HyperGo: Probability-based Directed Hybrid Fuzzing
Peihong Lin, Pengfei Wang, Xu Zhou, Wei Xie, Kai Lu, Gen Zhang
TL;DR
This paper tackles directed grey-box fuzzing by addressing two core challenges: accurately guiding seeds toward targets via a probability-based distance that fuses path probability with BB distance, and effectively leveraging symbolic execution through a complementary scheme. HyperGo introduces three key innovations: a probability-based distance (with $d_p(m, T_b) = d_b(m, T_b) \cdot c^{-P(path_m)}$), a Directed Multi-Armed Bandit (DMAB) power schedule, and an Optimized Symbolic Execution Complementary (OSEC) scheme that prunes unreachable and unsolvable branches while prioritizing promising seeds. Empirical results on UniBench and AFLGo testsuite show HyperGo achieving up to $143.22\times$ speedups in reaching target sites and up to $4.10\times$ speedups in exposing vulnerabilities, along with discovering 37 undisclosed vulnerabilities. The work demonstrates practical improvements in targeted vulnerability discovery and presents an adaptable framework for directed fuzzing that integrates probabilistic guidance, energy allocation, and coordinated SE.
Abstract
Directed grey-box fuzzing (DGF) is a target-guided fuzzing intended for testing specific targets (e.g., the potential buggy code). Despite numerous techniques proposed to enhance directedness, the existing DGF techniques still face challenges, such as taking into account the difficulty of reaching different basic blocks when designing the fitness metric, and promoting the effectiveness of symbolic execution (SE) when solving the complex constraints in the path to the target. In this paper, we propose a directed hybrid fuzzer called HyperGo. To address the challenges, we introduce the concept of path probability and combine the probability with distance to form an adaptive fitness metric called probability-based distance. By combining the two factors, probability-based distance can adaptively guide DGF toward paths that are closer to the target and have more easy-to-satisfy path constraints. Then, we put forward an Optimized Symbolic Execution Complementary (OSEC) scheme to combine DGF and SE in a complementary manner. The OSEC would prune the unreachable branches and unsolvable branches, and prioritize symbolic execution of the seeds whose paths are closer to the target and have more branches that are difficult to be covered by DGF. We evaluated HyperGo on 2 benchmarks consisting of 21 programs with a total of 100 target sites. The experimental results show that HyperGo achieves 38.47$\times$, 30.89$\times$, 28.52$\times$, 106.09$\times$ and 143.22$\times$ speedup compared to AFLGo, AFLGoSy, BEACON, WindRanger, and ParmeSan, respectively in reaching target sites, and 3.44$\times$, 3.63$\times$, 4.10$\times$, 3.26$\times$, and 3.00$\times$ speedup in exposing known vulnerabilities. Moreover, HyperGo discovered 37 undisclosed vulnerabilities from 7 real-world programs.