PrescientFuzz: A more effective exploration approach for grey-box fuzzing
Daniel Blackwell, David Clark

TL;DR
PrescientFuzz enhances grey-box fuzzing by using CFG semantic information to prioritize inputs, significantly improving code coverage and effectiveness over existing fuzzers in benchmark tests.
Contribution
It introduces a novel input scheduling method based on CFG proximity, boosting fuzzing efficiency and coverage in grey-box fuzzers.
Findings
PrescientFuzz outperforms other fuzzers in code coverage.
It achieves higher average rankings in benchmarks.
The CFG-based input prioritization improves fuzzing effectiveness.
Abstract
Since the advent of AFL, the use of mutational, feedback-directed, grey-box fuzzers has become critical in the automated detection of security vulnerabilities. A great deal of research currently goes into their optimisation, including improving the rate at which they achieve branch coverage early in a campaign. We produce an augmented version of LibAFL's 'fuzzbench' fuzzer, called PrescientFuzz, that makes use of semantic information from the target program's control flow graph (CFG). We develop an input corpus scheduler that prioritises the selection of inputs for mutation based on the proximity of their execution path to uncovered edges. Simple as this idea is, PrescientFuzz leads all fuzzers using the Google FuzzBench at the time of writing -- in both average code coverage and average ranking, across the benchmark SUTs. Whilst the existence of uncovered edges in the CFG does not…
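To make the scheduling idea in the abstract concrete, here is an added, simplified illustration of proximity-based corpus scheduling. It is not PrescientFuzz's or LibAFL's code: the CFG is a constructed, hypothetical file parser, the corpus traces are constructed, and the scoring rule (shortest forward distance from any block on an input's path to a block that still has an uncovered outgoing edge, with the count of such edges as a tie-break) is an assumption chosen for the example rather than the paper's exact heuristic.

```python
from collections import deque
from math import inf

# Constructed CFG of a hypothetical file parser: block -> successor blocks.
# Every (src, dst) pair is one CFG edge, the unit an edge-coverage fuzzer tracks.
CFG = {
    "entry": ["parse", "usage"],
    "usage": ["exit"],
    "parse": ["check_magic", "reject"],
    "reject": ["exit"],
    "check_magic": ["read_header", "reject"],
    "read_header": ["handle_v1", "handle_v2"],
    "handle_v1": ["exit"],
    "handle_v2": ["decompress", "exit"],
    "decompress": ["exit"],
    "exit": [],
}

# Constructed corpus: input name -> basic-block trace recorded when it ran.
CORPUS = {
    "empty": ["entry", "usage", "exit"],
    "bad_magic": ["entry", "parse", "check_magic", "reject", "exit"],
    "v1_file": ["entry", "parse", "check_magic", "read_header", "handle_v1", "exit"],
}


def path_edges(path):
    """Edges exercised by one execution trace."""
    return set(zip(path, path[1:]))


def covered_edges(corpus):
    """Union of the edges exercised by every input in the corpus."""
    covered = set()
    for path in corpus.values():
        covered |= path_edges(path)
    return covered


def uncovered_edges(cfg, covered):
    """CFG edges no corpus input has exercised yet."""
    return {(s, d) for s, succs in cfg.items() for d in succs} - covered


def frontier_distances(cfg, uncovered):
    """Shortest forward distance (in edges) from each block to the nearest block
    that still has an uncovered outgoing edge. Computed as a multi-source BFS
    over the reversed CFG; blocks that cannot reach such a block map to inf."""
    preds = {n: [] for n in cfg}
    for s, succs in cfg.items():
        for d in succs:
            preds[d].append(s)
    dist = {n: inf for n in cfg}
    queue = deque()
    for src, _ in uncovered:          # frontier blocks start at distance 0
        if dist[src] == inf:
            dist[src] = 0
            queue.append(src)
    while queue:
        n = queue.popleft()
        for p in preds[n]:
            if dist[p] == inf:
                dist[p] = dist[n] + 1
                queue.append(p)
    return dist


def score(path, dist, uncovered):
    """Sort key; lower sorts first. Primary: distance from the closest block on
    the path to the uncovered frontier. Tie-break: negated number of uncovered
    edges that leave blocks on this path (more reachable new edges wins)."""
    blocks = set(path)
    nearest = min(dist[b] for b in blocks)
    adjacent = sum(1 for s, _ in uncovered if s in blocks)
    return (nearest, -adjacent)


def schedule(cfg, corpus):
    """Corpus input names ordered from most to least promising for mutation."""
    covered = covered_edges(corpus)
    uncovered = uncovered_edges(cfg, covered)
    dist = frontier_distances(cfg, uncovered)
    # sorted() is stable: if every edge is already covered, all keys are
    # (inf, 0) and the corpus keeps its insertion order as a fallback.
    return sorted(corpus, key=lambda name: score(corpus[name], dist, uncovered))


if __name__ == "__main__":
    print("uncovered:", sorted(uncovered_edges(CFG, covered_edges(CORPUS))))
    print("schedule:", schedule(CFG, CORPUS))
```

With the constructed corpus, `v1_file` is picked first because its path touches two frontier blocks (`parse` and `read_header`), `bad_magic` second (only `parse`), and `empty` last since nothing on its path is closer than one edge to an uncovered edge. A real scheduler would feed these ranks into mutation energy or selection probability rather than a strict order, and would recompute distances as new coverage arrives.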
Taxonomy
Topics: Industrial Vision Systems and Defect Detection · Digital Transformation in Industry · AI-based Problem Solving and Planning
