KCFuzz: Directed Fuzzing Based on Keypoint Coverage

“…• The fuzzing process has been enhanced with various approaches, such as using data-flow analysis and semantic analysis to generate valid input, using symbolic execution to pass complex constraints. Examples include TOFU [89], TIFF [98], SemFuzz [22], KCFuzz [96], 1DVUL [23] and SAVIOR [100]. • More complex algorithms are adopted to enhance directedness, such as ant colony optimization, optimized simulated annealing, and particle swarm algorithm.…”

“…necessary nodes required to reach the nodes in the target sequences) for all paths. Similarly, KCFuzz [96] regards the parent nodes in the path to the target as keypoints to cover. CAFL [93] regards the data conditions along the path to the target as constraints and drives the seeds to satisfy the constraints in order to finally reach the target.…”

“…In order to set target sites reasonably and effectively, researchers use auxiliary metadata, such as code changes from git commit logs [22], information extracted from bug traces [24], semantics from CVE vulnerability descriptions [15,27,28], or deep learning models [30][31][32]. Such auxiliary metadata can help identify vulnerable functions [27,28,[30][31][32], critical sites [96], syntax tokens [90], sanity checks [33,100], and patchrelated branches [23,26] in the code and set such vulnerable code parts or sites as targets. Nevertheless, such target identification schemes still rely on additional efforts to process the information and mark the target on the PUT.…”

“…using a numerical vector to describe the basic block in a control-flow graph, where each dimension of the vector denotes the value of a specific attribute of the basic block) to represent a binary program and extract features for deep learning. A further point to note is that directed hybrid fuzzing [23,28,87,96,100] combines the precision of DSE and the scalability of DGF to mitigate their individual weaknesses. DGF can prioritize and schedule input mutation to get closer to the targets rapidly, while DSE can reach more in-depth code by solving complex path constraints.…”

“…Directed fuzzing is then enabled by strategically scheduling the energy of fuzzing to stress the path prefix that might reach the target locations. KCFuzz [96] defines the parent nodes in the path to the target as keypoints and directs fuzzing using keypoint coverage. CAFL [93] aims to satisfy a sequence of constraints (i.e.…”

The progress, challenges, and perspectives of directed greybox fuzzing

“…• The fuzzing process has been enhanced with various approaches, such as using data-flow analysis and semantic analysis to generate valid input, using symbolic execution to pass complex constraints. Examples include TOFU [89], TIFF [98], SemFuzz [22], KCFuzz [96], 1DVUL [23] and SAVIOR [100]. • More complex algorithms are adopted to enhance directedness, such as ant colony optimization, optimized simulated annealing, and particle swarm algorithm.…”

“…necessary nodes required to reach the nodes in the target sequences) for all paths. Similarly, KCFuzz [96] regards the parent nodes in the path to the target as keypoints to cover. CAFL [93] regards the data conditions along the path to the target as constraints and drives the seeds to satisfy the constraints in order to finally reach the target.…”

“…In order to set target sites reasonably and effectively, researchers use auxiliary metadata, such as code changes from git commit logs [22], information extracted from bug traces [24], semantics from CVE vulnerability descriptions [15,27,28], or deep learning models [30][31][32]. Such auxiliary metadata can help identify vulnerable functions [27,28,[30][31][32], critical sites [96], syntax tokens [90], sanity checks [33,100], and patchrelated branches [23,26] in the code and set such vulnerable code parts or sites as targets. Nevertheless, such target identification schemes still rely on additional efforts to process the information and mark the target on the PUT.…”

“…using a numerical vector to describe the basic block in a control-flow graph, where each dimension of the vector denotes the value of a specific attribute of the basic block) to represent a binary program and extract features for deep learning. A further point to note is that directed hybrid fuzzing [23,28,87,96,100] combines the precision of DSE and the scalability of DGF to mitigate their individual weaknesses. DGF can prioritize and schedule input mutation to get closer to the targets rapidly, while DSE can reach more in-depth code by solving complex path constraints.…”

“…Directed fuzzing is then enabled by strategically scheduling the energy of fuzzing to stress the path prefix that might reach the target locations. KCFuzz [96] defines the parent nodes in the path to the target as keypoints and directs fuzzing using keypoint coverage. CAFL [93] aims to satisfy a sequence of constraints (i.e.…”

The progress, challenges, and perspectives of directed greybox fuzzing

Guiding Directed Fuzzing with Feasibility

An Empirical Study on the Distance Metric in Guiding Directed Grey-box Fuzzing