Effective Seed Scheduling for Directed Fuzzing with Function Call Sequence Complexity Estimation
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-07-01 |
| Series: | Applied Sciences |
| Subjects: | |
| Online Access: | https://www.mdpi.com/2076-3417/15/15/8345 |
| Summary: | Directed grey-box fuzzers focus on testing specific target code. They have been utilized in various security applications, such as reproducing known crashes and identifying vulnerabilities resulting from incomplete patches. Distance-guided directed fuzzers calculate the distance to the target node for each node in a CFG or CG, which has always been the mainstream approach in this field. However, the distance can only reflect the relationship between the current node and the target node; it does not consider the impact of the reaching sequence before the target node. To mitigate this problem, we analyzed the properties of the instrumented function's call graph after selective instrumentation and estimated the complexity of reaching the target function sequence. Assisted by the sequence complexity, we proposed a two-stage function call sequence-based seed-scheduling strategy. The first stage selects seeds with a higher probability of generating test cases that reach the target function. The second stage selects seeds that can generate test cases that meet the conditions for triggering the vulnerability as much as possible. We implemented our approach in SEZZ based on SelectFuzz and compared it with related works. We found that SEZZ outperformed AFLGo, Beacon, WindRanger, and SelectFuzz by achieving an average improvement of 13.7×, 1.50×, 9.78×, and 2.04× faster vulnerability exposure, respectively. Moreover, SEZZ triggered three more vulnerabilities than the other compared tools. |
| ISSN: | 2076-3417 |