HF-DGF: Hybrid Feedback Guided Directed Grey-box Fuzzing
Guangfa Lyu, Zhenzhong Cao, Xiaofei Ren, Fengyu Wang

TL;DR
HF-DGF introduces a hybrid feedback guided directed grey-box fuzzing framework that significantly improves crash reproduction speed and efficiency by integrating control-flow, value-flow, and coverage feedback with novel algorithms.
Contribution
The paper presents HF-DGF, a new directed grey-box fuzzing framework with hybrid feedback mechanisms and algorithms for precise control-flow distance calculation and state space exploration.
Findings
HF-DGF achieves up to 73.75 times faster crash reproduction than WindRanger.
HF-DGF outperforms existing tools in crash reproduction speed and static analysis efficiency.
HF-DGF demonstrates superior directionality and efficiency in real-world vulnerability testing.
Abstract
Directed Grey-box Fuzzing (DGF) has emerged as a widely adopted technique for crash reproduction and patch testing, leveraging its capability to precisely navigate toward target locations and exploit vulnerabilities. However, current DGF tools are constrained by insufficient runtime feedback, limiting their efficiency in reaching targets and exploring state spaces. This study presents HF-DGF, a novel directed grey-box fuzzing framework. Its seed scheduling is guided by a hybrid feedback mechanism integrating control-flow distance, value-flow influence score, and slice coverage. To enable precise control-flow distance feedback, we propose a backward-stepping algorithm to calculate basic block-level seed distances on a virtual inter-procedural control-flow graph (ICFG). For effective state space exploration, we introduce value-flow influence and a corresponding metric, the value-flow…
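One component of the hybrid feedback described above, the control-flow distance, as an added illustration that is not the HF-DGF authors' code: a backward breadth-first walk over a small constructed ICFG assigns every basic block its distance to the target, and seeds are then ranked by the mean distance of the blocks they executed. The ICFG, block names, traces and the mean-based aggregation are assumptions of this example, not details taken from the paper.

```python
from collections import deque
# Constructed ICFG: block -> successors; call/return edges are plain edges.
ICFG = {
    "main.entry": ["main.check", "main.exit"],
    "main.check": ["parse.entry"],
    "parse.entry": ["parse.loop", "parse.err"],
    "parse.loop": ["parse.loop", "parse.done"],
    "parse.done": ["main.exit"],
    "parse.err": ["main.exit"],
    "main.exit": [],
}
TARGET = "parse.done"  # the crash site seeds should be steered toward

def block_distances(icfg, target):
    """Backward BFS over predecessor edges: each block gets its shortest path
    length *to* the target; blocks that cannot reach it are omitted."""
    preds = {b: [] for b in icfg}
    for src, succs in icfg.items():
        for dst in succs:
            preds[dst].append(src)
    dist, queue = {target: 0}, deque([target])
    while queue:
        cur = queue.popleft()
        for p in preds[cur]:
            if p not in dist:
                dist[p] = dist[cur] + 1
                queue.append(p)
    return dist

def seed_distance(trace, dist):
    """Mean block distance over executed blocks that can still reach the target
    (AFLGo-style aggregation, assumed here; the paper's own is not on this page).
    None when no executed block lies on a path to the target."""
    on_path = [dist[b] for b in trace if b in dist]
    return sum(on_path) / len(on_path) if on_path else None

def schedule(seeds, dist):
    """Rank seeds: smallest distance first, seeds that cannot reach the target last."""
    ranked = [(seed_distance(t, dist), name) for name, t in seeds.items()]
    ranked.sort(key=lambda r: (r[0] is None, r[0] if r[0] is not None else 0.0))
    return [name for _, name in ranked]

# Constructed execution traces (block sequences) for four seeds.
SEEDS = {
    "s_exit": ["main.entry", "main.exit"],
    "s_err": ["main.entry", "main.check", "parse.entry", "parse.err", "main.exit"],
    "s_loop": ["main.entry", "main.check", "parse.entry", "parse.loop", "parse.loop"],
    "s_dead": ["main.exit"],
}
```

Calling `schedule(SEEDS, block_distances(ICFG, TARGET))` ranks `s_loop` first because its trace stays on blocks close to the target, while `s_dead` goes last since none of its blocks can reach it.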
Taxonomy
Topics: Software Testing and Debugging Techniques · Advanced Malware Detection Techniques · Radiation Effects in Electronics
