Fuzzing Based on Function Importance by Interprocedural Control Flow Graph

TL;DR

This paper introduces a novel fuzzing approach that leverages function importance via an interprocedural control flow graph and PageRank to prioritize seed inputs, improving coverage and bug detection over traditional methods.

Contribution

It proposes a new fuzzing technique using an attributed interprocedural control flow graph and an importance calculation method to enhance seed selection and fuzzing efficiency.

Findings

Achieves 17% higher branch coverage on average.

Finds 13 bugs, including 3 CVEs.

Outperforms AFL and its improvements.

Abstract

Coverage-based graybox fuzzer (CGF), such as AFL has gained great success in vulnerability detection thanks to its ease-of-use and bug-finding power. Since some code fragments such as memory allocation are more vulnerable than others, various improving techniques have been proposed to explore the more vulnerable areas by collecting extra information from the program under test or its executions. However, these improvements only consider limited types of information sources and ignore the fact that the priority a seed input to be fuzzed may be influenced by all the code it covers. Based on the above observations, we propose a fuzzing method based on the importance of functions. First, a data structure called Attributed Interprocedural Control Flow Graph (AICFG) is devised to combine different features of code fragments. Second, the importance of each node in the AICFG is calculated based on an improved PageRank algorithm, which also models the influence between connected nodes. During the fuzzing process, the node importance is updated periodically by a propagation algorithm. Then the seed selection and energy scheduling of a seed input are determined by the importance of its execution trace. We implement this approach on top of AFL in a tool named FunAFL and conduct an evaluation on 14 real-world programs against AFL and two of its improvements. FunAFL, with 17% higher branch coverage than others on average, finds 13 bugs and 3 of them are confirmed by CVE after 72 hours.