Adaptive Grey-Box Fuzz-Testing with Thompson Sampling
Siddharth Karamcheti, Gideon Mann, and David Rosenberg

TL;DR
This paper introduces an adaptive machine learning method using Thompson Sampling to optimize mutation operator selection in grey-box fuzzing, significantly improving bug detection and code coverage over traditional AFL.
Contribution
It presents a novel adaptive approach that learns and fine-tunes mutation operator distributions during fuzzing, enhancing effectiveness over existing methods.
Findings
Improved code coverage and crash discovery rates.
Adaptive mutator distribution outperforms baseline AFL.
Thompson Sampling effectively tunes the fuzzing process in real time.
Abstract
Fuzz testing, or "fuzzing," refers to a widely deployed class of techniques for testing programs by generating a set of inputs for the express purpose of finding bugs and identifying security flaws. Grey-box fuzzing, the most popular fuzzing strategy, combines light program instrumentation with a data-driven process to generate new program inputs. In this work, we present a machine learning approach that builds on AFL, the preeminent grey-box fuzzer, by adaptively learning a probability distribution over its mutation operators on a program-specific basis. These operators, which are selected uniformly at random in AFL and mutational fuzzers in general, dictate how new inputs are generated, a core part of the fuzzer's efficacy. Our main contributions are two-fold: First, we show that a sampling distribution over mutation operators estimated from training programs can significantly improve…
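As an added illustration (not the authors' code), the following is a toy model of the adaptive loop the abstract describes: a Thompson Sampling bandit keeps one Beta posterior per mutation operator, rewards an operator whenever its mutated input reaches new coverage, and can be compared against AFL-style uniform selection. The operator names and per-operator success rates are constructed stand-ins, and the coverage signal is simulated rather than taken from an instrumented target.

```python
import random

class ThompsonMutatorBandit:
    """One Beta(alpha, beta) posterior per mutation operator. Reward is 1 when
    the mutated input reached new coverage, 0 otherwise."""

    def __init__(self, operators, seed=0):
        self.rng = random.Random(seed)
        self.alpha = {op: 1.0 for op in operators}  # successes + 1 (uniform prior)
        self.beta = {op: 1.0 for op in operators}   # failures + 1
        self.pulls = {op: 0 for op in operators}

    def select(self):
        # Thompson step: one draw per posterior, pick the operator with the largest.
        draws = {op: self.rng.betavariate(self.alpha[op], self.beta[op])
                 for op in self.alpha}
        return max(draws, key=draws.get)

    def update(self, op, new_coverage):
        self.pulls[op] += 1
        if new_coverage:
            self.alpha[op] += 1.0
        else:
            self.beta[op] += 1.0

    def posterior_mean(self, op):
        return self.alpha[op] / (self.alpha[op] + self.beta[op])

def run_simulation(true_rates, rounds=2000, seed=1, adaptive=True):
    """Simulate `rounds` fuzzing iterations. `true_rates` maps operator name to an
    assumed probability that one application yields new coverage (a stand-in for
    running an instrumented target). adaptive=False picks operators uniformly at
    random, as AFL does. Returns (bandit, number_of_new_coverage_hits)."""
    ops = list(true_rates)
    bandit = ThompsonMutatorBandit(ops, seed=seed)
    sim = random.Random(seed + 1)  # drives the simulated target and uniform choice
    hits = 0
    for _ in range(rounds):
        op = bandit.select() if adaptive else sim.choice(ops)
        found = sim.random() < true_rates[op]
        bandit.update(op, found)
        hits += found
    return bandit, hits

# Constructed operator names and success rates: one operator is far more
# productive on this imaginary target, which is what a learned distribution exploits.
RATES = {"bitflip": 0.02, "arith": 0.05, "interesting": 0.30,
         "havoc_insert": 0.04, "havoc_delete": 0.03}
```

Calling `run_simulation(RATES)` and `run_simulation(RATES, adaptive=False)` and comparing the returned hit counts shows the bandit concentrating its pulls on the productive operator while uniform selection keeps spending most iterations on the unproductive ones.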
