Greybox fuzzing as a contextual bandits problem

Patil, Ketan; Kanade, Aditya

doi:10.48550/arxiv.1806.03806

Cited by 3 publications

(4 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Patil et al [40] employed a contextual multi-arm bandit machine model to ascertain the allocation of seed energy in the fuzzing process. Additionally, they utilized reinforcement learning techniques to attain the optimal energy allocation.…”

Section: B Mab Model In Fuzzingmentioning

confidence: 99%

LinFuzz: Program-Sensitive Seed Scheduling Greybox Fuzzing Based on LinUCB Algorithm

Su,

Xiong,

Wan

et al. 2024

IEEE Access

View full text Add to dashboard Cite

The mutation-based grey box fuzz testing technique is one of the widely used dynamic vulnerability mining techniques. It generates test cases for testing by mutating input seeds. In the process of fuzz testing, the seed scheduling strategy and energy scheduling strategy impact the test results and efficiency. Existing seed scheduling strategies, however, only consider a few specific seed attributes and ignore contextual information during seed execution. This oversight makes it challenging to prioritize the selection of suitable seeds based on historical fuzz test results. Meanwhile, current methods for calculating coverage lack evaluation of software paths, which makes it easy to waste time on testing high-frequency and low-risk paths. This article proposes a new grey box fuzz scheme, LinFuzz, which transforms the seed scheduling problem into a contextual multi-arm bandit machine model. It utilizes the LinUCB algorithm to assess the value of seeds for scheduling by considering their historical execution information. At the same time, LinFuzz enhances the calculation method for fuzz testing path rewards and the seed energy scheduling algorithm. It allocates more energy for low-frequency paths in the testing program, thereby enhancing the exploration efficiency and path coverage ability of the testing tool. This article evaluated the proposed LinFuzz on 12 real programs in comparison with other open-source tools like AFL, AFLFast, FairFuzz, Neuzz, etc. The results show that under the same testing time budget, LinFuzz outperforms other tools in terms of vulnerability discovery quantity and code coverage ability. Compared with complex fuzz testing optimization algorithms, LinFuzz has lower memory consumption and time complexity.INDEX TERMS Coverage-guided fuzzing, LinUCB Algorithm, Seed Scheduling

show abstract

Section: B Mab Model In Fuzzingmentioning

confidence: 99%

LinFuzz: Program-Sensitive Seed Scheduling Greybox Fuzzing Based on LinUCB Algorithm

Su,

Xiong,

Wan

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…For example, AFLFast optimized a parameter called energy, which denotes the number of times a seed is used to generate new inputs by modeling fuzzing as a Markov chain [13]. Similarly, Böhme et al employed information theory [12] and Patil and Kanade adopted reinforcement learning [45] to regulate the energy parameter. In another direction, Rebert et al optimized seeds to be kept in a seed set as a minimal set cover problem [50].…”

Section: Related Work 31 Improvements On Mutation-based Fuzzermentioning

confidence: 99%

SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing

Koike¹,

Katsura²,

Yakura³

et al. 2022

Proceedings of the 38th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Mutation-based fuzzing has become one of the most common vulnerability discovery solutions over the last decade. Fuzzing can be optimized when targeting specific programs, and given that, some studies have employed online optimization methods to do it automatically, i.e., tuning fuzzers for any given program in a program-agnostic manner. However, previous studies have neither fully explored mutation schemes suitable for online optimization methods, nor online optimization methods suitable for mutation schemes. In this study, we propose an optimization framework called SLOPT that encompasses both a bandit-friendly mutation scheme and mutation-scheme-friendly bandit algorithms. The advantage of SLOPT is that it can generally be incorporated into existing fuzzers, such as AFL and Honggfuzz. As a proof of concept, we implemented SLOPT-AFL++ by integrating SLOPT into AFL++ and showed that the program-agnostic optimization delivered by SLOPT enabled SLOPT-AFL++ to achieve higher code coverage than AFL++ in all of ten real-world FuzzBench programs. Moreover, we ran SLOPT-AFL++ against several real-world programs from OSS-Fuzz and successfully identified three previously unknown vulnerabilities, even though these programs have been fuzzed by AFL++ for a considerable number of CPU days on OSS-Fuzz. CCS CONCEPTS• Security and privacy → Software security engineering; • Theory of computation → Sequential decision making.

show abstract

“…AFL uses a bitmap with edges as keys and top-rate seeds as values to maintain the best performance seeds for each edge. It selects favored seeds from the top_rated queue, and gives these seeds preference over the non-favored ones by giving the favored one more fuzzing chances [38].…”

Section: B Coverage-guide Greybox Fuzzingmentioning

confidence: 99%

“…(3) Exploration-exploitation. Researchers [38,40] model the greybox fuzzing process as a "multi-armed bandit problem" where the seeds are considered as arms of a multiarmed bandit. For coverage-based greybox fuzzing, the whole process is essentially a tradeoff of the exploration-exploitation problem, where exploration stands for trying as many seeds as possible while exploitation means mutating a certain seed as much as possible.…”

Section: Difference Between Cgf and Dgfmentioning

confidence: 99%

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

Wang¹,

Zhang²,

Lü³

et al. 2020

Preprint

View full text Add to dashboard Cite

Greybox fuzzing has been the most scalable and practical approach to software testing. Most greybox fuzzing tools are coverage guided as code coverage is strongly correlated with bug coverage. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage-based fuzzers who extend the code coverage in an undirected manner, a directed fuzzer spends most of its time budget on reaching specific target locations (e.g., the bug-prone zone) without wasting resources stressing unrelated parts. Thus, directed greybox fuzzing is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug hunting. In this paper, we conduct the first in-depth study of directed greybox fuzzing. We investigate 28 state-of-the-art fuzzers (82% are published after 2019) closely related to DGF, which have various directed types and optimization techniques. Based on the feature of DGF, we extract 15 metrics to conduct a thorough assessment of the collected tools and systemize the knowledge of this field. Finally, we summarize the challenges and provide perspectives of this field, aiming to facilitate and boost future research on this topic.

show abstract

Greybox fuzzing as a contextual bandits problem

Cited by 3 publications

References 12 publications

LinFuzz: Program-Sensitive Seed Scheduling Greybox Fuzzing Based on LinUCB Algorithm

LinFuzz: Program-Sensitive Seed Scheduling Greybox Fuzzing Based on LinUCB Algorithm

SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing

The Progress, Challenges, and Perspectives of Directed Greybox Fuzzing

Contact Info

Product

Resources

About