PrescientFuzz: A more effective exploration approach for grey-box fuzzing (2404.18887v2)
Abstract: Since the advent of AFL, the use of mutational, feedback directed, grey-box fuzzers has become critical in the automated detection of security vulnerabilities. A great deal of research currently goes into their optimisation, including improving the rate at which they achieve branch coverage early in a campaign. We produce an augmented version of LibAFL's `fuzzbench' fuzzer, called PrescientFuzz, that makes use of semantic information from the target program's control flow graph (CFG). We develop an input corpus scheduler that prioritises the selection of inputs for mutation based on the proximity of their execution path to uncovered edges. Simple as this idea is, PrescientFuzz leads all fuzzers using the Google FuzzBench at the time of writing -- in both average code coverage and average ranking, across the benchmark SUTs. Whilst the existence of uncovered edges in the CFG does not guarantee their feasibility, the improvement in coverage over the state-of-the-art fuzzers suggests that this is not an issue in practice.