Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102204

| Field | Value |
|---|---|
| Title | EdgeFuzz: Prioritizing High-Value Control-Flow Edges in Greybox Fuzzing (original title: EdgeFuzz:針對灰盒模糊測試優先篩選高價值的控制流路徑) |
| Author | 李蒼易 Tsang-Yi Li |
| Advisor | 王凡 Farn Wang |
| Keywords | Software Testing, Software Security, Coverage-Based Greybox Fuzzing |
| Year | 2026 |
| Degree | Master's |
| URI | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102204 |
| DOI | 10.6342/NTU202600849 |
| Full-text license | Authorized (open access worldwide) |
| Full-text release date | 2026-04-09 |
| Department | Department of Electrical Engineering |

Abstract:

Coverage-based grey-box fuzzing has established itself as the common standard for discovering software vulnerabilities. While modern fuzzers like AFL++ rely on edge coverage to guide exploration, they predominantly employ seed-granularity scheduling, treating all edges within a seed's execution trace as equally valuable. This coarse-grained approach fails to account for the heterogeneous exploration potential of individual control-flow edges, leading to the inefficient allocation of mutation energy to "common" edges that offer diminishing returns.

In this paper, we present EdgeFuzz, a novel fuzzing framework that shifts the scheduling paradigm from seed-centric to edge-centric. EdgeFuzz models the fuzzing process as a Multi-Armed Bandit (MAB) problem in which individual control-flow edges are the arms. Using the Upper Confidence Bound (UCB) algorithm, it dynamically quantifies the exploration potential of each edge and aggregates these scores to prioritize seeds that traverse high-value, under-explored paths. Furthermore, we introduce an edge-targeted mutation strategy that learns the mapping between input bytes and critical edges, enabling precise structural mutations. We implemented EdgeFuzz on top of AFL++ and evaluated it against five state-of-the-art fuzzers on the UniBench suite. Experimental results indicate that EdgeFuzz achieves an increase in edge coverage of up to 5.6%, reveals 41.6% more unique crashes, and identifies three additional real-world vulnerabilities when compared to the most effective baseline. These findings confirm that fine-grained, edge-aware feedback significantly enhances the efficacy of fuzzing techniques.
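The abstract describes edges as bandit arms scored with UCB and seeds ranked by aggregating their edges' scores. The following is an added illustration of that scheduling idea, written for this page; it is not EdgeFuzz's or AFL++'s code. It assumes the standard UCB1 formula (mean reward plus an exploration bonus), a mean aggregation over the edges of a trace, a reward equal to the number of new edges a fuzzing round discovered, and constructed seed traces and payoffs in place of a real target program; the edge-targeted mutation strategy from the abstract is not modelled.

```python
import math
from dataclasses import dataclass


@dataclass
class EdgeStats:
    pulls: int = 0        # fuzzing rounds spent on seeds whose trace contains this edge
    reward: float = 0.0   # accumulated payoff of those rounds (here: new edges found)


class EdgeBandit:
    """Assumed UCB1 scheduler: each control-flow edge is an arm, and a seed is scored by
    aggregating the UCB values of the edges in its execution trace."""

    def __init__(self, exploration: float = 1.0):
        self.c = exploration
        self.edges: dict[str, EdgeStats] = {}
        self.total_pulls = 0

    def ucb(self, edge: str) -> float:
        s = self.edges.setdefault(edge, EdgeStats())
        if s.pulls == 0:
            return math.inf  # never-exercised arm: pulled before any exploited one
        mean = s.reward / s.pulls
        bonus = self.c * math.sqrt(math.log(self.total_pulls) / s.pulls)
        return mean + bonus

    def seed_score(self, trace: list[str]) -> float:
        # Mean rather than sum, so a long trace of well-trodden edges does not outrank
        # a short trace containing one under-explored, high-reward edge.
        scores = [self.ucb(e) for e in set(trace)]
        return sum(scores) / len(scores) if scores else 0.0

    def pick_seed(self, corpus: dict[str, list[str]]) -> str:
        # max() keeps the first maximal seed, so ties resolve in corpus order.
        return max(corpus, key=lambda name: self.seed_score(corpus[name]))

    def update(self, trace: list[str], reward: float) -> None:
        # Every edge on the fuzzed seed's trace shares the round's payoff.
        self.total_pulls += 1
        for e in set(trace):
            s = self.edges.setdefault(e, EdgeStats())
            s.pulls += 1
            s.reward += reward


# Constructed corpus: seed name -> edge trace (edge ids are hypothetical labels).
CORPUS = {
    "seed_a": ["e1", "e2", "e3"],
    "seed_b": ["e1", "e2", "e4"],
    "seed_c": ["e1", "e5"],
}

# Constructed payoff model standing in for real fuzzing: the number of new edges
# each mutation round of a seed yields, in order; an exhausted seed yields 0.
PAYOFFS = {
    "seed_a": [1.0],
    "seed_b": [0.0],
    "seed_c": [2.0, 1.0],
}


def run_schedule(rounds: int = 4) -> list[str]:
    """Run the scheduler for a few rounds and return the seeds it chose, in order."""
    bandit = EdgeBandit()
    payoffs = {k: list(v) for k, v in PAYOFFS.items()}
    picks = []
    for _ in range(rounds):
        seed = bandit.pick_seed(CORPUS)
        reward = payoffs[seed].pop(0) if payoffs[seed] else 0.0
        bandit.update(CORPUS[seed], reward)
        picks.append(seed)
    return picks


if __name__ == "__main__":
    # The shared edges e1/e2 are fuzzed via seed_a and seed_b first; once e5 has paid
    # off, seed_c keeps winning because its short trace is dominated by that edge.
    print(run_schedule())
```

With the constructed payoffs the scheduler first pulls every seed once (each carries at least one never-seen edge), then settles on seed_c because edge e5 has the highest mean reward and the fewest pulls, which is exactly the "high-value, under-explored" case the abstract targets.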
Files in this item:
| File | Size | Format |
|---|---|---|
| ntu-114-2.pdf | 1.67 MB | Adobe PDF |
