SPLASH 2023
Sun 22 - Fri 27 October 2023 Cascais, Portugal
Fri 27 Oct 2023 11:54 - 12:12 at Room XII - software development Chair(s): Chandrakana Nandi

Coverage-guided fuzzing is one of the most effective approaches for discovering software defects and vulnerabilities. It executes all mutated tests from seed inputs to expose coverage-increasing tests. However, executing all mutated tests incurs significant performance penalties—most of the mutated tests are discarded because they do not increase code coverage. Thus, determining if a test increases code coverage without actually executing it is beneficial, but a paradoxical challenge. In this paper, we introduce the notion of prefix-guided execution (PGE) to tackle this challenge. PGE leverages two key observations: (1) Only a tiny fraction of the mutated tests increase coverage, thus requiring full execution; and (2) whether a test increases coverage may be accurately inferred from its partial execution. PGE monitors the execution of a test and applies early termination when the execution prefix indicates that the test is unlikely to increase coverage.

To demonstrate the potential of PGE, we implement a prototype on top of AFL++, which we call AFL++-PGE. We evaluate AFL++-PGE on MAGMA, a ground-truth benchmark set that consists of 21 programs from nine popular real-world projects. Our results show that, after 48 hours of fuzzing, AFL++-PGE finds more bugs, discovers bugs faster, and achieves higher coverage.
Prefix-guided execution is general and can benefit the AFL-based family of fuzzers.
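To make the idea in the abstract concrete, here is a toy model of prefix-guided execution. It is an added illustration, not code from the paper or from AFL++-PGE: the target program (`target_trace`), its edge-coverage model, the prefix length (`PREFIX_LEN`), the "dead prefix" rule and the `recheck_every` policy are all assumptions constructed for this example. The point it shows beyond the abstract is the trade-off: early termination saves full executions, but a test whose prefix looks familiar can still have a coverage-increasing suffix, so a pure blacklist misses it unless some dead-prefix candidates are occasionally re-executed in full.

```python
"""Toy model of prefix-guided execution (PGE) for coverage-guided fuzzing.

Added illustration, not code from the paper or from AFL++-PGE. The target
program, its edge-coverage model, the prefix length and the re-check policy
are constructed here to make the idea concrete and to expose its failure
mode: a test whose prefix looks boring but whose suffix is new.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PREFIX_LEN = 3  # assumed: edges observed before deciding to stop or continue


def target_trace(data: bytes) -> list[str]:
    """Constructed target: a tiny header parser. Returns the sequence of
    control-flow edges an AFL-style coverage instrument would record."""
    trace = ["entry->hdr"]
    if len(data) < 4 or data[:2] != b"PG":
        trace.append("hdr->bad_magic")
        return trace
    trace.append("hdr->ver")
    if data[2] == 1:
        trace.append("ver->v1")
    elif data[2] == 2:
        trace.append("ver->v2")
    else:
        trace.append("ver->unsupported")
        return trace
    trace.append("body")
    trace.append("body->flag_hi" if data[3] & 0x80 else "body->flag_lo")
    if data[3] & 0x0F == 0x0A:
        trace.append("flag->rare")  # the interesting, hard-to-reach edge
    trace.append("exit")
    return trace


@dataclass
class Campaign:
    """Fuzzer state. pge=False executes every test in full (baseline).
    pge=True stops early when the execution prefix was already seen on a
    test that did not increase coverage. recheck_every=N (0 = never) forces
    every N-th such candidate to run fully anyway, so a prefix that was
    wrongly written off can be rehabilitated."""
    pge: bool
    recheck_every: int = 0
    edges: set[str] = field(default_factory=set)
    dead_prefixes: set[tuple[str, ...]] = field(default_factory=set)
    full_runs: int = 0
    early_exits: int = 0
    dead_hits: int = 0

    def run(self, data: bytes) -> bool:
        """Execute one mutated test; return True if it increased coverage."""
        trace = target_trace(data)
        prefix = tuple(trace[:PREFIX_LEN])
        if self.pge and prefix in self.dead_prefixes:
            self.dead_hits += 1
            if self.recheck_every == 0 or self.dead_hits % self.recheck_every:
                self.early_exits += 1  # prefix says: unlikely to add coverage
                return False
        self.full_runs += 1
        new = set(trace) - self.edges
        if new:
            self.edges |= new
            self.dead_prefixes.discard(prefix)  # this prefix can still pay off
            return True
        self.dead_prefixes.add(prefix)
        return False


def run_campaign(inputs: list[bytes], pge: bool, recheck_every: int = 0) -> dict:
    """Run one campaign over a fixed mutation stream and summarise it."""
    c = Campaign(pge=pge, recheck_every=recheck_every)
    for data in inputs:
        c.run(data)
    return {"edges": len(c.edges), "full_runs": c.full_runs,
            "early_exits": c.early_exits, "found_rare": "flag->rare" in c.edges}


# Constructed mutation stream: mostly v1 inputs that differ only in the last
# byte (identical prefix), plus a few that reach other branches.
INPUTS = [b"PG\x01\x00", b"PG\x01\x01", b"PG\x01\x02", b"PG\x01\x0A",
          b"PG\x02\x80", b"XX\x00\x00", b"PG\x09\x00", b"PG\x01\x03",
          b"PG\x01\x8A", b"PG\x01\x05"]

if __name__ == "__main__":
    for label, kw in [("baseline", dict(pge=False)),
                      ("pge, no recheck", dict(pge=True)),
                      ("pge, recheck every 4th", dict(pge=True, recheck_every=4))]:
        print(f"{label:24s} {run_campaign(INPUTS, **kw)}")
```

On this stream the baseline executes all ten tests and reaches 11 edges; PGE without re-checking executes only five in full but never sees `flag->rare`, because the input that would reach it shares its first three edges with an earlier, coverage-neutral test; PGE with a periodic re-check spends seven full executions and recovers the missed edge. The real system infers "unlikely to increase coverage" from the partial execution rather than from an exact prefix match, and its prefix policy is tuned empirically, which this toy does not attempt to reproduce.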

Fri 27 Oct

Displayed time zone: Lisbon

11:00 - 12:30
software development (OOPSLA) at Room XII
Chair(s): Chandrakana Nandi (Certora)
11:00
18m
Talk
Towards Better Semantics Exploration for Browser Fuzzing
OOPSLA
Chijin Zhou Tsinghua University, Quan Zhang Tsinghua University, Lihua Guo Tsinghua University, Mingzhe Wang Tsinghua University, Yu Jiang Tsinghua University, Qing Liao Harbin Institute of Technology, Zhiyong Wu National University of Defense Technology, Shanshan Li National University of Defense Technology, Bin Gu Beijing Institute of Control Engineering
11:18
18m
Talk
Live Pattern Matching with Typed Holes (Distinguished Paper)
OOPSLA
Yongwei Yuan Purdue University, Scott Guest University of Michigan, Eric Griffis University of Michigan, Hannah Potter University of Washington, David Moon University of Michigan, Cyrus Omar University of Michigan
11:36
18m
Talk
Interactive Debugging of Datalog Programs
OOPSLA
André Pacak JGU Mainz, Sebastian Erdweg JGU Mainz
11:54
18m
Talk
Accelerating Fuzzing through Prefix-Guided Execution (Distinguished Paper)
OOPSLA
Shaohua Li ETH Zurich, Zhendong Su ETH Zurich
12:12
18m
Talk
MemPerf: Profiling Allocator-Induced Performance Slowdowns
OOPSLA
Jin Zhou University of Massachusetts at Amherst, Sam Silvestro University of Texas at San Antonio, Steven (Jiaxun) Tang University of Massachusetts at Amherst, Hanmei Yang University of Massachusetts at Amherst, Hongyu Liu University of Texas at San Antonio, Guangming Zeng Synopsys, Bo Wu Colorado School of Mines, Cong Liu University of Texas at Dallas, Tongping Liu University of Massachusetts at Amherst