PrescientFuzz: A more effective exploration approach for grey-box fuzzing
Daniel Blackwell, David Clark
TL;DR
The paper tackles slow early coverage in grey-box fuzzing by introducing CFG-informed dynamic feedback mechanisms. It presents PrescientFuzz, an LLVM-compatible enhancement of LibAFL's fuzzbench fuzzer that uses Direct Uncovered Neighbours, Reachable Blocks, rarity, and depth weighting to steer input selection for mutation. Evaluation on the FuzzBench suite shows PrescientFuzz achieves the highest median coverage across benchmarks and benefits from a cooldown to manage the extra computation. The approach generalises to any LLVM-supported language and can inform campaign termination and concolic fuzzing strategies, broadening the applicability of CFG semantics in fuzzing.
Abstract
Since the advent of AFL, the use of mutational, feedback-directed, grey-box fuzzers has become critical in the automated detection of security vulnerabilities. A great deal of research currently goes into their optimisation, including improving the rate at which they achieve branch coverage early in a campaign. We produce an augmented version of LibAFL's 'fuzzbench' fuzzer, called PrescientFuzz, that makes use of semantic information from the target program's control flow graph (CFG). We develop an input corpus scheduler that prioritises the selection of inputs for mutation based on the proximity of their execution path to uncovered edges. Simple as this idea is, PrescientFuzz leads all fuzzers using the Google FuzzBench at the time of writing, in both average code coverage and average ranking, across the benchmark SUTs. Whilst the existence of uncovered edges in the CFG does not guarantee their feasibility, the improvement in coverage over the state-of-the-art fuzzers suggests that this is not an issue in practice.
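As an added illustration of the scheduling idea the abstract describes (not code from the paper or from LibAFL), the following Python sketch ranks corpus inputs by how close their execution path sits to uncovered CFG edges. The toy CFG, the corpus paths, and the way reachable-block count, rarity and depth weighting are combined into one score are constructed assumptions; the abstract names these ingredients but does not give the formula.

```python
from collections import deque

# Constructed toy CFG: basic block -> successor blocks (each pair is a CFG edge).
CFG = {
    "entry": ["parse", "reject"],
    "reject": ["log_err", "done"],
    "log_err": ["done"],
    "parse": ["hdr_ok", "hdr_bad"],
    "hdr_ok": ["body", "empty"],
    "body": ["done"],
    "empty": ["done"],
    "hdr_bad": ["done"],
    "done": [],
}

# Constructed corpus: input id -> blocks executed, in order, when run on the target.
CORPUS = {
    "in_a": ["entry", "reject", "done"],
    "in_b": ["entry", "parse", "hdr_bad", "done"],
    "in_c": ["entry", "reject", "done"],
}


def reachable_weight(cfg, start, covered):
    """Assumed 'Reachable Blocks' term: sum of 1/(1+depth) over uncovered blocks
    reachable from `start` (BFS depth), so nearer uncovered code counts for more."""
    seen, todo, total = {start}, deque([(start, 0)]), 0.0
    while todo:
        block, depth = todo.popleft()
        if block not in covered:
            total += 1.0 / (1 + depth)
        for succ in cfg[block]:  # keep walking through covered blocks too
            if succ not in seen:
                seen.add(succ)
                todo.append((succ, depth + 1))
    return total


def score_inputs(cfg, corpus):
    """Score each input by its Direct Uncovered Neighbours: successors of blocks on
    its path that no corpus input has executed. Each neighbour contributes its
    reachable weight divided by rarity (how many inputs already reach its parent)."""
    covered = set().union(*corpus.values())
    scores = {}
    for iid, path in corpus.items():
        total = 0.0
        for parent in set(path):
            rarity = sum(1 for p in corpus.values() if parent in p)
            for nb in cfg[parent]:
                if nb not in covered:
                    total += reachable_weight(cfg, nb, covered) / rarity
        scores[iid] = total
    return scores


def schedule(cfg, corpus):
    """Return input ids in priority order: closest to the most uncovered code first."""
    scores = score_inputs(cfg, corpus)
    return sorted(corpus, key=lambda iid: scores[iid], reverse=True)
```

Here `in_b` is scheduled first: its path borders `hdr_ok`, behind which three uncovered blocks remain, while `in_a` and `in_c` border only `log_err` and split that credit because both already reach `reject`.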
