AFLGopher: Accelerating Directed Fuzzing via Feasibility-Aware Guidance

TL;DR

AFLGopher introduces a feasibility-aware guiding mechanism for directed fuzzing, significantly improving efficiency in reaching target code sites and triggering vulnerabilities compared to existing state-of-the-art tools.

Contribution

The paper presents a novel feasibility-aware distance calculation and prediction method that enhances directed fuzzing guidance, addressing limitations of existing feasibility-unaware approaches.

Findings

AFLGopher is up to 3.76x faster in reaching targets.

AFLGopher is up to 5.60x faster in triggering vulnerabilities.

The new method improves guidance accuracy and efficiency.

Abstract

Directed fuzzing is a useful testing technique that aims to efficiently reach target code sites in a program. The core of directed fuzzing is the guiding mechanism that directs the fuzzing to the specified target. A general guiding mechanism adopted in existing directed fuzzers is to calculate the control-flow distance between the current progress and the target, and use that as feedback to guide the directed fuzzing. A fundamental problem with the existing guiding mechanism is that the distance calculation is \emph{feasibility-unaware}. In this work, we propose feasibility-aware directed fuzzing named AFLGopher. Our new feasibility-aware distance calculation provides pragmatic feedback to guide directed fuzzing to reach targets efficiently. We propose new techniques to address the challenges of feasibility prediction. Our new classification method allows us to predict the feasibility of all branches based on limited traces, and our runtime feasibility-updating mechanism gradually and efficiently improves the prediction precision. We implemented AFLGopher and compared AFLGopher with state-of-the-art directed fuzzers including AFLGo, enhanced AFLGo, WindRanger, BEACON and SelectFuzz. AFLGopher is 3.76x, 2.57x, 3.30x, 2.52x and 2.86x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in reaching targets. AFLGopher is 5.60x, 5.20x, 4.98x, 4.52x, and 5.07x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in triggering known vulnerabilities.