Abstract: Directed Greybox Fuzzing (DGF) is a technique for efficiently covering specific program locations, which makes it well suited to vulnerability discovery and regression testing. However, previous DGF tools often become trapped in local optima, where some targets are adequately covered while other targets remain unexploited. We propose the concept of Target-Directed Basic Blocks to guide the fuzzer efficiently, a multi-dimensional energy scheduling algorithm to guide seed generation, and an adaptive exploration-exploitation strategy to avoid falling into local optima. Moreover, we optimize the mutation algorithm with a branch-sensitive strategy and a reinforcement learning algorithm based on the multi-armed bandit model. We implemented these algorithms in a tool called SAFuzz and conducted extensive experiments and evaluations in real-world scenarios. The results demonstrate that SAFuzz is effective in bug reproduction, guiding toward different targets, and validating static analysis results compared with the state-of-the-art baseline tools AFLGo, WindRanger, AFL++, and Lolly. In addition, SAFuzz has detected seven new vulnerabilities in real-world programs, one of which could not be found by any of the baseline fuzzers within the time budget.
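The abstract describes scheduling mutation operators with a multi-armed bandit. The following is an added illustration, not SAFuzz's own code: a UCB1 bandit chooses among five AFL-style operator names (assumed stand-ins) against a constructed environment whose per-operator hit rates are made up for the simulation, showing how exploration gives way to exploitation of the operator that most often reaches a target block.

```python
import math
import random

# Bandit arms: AFL-style operator names chosen for this example (assumption).
OPERATORS = ("bitflip", "arith", "interesting", "havoc", "splice")


class UCB1Scheduler:
    """Choose the next mutation operator with the UCB1 rule: every arm is tried
    once, then the arm maximising mean reward + exploration bonus is picked.
    The bonus shrinks as an arm is pulled, so good operators are exploited
    while rarely tried ones are still revisited."""

    def __init__(self, arms, c=math.sqrt(2)):
        self.arms = list(arms)
        self.c = c
        self.pulls = {a: 0 for a in self.arms}
        self.reward_sum = {a: 0.0 for a in self.arms}
        self.total = 0

    def mean(self, arm):
        return self.reward_sum[arm] / self.pulls[arm] if self.pulls[arm] else 0.0

    def select(self):
        for arm in self.arms:
            if self.pulls[arm] == 0:
                return arm  # untried arm: explore it first
        return max(self.arms, key=lambda a: self.mean(a)
                   + self.c * math.sqrt(math.log(self.total) / self.pulls[a]))

    def update(self, arm, reward):
        self.pulls[arm] += 1
        self.reward_sum[arm] += reward
        self.total += 1


# Constructed environment: hidden probability that a mutant produced by each
# operator reaches a target-directed basic block (a real fuzzer learns this
# from coverage feedback; the numbers here are invented for the simulation).
HIDDEN_HIT_RATE = {"bitflip": 0.05, "arith": 0.10, "interesting": 0.08,
                   "havoc": 0.60, "splice": 0.10}


def run_simulation(rounds=5000, seed=1234):
    """Drive the scheduler for `rounds` mutations; reward 1 on a target hit."""
    rng = random.Random(seed)
    sched = UCB1Scheduler(OPERATORS)
    for _ in range(rounds):
        op = sched.select()
        sched.update(op, 1.0 if rng.random() < HIDDEN_HIT_RATE[op] else 0.0)
    return sched


def best_operator(sched):
    """Operator the scheduler has come to rely on most (most pulls)."""
    return max(sched.arms, key=lambda a: sched.pulls[a])
```

Printing `sched.pulls` and `sched.mean(op)` for each operator after `run_simulation()` shows the high-yield operator absorbing most of the energy while every other arm keeps a small, non-zero share.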