Make out like a (Multi-Armed) Bandit: Improving the Odds of Fuzzer Seed Scheduling with T-Scheduler (2312.04749v1)

Published 7 Dec 2023 in cs.CR

Abstract: Fuzzing is a highly-scalable software testing technique that uncovers bugs in a target program by executing it with mutated inputs. Over the life of a fuzzing campaign, the fuzzer accumulates inputs inducing new and interesting target behaviors, drawing from these inputs for further mutation. This rapidly results in a large number of inputs to select from, making it challenging to quickly and accurately select the "most promising" input for mutation. Reinforcement learning (RL) provides a natural solution to this "seed scheduling" problem: the fuzzer dynamically adapts its selection strategy by learning from past results. However, existing RL approaches are (a) computationally expensive (reducing fuzzer throughput) and/or (b) require hyperparameter tuning (reducing generality across targets and input types). To this end, we propose T-Scheduler, a seed scheduler built on multi-armed bandit theory that automatically adapts to the target without any hyperparameter tuning. We evaluate T-Scheduler over 35 CPU-yr of fuzzing, comparing it to 11 state-of-the-art schedulers. Our results show that T-Scheduler improves on these 11 schedulers on both bug-finding and coverage-expansion abilities.
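The abstract frames seed selection as a bandit problem: each corpus entry is an arm, pulling an arm means mutating that seed a few times, and the reward is whether the mutants exercised new target behaviour. The page does not describe T-Scheduler's own algorithm, so the following is an added illustration of that framing using a generic Beta-Bernoulli Thompson sampling scheduler, not the authors' code. The target is simulated: each seed carries a constructed, hidden probability of producing new coverage, and the scheduler has to discover which seed is worth the fuzzer's time without any tuned hyperparameters (the uniform Beta(1,1) prior is the only constant).

```python
"""Seed scheduling as a multi-armed bandit: Beta-Bernoulli Thompson sampling.

Added example for illustration; it is not T-Scheduler's algorithm and the
"target" is a constructed simulation, not a real fuzzing harness.
"""
import random
from dataclasses import dataclass


@dataclass
class Seed:
    """One corpus entry, modelled as a bandit arm with a Beta posterior."""
    name: str
    alpha: float = 1.0  # 1 + number of mutations that found new coverage
    beta: float = 1.0   # 1 + number of mutations that found nothing new
    picks: int = 0      # how often the scheduler chose this seed

    def sample(self, rng: random.Random) -> float:
        # Thompson sampling: draw a plausible success rate from the posterior.
        return rng.betavariate(self.alpha, self.beta)

    def update(self, found_new_coverage: bool) -> None:
        # Bayesian update of the Beta posterior after one fuzzing step.
        self.picks += 1
        if found_new_coverage:
            self.alpha += 1.0
        else:
            self.beta += 1.0

    def expected_success_rate(self) -> float:
        return self.alpha / (self.alpha + self.beta)


class ThompsonScheduler:
    """Picks the seed whose sampled success rate is highest.

    Seeds that keep yielding new coverage get sharper, higher posteriors and are
    chosen more often; seeds that rarely yield are still tried occasionally,
    because a wide posterior sometimes samples high (exploration for free).
    """

    def __init__(self, seeds, rng: random.Random):
        self.seeds = list(seeds)
        self.rng = rng

    def select(self) -> Seed:
        return max(self.seeds, key=lambda s: s.sample(self.rng))

    def add_seed(self, seed: Seed) -> None:
        # New inputs discovered during the campaign join the corpus with the
        # uninformative prior, so they get explored like any other seed.
        self.seeds.append(seed)


def simulated_fuzz_step(seed: Seed, yield_prob: dict, rng: random.Random) -> bool:
    """Constructed stand-in for 'mutate this seed and run the target'.

    yield_prob maps seed name -> hidden probability that a mutation of that
    seed reaches new coverage. A real fuzzer would read this from its coverage
    bitmap instead.
    """
    return rng.random() < yield_prob[seed.name]


def run_campaign(yield_prob: dict, iterations: int, rng_seed: int) -> dict:
    """Run a simulated campaign and return picks per seed name."""
    rng = random.Random(rng_seed)
    scheduler = ThompsonScheduler(
        (Seed(name) for name in yield_prob), rng)
    for _ in range(iterations):
        seed = scheduler.select()
        seed.update(simulated_fuzz_step(seed, yield_prob, rng))
    return {s.name: s.picks for s in scheduler.seeds}


if __name__ == "__main__":
    # Constructed corpus: 'b' is the only seed that reliably finds new paths.
    probs = {"a": 0.05, "b": 0.30, "c": 0.01}
    for name, picks in run_campaign(probs, iterations=500, rng_seed=1).items():
        print(f"seed {name}: scheduled {picks} times")
```

The scheduler adapts as the campaign proceeds: early on every seed has a wide posterior and is sampled roughly uniformly, but after a few hundred steps the productive seed dominates while the others are still revisited now and then. Because reward is measured from the fuzzer's own feedback (new coverage or not), the same code works unchanged across targets and input formats, which is the property the abstract highlights as missing from schedulers that need per-target hyperparameter tuning.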

Authors (6)
  1. Simon Luo (6 papers)
  2. Adrian Herrera (5 papers)
  3. Paul Quirk (3 papers)
  4. Michael Chase (1 paper)
  5. Damith C. Ranasinghe (53 papers)
  6. Salil S. Kanhere (96 papers)