:Fuzzing is an effective technique to find security bugs in programs by quickly exploring the input space of programs. To further discover vulnerabilities hidden in deep execution paths, the hybrid fuzzing combines fuzzing and concolic execution for going through complex branch conditions. In general, we observe that the execution path which comes across more and complex basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace and hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system, namely SHFuzz. The evaluation results show SHFuzz discovers more unique crashes on several real-world applications and the LAVA-M dataset when compared to the previous solutions.

Tai Yue,Pengfei Wang,Yong Tang,Enze Wang,Bo Yu,Kai Lu,Xu Zhou

2020-01-01

Abstract:Fuzzing is one of the most effective approaches for identifying security vulnerabilities. As a state-of-the-art coverage-based greybox fuzzer, AFL is a highly effective and widely used technique. However, AFL allocates excessive energy (i.e., the number of test cases generated by the seed) to seeds that exercise the high-frequency paths and can not adaptively adjust the energy allocation, thus wasting a significant amount of energy. Moreover, the current Markov model for modeling coverage-based greybox fuzzing is not profound enough. This paper presents a variant of the Adversarial Multi-Armed Bandit model for modeling AFL's power schedule process. We first explain the challenges in AFL's scheduling algorithm by using the reward probability that generates a test case for discovering a new path. Moreover, we illustrated the three states of the seeds set and developed a unique adaptive scheduling algorithm as well as a probability-based search strategy. These approaches are implemented on top of AFL in an adaptive energy-saving greybox fuzzer called EcoFuzz. EcoFuzz is examined against other six AFL-type tools on 14 real-world subjects over 490 CPU days. According to the results, EcoFuzz could attain 214% of the path coverage of AFL with reducing 32% test cases generation of that of AFL. Besides, EcoFuzz identified 12 vulnerabilities in GNU Binutils and other software. We also extended EcoFuzz to test some IoT devices and found a new vulnerability in the SNMP component.

You Wu,Qi Zhan,Haipeng Qu,Xiaoqi Zhao

DOI: https://doi.org/10.1109/icstw55395.2022.00054

2022-01-01

Abstract:In recent years, coverage-based greybox fuzzing (CGF) has become one of the most important techniques to discover security bugs. The existing fuzzers score the seeds, and then allocate the energy to the seeds according to the scoring results, but most seeds obtain the same energy, and then repeatedly select the same seeds for fuzzing. These strategies have been proved to be inefficient. Our experimental observations show that various seeds have diverse efficiency, and the efficiency of test cases changes increase with execution time. In this paper, we propose a novel yet lightweight energy allocation strategy, called AcoFuzz, to improve fuzzing efficiency. AcoFuzz has one following distinct advantage: Dynamically allocate energy for seeds to cope with their efficiency variation. Extensive experiments based on real-world programs and the LAVA-M dataset have been conducted to evaluate the path discovery and vulnerability detection ability of AcoFuzz, which substantially outperforms 3 state-of-the-art fuzzers.

Tai D. Nguyen,Long H. Pham,Jun Sun

2023-07-05

Abstract:Fuzzing has emerged as a powerful technique for finding security bugs in complicated real-world applications. American fuzzy lop (AFL), a leading fuzzing tool, has demonstrated its powerful bug finding ability through a vast number of reported CVEs. However, its random mutation strategy is unable to generate test inputs that satisfy complicated branching conditions (e.g., magic-byte comparisons, checksum tests, and nested if-statements), which are commonly used in image decoders/encoders, XML parsers, and checksum tools. Existing approaches (such as Steelix and Neuzz) on addressing this problem assume unrealistic assumptions such as we can satisfy the branch condition byte-to-byte or we can identify and focus on the important bytes in the input (called hot-bytes) once and for all. In this work, we propose an approach called \tool~which is designed based on the following principles. First, there is a complicated relation between inputs and branching conditions and thus we need not only an expressive model to capture such relationship but also an informative measure so that we can learn such relationship effectively. Second, different branching conditions demand different hot-bytes and we must adjust our fuzzing strategy adaptively depending on which branches are the current bottleneck. We implement our approach as an open source project and compare its efficiency with other state-of-the-art fuzzers. Our evaluation results on 10 real-world programs and LAVA-M dataset show that \tool~achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.

Cryptography and Security,Software Engineering