Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

AFLGopher: Accelerating Directed Fuzzing via Feasibility-Aware Guidance

Weiheng Bai, Kefu Wu, Qiushi Wu, Kangjie Lu

TL;DR

This paper introduces AFLGopher, a feasibility-aware directed fuzzing framework that improves target reachability and vulnerability reproduction by integrating empirical branch feasibility into the guidance loop. It combines semantic clustering of conditional statements, LSTM-based next-function feasibility prediction for indirect calls, and a lightweight runtime update mechanism to refine predictions as fuzzing progresses. Across UniBench and the AFLGo Test Suite, AFLGopher achieves significant speedups in Time-to-Target and Time-to-Exposure compared to state-of-the-art baselines, demonstrating robust performance gains in both target-reaching and vulnerability-triggering tasks. The approach advances directed fuzzing by embedding probabilistic feasibility into guidance and enabling online adaptation with minimal interference to fuzzing throughput.

Abstract

Directed fuzzing is a useful testing technique that aims to efficiently reach target code sites in a program. The core of directed fuzzing is the guiding mechanism that directs the fuzzing to the specified target. A general guiding mechanism adopted in existing directed fuzzers is to calculate the control-flow distance between the current progress and the target, and use that as feedback to guide the directed fuzzing. A fundamental problem with the existing guiding mechanism is that the distance calculation is \emph{feasibility-unaware}. In this work, we propose feasibility-aware directed fuzzing named AFLGopher. Our new feasibility-aware distance calculation provides pragmatic feedback to guide directed fuzzing to reach targets efficiently. We propose new techniques to address the challenges of feasibility prediction. Our new classification method allows us to predict the feasibility of all branches based on limited traces, and our runtime feasibility-updating mechanism gradually and efficiently improves the prediction precision. We implemented AFLGopher and compared AFLGopher with state-of-the-art directed fuzzers including AFLGo, enhanced AFLGo, WindRanger, BEACON and SelectFuzz. AFLGopher is 3.76x, 2.57x, 3.30x, 2.52x and 2.86x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in reaching targets. AFLGopher is 5.60x, 5.20x, 4.98x, 4.52x, and 5.07x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in triggering known vulnerabilities.

AFLGopher: Accelerating Directed Fuzzing via Feasibility-Aware Guidance

TL;DR

This paper introduces AFLGopher, a feasibility-aware directed fuzzing framework that improves target reachability and vulnerability reproduction by integrating empirical branch feasibility into the guidance loop. It combines semantic clustering of conditional statements, LSTM-based next-function feasibility prediction for indirect calls, and a lightweight runtime update mechanism to refine predictions as fuzzing progresses. Across UniBench and the AFLGo Test Suite, AFLGopher achieves significant speedups in Time-to-Target and Time-to-Exposure compared to state-of-the-art baselines, demonstrating robust performance gains in both target-reaching and vulnerability-triggering tasks. The approach advances directed fuzzing by embedding probabilistic feasibility into guidance and enabling online adaptation with minimal interference to fuzzing throughput.

Abstract

Directed fuzzing is a useful testing technique that aims to efficiently reach target code sites in a program. The core of directed fuzzing is the guiding mechanism that directs the fuzzing to the specified target. A general guiding mechanism adopted in existing directed fuzzers is to calculate the control-flow distance between the current progress and the target, and use that as feedback to guide the directed fuzzing. A fundamental problem with the existing guiding mechanism is that the distance calculation is \emph{feasibility-unaware}. In this work, we propose feasibility-aware directed fuzzing named AFLGopher. Our new feasibility-aware distance calculation provides pragmatic feedback to guide directed fuzzing to reach targets efficiently. We propose new techniques to address the challenges of feasibility prediction. Our new classification method allows us to predict the feasibility of all branches based on limited traces, and our runtime feasibility-updating mechanism gradually and efficiently improves the prediction precision. We implemented AFLGopher and compared AFLGopher with state-of-the-art directed fuzzers including AFLGo, enhanced AFLGo, WindRanger, BEACON and SelectFuzz. AFLGopher is 3.76x, 2.57x, 3.30x, 2.52x and 2.86x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in reaching targets. AFLGopher is 5.60x, 5.20x, 4.98x, 4.52x, and 5.07x faster than AFLGo, BEACON, WindRanger, SelectFuzz and enhanced AFLGo, respectively, in triggering known vulnerabilities.

Paper Structure

This paper contains 27 sections, 8 equations, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Overview of AFLGopher
  3. Design of AFLGopher
  4. Semantic Clustering of Conditional Statements
  5. Feasibility Prediction
  6. Runtime Feasibility Update
  7. Implementation
  8. Constructing the Interprocedural CFG
  9. Normalization of Conditional Statements
  10. Feasibility-Aware Distance Calculation
  11. Basic Block Level.
  12. Function Level.
  13. Dynamic Distance Table
  14. Runtime Prediction and Incremental Model Updates
  15. Evaluation
  16. ...and 12 more sections

Figures (3)

  • Figure 1: A rare condition guards access to a vulnerability.
  • Figure 2: Overview of AFLGopher.
  • Figure 3: The impact of error threshold settings on runtime update process.