HyperGo: Probability-based Directed Hybrid Fuzzing
Peihong Lin, Pengfei Wang, Xu Zhou, Wei Xie, Kai Lu, and Gen Zhang

TL;DR
HyperGo is a novel probability-based directed hybrid fuzzing approach that effectively guides testing toward specific targets, significantly improving reachability and vulnerability discovery compared to existing methods.
Contribution
The paper introduces a probability-based fitness metric and an optimized symbolic execution scheme to enhance directed fuzzing effectiveness.
Findings
Achieves up to 143x speedup in reaching target sites.
Discovers 37 new vulnerabilities in real-world programs.
Outperforms existing directed fuzzing tools in efficiency.
Abstract
Directed grey-box fuzzing (DGF) is a target-guided fuzzing technique intended for testing specific targets (e.g., potentially buggy code). Despite numerous techniques proposed to enhance directedness, existing DGF techniques still face challenges, such as accounting for the difficulty of reaching different basic blocks when designing the fitness metric, and improving the effectiveness of symbolic execution (SE) when solving the complex constraints on the path to the target. In this paper, we propose a directed hybrid fuzzer called HyperGo. To address these challenges, we introduce the concept of path probability and combine it with distance to form an adaptive fitness metric called probability-based distance. By combining the two factors, probability-based distance can adaptively guide DGF toward paths that are closer to the target and have more easy-to-satisfy path…
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Reliability and Analysis Research · Advanced Malware Detection Techniques
