Peeling Off the Cocoon: Unveiling Suppressed Golden Seeds for Mutational Greybox Fuzzing

Abstract

PoCo is a technique that aims to enhance modern coverage-based seed selection (CSS) techniques (such as afl-cmin) by gradually removing obstacle conditional statements and conducting deeper seed selection.

Figures (24)

• Figure 1: A golden seed $s_2$ suppressed by line 3.
• Figure 2: Unleashing $s_2$ by disabling line 3.
• Figure 4: An illustration about how PoCo works. Fig. \ref{['fig:example-process']}(a) and (b) display the inputs of PoCo (i.e., the fuzz target $p$ and the seed corpus $C$). Fig. \ref{['fig:example-process']}(c) displays and the guard hierarchies extracted from $p$, of which the guards in lines 3--7 are marked as $g_1$--$g_5$; the codes that are not guarded by any conditional statements are unified into a "Non-guard code" node for clarity. Fig. \ref{['fig:example-process']}(d) displays the simplified workflow of PoCo. Fig. \ref{['fig:example-process']}(e) displays a tabular overview of the manipulations in each round, where $S_b$ and $S_e$ are seed sets at the beginning and end of each round, $S'$ denotes the incremental seeds (i.e., $C'$$\setminus$$S_b$), and $G^-$ denotes the conditional guards disabled.
• Figure 5: A code snippet with two guards.
• Figure 6: CFG before inserting toggles.

Theorems & Definitions (6)

• definition 1
• definition 2
• definition 3
• definition 4
• definition 5
• definition 6