SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing

TL;DR

SLOPT is a novel framework that combines bandit algorithms with mutation schemes to optimize fuzzing, leading to higher code coverage and discovery of new vulnerabilities across real-world programs.

Contribution

It introduces a unified optimization framework that integrates mutation schemes with bandit algorithms, adaptable to existing fuzzers like AFL and Honggfuzz.

Findings

SLOPT-AFL++ outperforms AFL++ in code coverage on FuzzBench programs.

SLOPT-AFL++ discovers three previously unknown vulnerabilities.

The framework can be integrated into existing fuzzers with minimal modifications.

Abstract

Mutation-based fuzzing has become one of the most common vulnerability discovery solutions over the last decade. Fuzzing can be optimized when targeting specific programs, and given that, some studies have employed online optimization methods to do it automatically, i.e., tuning fuzzers for any given program in a program-agnostic manner. However, previous studies have neither fully explored mutation schemes suitable for online optimization methods, nor online optimization methods suitable for mutation schemes. In this study, we propose an optimization framework called SLOPT that encompasses both a bandit-friendly mutation scheme and mutation-scheme-friendly bandit algorithms. The advantage of SLOPT is that it can generally be incorporated into existing fuzzers, such as AFL and Honggfuzz. As a proof of concept, we implemented SLOPT-AFL++ by integrating SLOPT into AFL++ and showed that the program-agnostic optimization delivered by SLOPT enabled SLOPT-AFL++ to achieve higher code coverage than AFL++ in all of ten real-world FuzzBench programs. Moreover, we ran SLOPT-AFL++ against several real-world programs from OSS-Fuzz and successfully identified three previously unknown vulnerabilities, even though these programs have been fuzzed by AFL++ for a considerable number of CPU days on OSS-Fuzz.