FOX: Coverage-guided Fuzzing as Online Stochastic Control

Dongdong She, Adam Storek, Yuchong Xie, Seoyoung Kweon, Prashast Srivastava, Suman Jana

TL;DR

FOX reframes coverage-guided fuzzing as an online stochastic-control problem, introducing frontier-branch feedback and a Newton-based mutator to aggressively flip unvisited edges. The scheduler and mutator are tightly coupled through a greedy, provably near-optimal strategy that prioritizes seeds likely to decrease frontier-branch distances, reducing the control space and overhead. Empirically, FOX achieves significant coverage improvements (up to 26.45% on standalone targets and up to 6.59% on FuzzBench targets) and uncovers numerous real-world bugs, including eight previously unknown in-the-wild findings. This work demonstrates practical impact by delivering a principled, actionable framework with open-source release to advance real-world vulnerability discovery.

Abstract

Fuzzing is an effective technique for discovering software vulnerabilities by generating random test inputs and executing them against the target program. However, fuzzing large and complex programs remains challenging due to difficulties in uncovering deeply hidden vulnerabilities. This paper addresses the limitations of existing coverage-guided fuzzers, focusing on the scheduler and mutator components. Existing schedulers suffer from information sparsity and the inability to handle fine-grained feedback metrics. The mutators are agnostic of target program branches, leading to wasted computation and slower coverage exploration. To overcome these issues, we propose an end-to-end online stochastic control formulation for coverage-guided fuzzing. Our approach incorporates a novel scheduler and custom mutator that can adapt to branch logic, maximizing aggregate edge coverage achieved over multiple stages. The scheduler utilizes fine-grained branch distance measures to identify frontier branches, where new coverage is likely to be achieved. The mutator leverages branch distance information to perform efficient and targeted seed mutations, leading to robust progress with minimal overhead. We present FOX, a proof-of-concept implementation of our control-theoretic approach, and compare it to industry-standard coverage-guided fuzzers. Six CPU-years of extensive evaluations on the FuzzBench dataset and complex real-world programs (a total of 38 test programs) demonstrate that FOX outperforms existing state-of-the-art fuzzers, achieving average coverage improvements up to 26.45% in real-world standalone programs and 6.59% in FuzzBench programs over the state-of-the-art AFL++. In addition, it uncovers 20 unique bugs in popular real-world applications, including eight that were previously unknown, showcasing real-world security impact.
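The abstract describes two pieces that FOX couples: a scheduler that uses branch-distance feedback to pick seeds near frontier branches, and a Newton-based mutator that uses the same feedback to flip them. The toy below is an added illustration of that idea, not FOX's own code; the target program, the signed distance returned by `run_target`, and the forward-difference derivative in `newton_mutate` are all constructed assumptions for this example.

```python
"""Added illustration (not FOX's code): branch-distance feedback, a greedy
scheduler that favours the seed closest to a frontier branch, and a
finite-difference Newton mutator that tries to flip that branch."""

# Constructed target: one frontier branch `if x*x + 3*x == TARGET` that random
# byte flips are unlikely to satisfy. TARGET is chosen so that x == 12345 flips it.
TARGET = 12345 * 12345 + 3 * 12345


def run_target(x: int) -> int:
    """Stand-in for one instrumented execution: returns the branch distance
    (operand difference) at the frontier branch; 0 means the branch flipped.
    Assumption: the distance is kept signed here so Newton knows which way to step."""
    return (x * x + 3 * x) - TARGET


def pick_seed(seeds: list[int]) -> int:
    """Greedy scheduler: choose the seed whose frontier-branch distance is
    smallest, i.e. the one most likely to flip the branch with few mutations."""
    return min(seeds, key=lambda s: abs(run_target(s)))


def newton_mutate(x: int, max_steps: int = 20) -> tuple[int, int]:
    """Newton-style mutator driven only by distance feedback: estimate the
    derivative with a forward difference (h = 1), then step toward distance 0.
    Returns (mutated_input, steps_used)."""
    for step in range(max_steps):
        d = run_target(x)
        if d == 0:
            return x, step
        slope = run_target(x + 1) - d          # finite-difference derivative
        if slope == 0:                          # flat region: nudge instead of dividing by 0
            x += 1
            continue
        x -= round(d / slope)                   # integer Newton step
    return x, max_steps


def fuzz_round(seeds: list[int]) -> tuple[int, int, int]:
    """One scheduler+mutator stage: returns (chosen seed, new input, Newton steps)."""
    seed = pick_seed(seeds)
    new_input, steps = newton_mutate(seed)
    return seed, new_input, steps


if __name__ == "__main__":
    chosen, flipped, n = fuzz_round([7, 1000, 500_000])
    print(f"seed {chosen} -> {flipped} after {n} Newton steps, "
          f"distance {run_target(flipped)}")
```

On the constructed seeds the scheduler picks 1000 (smallest distance) and the mutator reaches 12345 in seven steps, where random mutation would need to hit one value out of billions.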

Paper Structure

This paper contains 31 sections, 1 theorem, 13 equations, 4 figures, 15 tables, and 2 algorithms.

Key Result

Theorem 1

Given a fixed branch flip probability before each stage $i$, a greedy schedule that chooses $u_{i+1}$ to maximize the expected coverage gain at each stage $i$ of the problem described by the paper's general formulation of fuzzing as stochastic control is optimal.

Figures (4)

  • Figure 1: Workflow of FOX
  • Figure 2: The arithmetic mean edge coverage for FOX and FOX+D against three other fuzzers running for 24 hours over ten runs on the standalone programs. The error bars indicate one standard deviation.
  • Figure 3: Control space comparison of FOX with AFLPP on xmllint over the course of a 24-hour fuzzing campaign.
  • Figure 4: The arithmetic mean edge coverage for FOX and FOX+D against three other fuzzers running for 24 hours over 10 runs on the FuzzBench programs. The error bars indicate one standard deviation.

Theorems & Definitions (1)

  • Theorem 1