Energy distribution matters in greybox fuzzing

Lingyun Situ, Linzhang Wang, Xuandong Li, Le Guan, Wenhui Zhang, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

7 Scopus citations

Abstract

Existing energy distribution strategies of AFL and its variants have two limitations. (1) They focus on increasing coverage but ignore the fact that some code regions are more likely to be vulnerable than others. (2) They select mutators at random and deterministically specify the number of mutations per mutator, and therefore lack insight into which granularity of mutator is more helpful at a particular stage. We address both limitations of AFL's fuzzing energy distribution in a principled way. We direct the fuzzer to strengthen fuzzing toward regions that have a higher probability of containing vulnerabilities, based on static semantic metrics of the target program. Furthermore, we propose granularity-aware scheduling of mutators, which dynamically assigns ratios to different mutation operators. We implemented these improvements as an extension to AFL. Large-scale experimental evaluations showed the effectiveness of each improvement and the performance of their integration. The proposed tool has helped us find 12 new bugs and expose three new CVEs.

Original language: English (US)
Title of host publication: Proceedings - 2019 IEEE/ACM 41st International Conference on Software Engineering
Subtitle of host publication: Companion, ICSE-Companion 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 270-271
Number of pages: 2
ISBN (Electronic): 9781728117645
DOIs
State: Published - May 2019
Event: 41st IEEE/ACM International Conference on Software Engineering: Companion, ICSE-Companion 2019 - Montreal, Canada
Duration: May 25 2019 to May 31 2019

Publication series

Name: Proceedings - 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion, ICSE-Companion 2019

Conference

Conference: 41st IEEE/ACM International Conference on Software Engineering: Companion, ICSE-Companion 2019
Country/Territory: Canada
City: Montreal
Period: 5/25/19 to 5/31/19

All Science Journal Classification (ASJC) codes

  • Organizational Behavior and Human Resource Management
  • Software
  • Safety, Risk, Reliability and Quality
  • Education
