The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing
Pengfei Wang, Xu Zhou, Tai Yue, Peihong Lin, Yingying Liu, and Kai Lu

TL;DR
This paper provides a comprehensive review of directed greybox fuzzing (DGF), analyzing its progress, challenges, and future directions by studying 42 related tools and categorizing DGF into location-directed and behavior-directed types.
Contribution
It offers the first in-depth empirical analysis of DGF, summarizes current research, identifies gaps, and proposes future research opportunities in the field.
Findings
DGF effectively targets bug-prone code areas, improving bug detection efficiency.
Current DGF tools face limitations in coverage and scalability.
The study categorizes DGF into location-directed and behavior-directed types.
Abstract
Greybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage-guided, as reaching high code coverage is more likely to find bugs. However, since most covered code may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage-guided greybox fuzzing, which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g., the bug-prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state-of-the-art fuzzers that…
