Ensemble Fuzzing with Dynamic Resource Scheduling and Multidimensional Seed Evaluation
Yukai Zhao, Shaohua Wang, Jue Wang, Xing Hu, Xin Xia

TL;DR
Legion is an innovative ensemble fuzzing framework that dynamically allocates resources and evaluates seeds across multiple metrics, significantly improving vulnerability detection efficiency.
Contribution
This paper introduces Legion, a novel ensemble fuzzing system with dynamic resource scheduling and multidimensional seed evaluation, enhancing effectiveness over existing methods.
Findings
Outperforms existing fuzzers and ensemble techniques.
Detects 20 vulnerabilities, including 5 new and 3 CVEs.
Reduces resource waste through adaptive scheduling.
Abstract
Fuzzing is widely used for detecting bugs and vulnerabilities, with various techniques proposed to enhance its effectiveness. To combine the advantages of multiple technologies, researchers proposed ensemble fuzzing, which integrates multiple base fuzzers. Despite promising results, state-of-the-art ensemble fuzzing techniques face limitations in resource scheduling and performance evaluation, leading to unnecessary resource waste. In this paper, we propose Legion, a novel ensemble fuzzing framework that dynamically schedules resources during the ensemble fuzzing campaign. We designed a novel resource scheduling algorithm based on the upper confidence bound algorithm to reduce the resource consumption of ineffective base fuzzers. Additionally, we introduce a multidimensional seed evaluation strategy, which considers multiple metrics to achieve more comprehensive fine-grained performance…
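The abstract says scheduling builds on the upper confidence bound algorithm. As an added illustration (textbook UCB1, not Legion's algorithm, which this page does not detail), the sketch below grants time slices to three hypothetical base fuzzers and compares the result with a fixed equal split. The fuzzer names, per-slice edge yields and the normalisation cap are constructed assumptions.

```python
import math

# Constructed sample data: new coverage edges each hypothetical base fuzzer
# finds per time slice. Not measurements from the paper.
SAMPLE_YIELD = {"fuzzer_a": 12, "fuzzer_b": 6, "fuzzer_c": 1}
MAX_EDGES = 20  # assumed cap used to normalise rewards into [0, 1]


def reward(name):
    """Normalised reward for granting one time slice to a base fuzzer."""
    return min(SAMPLE_YIELD[name] / MAX_EDGES, 1.0)


def ucb1_schedule(names, slices, c=math.sqrt(2)):
    """Grant `slices` time slices one at a time using textbook UCB1.

    Returns {name: slices granted}.
    """
    pulls = {n: 0 for n in names}
    gained = {n: 0.0 for n in names}
    for t in range(1, slices + 1):
        untried = [n for n in names if pulls[n] == 0]
        if untried:
            pick = untried[0]  # run every base fuzzer once first
        else:
            # mean reward plus an exploration bonus that shrinks with use
            pick = max(names, key=lambda n: gained[n] / pulls[n]
                       + c * math.sqrt(math.log(t) / pulls[n]))
        gained[pick] += reward(pick)
        pulls[pick] += 1
    return pulls


def total_edges(pulls):
    """Edges found under an allocation, given the constructed yields."""
    return sum(SAMPLE_YIELD[n] * k for n, k in pulls.items())


if __name__ == "__main__":
    names = list(SAMPLE_YIELD)
    adaptive = ucb1_schedule(names, 300)
    static = {n: 100 for n in names}  # fixed equal split for comparison
    print("adaptive:", adaptive, total_edges(adaptive))
    print("static:  ", static, total_edges(static))
```

The low-yield fuzzer still receives occasional slices because the exploration bonus grows with elapsed time, so a base fuzzer that becomes productive later in a campaign is not starved permanently.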
