Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102204
Full metadata record
DC field [language]: value
dc.contributor.advisor [zh_TW]: 王凡
dc.contributor.advisor [en]: Farn Wang
dc.contributor.author [zh_TW]: 李蒼易
dc.contributor.author [en]: Tsang-Yi Li
dc.date.accessioned: 2026-04-08T16:16:30Z
dc.date.available: 2026-04-09
dc.date.copyright: 2026-04-08
dc.date.issued: 2026
dc.date.submitted: 2026-03-23
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/102204
dc.description.abstract [zh_TW]: Coverage-based grey-box fuzzing has become the mainstream standard for discovering software vulnerabilities. Although modern fuzzers such as AFL++ rely on edge coverage to guide program exploration, they mainly adopt seed-granularity scheduling, treating every edge in a seed's execution trace as equally valuable. This coarse-grained approach ignores the differences in exploration potential among individual control-flow edges, so mutation energy is allocated inefficiently to "common" edges that offer diminishing returns.
In this thesis we propose EdgeFuzz, a novel fuzzing framework that shifts the scheduling paradigm from seed-centric to edge-centric. EdgeFuzz models the fuzzing process as a Multi-Armed Bandit (MAB) problem in which each control-flow edge represents an arm. By applying the Upper Confidence Bound (UCB) algorithm, it dynamically quantifies the exploration potential of each edge and aggregates these scores to prioritize seeds that traverse high-value, under-explored paths.
In addition, we introduce an edge-targeted mutation strategy that learns the mapping between input bytes and critical edges, enabling precise structural mutations. We implemented EdgeFuzz on top of AFL++ and compared it against five state-of-the-art fuzzers on the UniBench suite. Experimental results show that, compared with the best-performing baseline, EdgeFuzz increases edge coverage by up to 5.6%, finds 41.6% more unique crashes, and additionally identifies three real-world vulnerabilities. These findings confirm that a fine-grained, edge-aware feedback mechanism can significantly improve the effectiveness of fuzzing techniques.
dc.description.abstract [en]: Coverage-based grey-box fuzzing has established itself as the common standard for discovering software vulnerabilities. While modern fuzzers like AFL++ rely on edge coverage to guide exploration, they predominantly employ seed-granularity scheduling, treating all edges within a seed's execution trace as equally valuable. This coarse-grained approach fails to account for the heterogeneous exploration potential of individual control-flow edges, leading to the inefficient allocation of mutation energy to "common" edges that offer diminishing returns. In this paper, we present EDGEFUZZ, a novel fuzzing framework that shifts the scheduling paradigm from seed-centric to edge-centric. EDGEFUZZ models the fuzzing process as a Multi-Armed Bandit (MAB) problem where individual control-flow edges represent arms. By utilizing the Upper Confidence Bound (UCB) algorithm, it dynamically quantifies the exploration potential of each edge and aggregates these scores to prioritize seeds traversing high-value, under-explored paths. Furthermore, we introduce an edge-targeted mutation strategy that learns the mapping between input bytes and critical edges, enabling precise structural mutations. We implemented EDGEFUZZ on top of AFL++ and evaluated it against five state-of-the-art fuzzers on the UniBench suite. Experimental results indicate that EDGEFUZZ achieves an increase in edge coverage of up to 5.6%, reveals 41.6% more unique crashes, and identifies three additional real-world vulnerabilities when compared to the most effective baseline. These findings confirm that fine-grained, edge-aware feedback significantly enhances the efficacy of fuzzing techniques.
dc.description.provenance [en]: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2026-04-08T16:16:30Z. No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2026-04-08T16:16:30Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from the Oral Examination Committee ........... i
Acknowledgements ................................................... iii
摘要 ............................................................... v
Abstract ........................................................... vii
Contents ........................................................... ix
List of Figures ................................................... xiii
List of Tables .................................................... xv
Denotation ........................................................ xvii

Chapter 1 Introduction ............................................. 1

Chapter 2 Background ............................................... 5
2.1 Coverage-Based Grey-Box Fuzzing ................................ 5
2.2 Multi-Armed Bandit Algorithm ................................... 6

Chapter 3 Motivation ............................................... 9
3.1 The Heterogeneity of Edge Exploration .......................... 9
3.2 The Accessibility Gap ......................................... 10
3.3 Motivating Example ............................................ 10

Chapter 4 Methodology ............................................. 13
4.1 Methodology ................................................... 13
4.1.1 Overview ................................................ 13
4.1.2 Adaptive Edge-Aware Scheduling .......................... 13
4.1.2.1 Edge Exploration Potential ...................... 14
4.1.2.2 Seed Prioritization via Value Density ........... 15
4.1.3 Edge-Targeted Mutation .................................. 16
4.1.3.1 Rare Edge Identification ........................ 16
4.1.3.2 Important Position Extraction ................... 17

Chapter 5 Implementation .......................................... 19
5.1 Implementation ................................................ 19

Chapter 6 Evaluation .............................................. 21
6.1 Evaluation .................................................... 21
6.1.1 Experimental Setup ...................................... 22
6.1.1.1 Benchmark ....................................... 22
6.1.1.2 Baselines ....................................... 22
6.1.1.3 Environment ..................................... 23
6.1.2 RQ1: Edge Heterogeneity ................................. 23
6.1.2.1 Metric Definition ............................... 23
6.1.2.2 Target Statistics ............................... 24
6.1.2.3 Distribution Analysis ........................... 24
6.1.2.4 Summary ......................................... 25
6.1.3 RQ2: Exploration Efficiency ............................. 26
6.1.3.1 Metric Definition ............................... 26
6.1.3.2 Quantitative Comparison ......................... 27
6.1.3.3 Analysis of Results ............................. 27
6.1.3.4 Summary ......................................... 28
6.1.4 RQ3: Hyperparameter ..................................... 28
6.1.4.1 Quantitative Evaluation ......................... 29
6.1.4.2 Analysis of Trade-offs .......................... 29
6.1.5 RQ4: Coverage ........................................... 30
6.1.5.1 Overall Performance ............................. 31
6.1.5.2 Temporal Coverage Growth ........................ 31
6.1.5.3 Case Study – Deep Logic in tiffsplit ............ 32
6.1.6 RQ5: Crash Discovery .................................... 33
6.1.6.1 Metric Definition: Unique Crash ................. 34
6.1.6.2 Quantitative Analysis ........................... 34
6.1.6.3 Causal Analysis ................................. 35
6.1.6.4 Summary ......................................... 36
6.1.7 RQ6: Real-world Impact .................................. 36
6.1.7.1 Comparative Results ............................. 37
6.1.7.2 Case Study – Exclusive Detections ............... 37
6.1.8 RQ7: Overhead ........................................... 38

Chapter 7 Discussion and Limitation ............................... 39
7.1 Discussion and Limitation ..................................... 39

Chapter 8 Conclusion .............................................. 41
8.1 Conclusion .................................................... 41

References ........................................................ 43
dc.language.iso: en
dc.subject: Software Testing
dc.subject: Software Security
dc.subject: Grey-Box Testing
dc.subject: Software Testing
dc.subject: Software Security
dc.subject: Coverage-Based Greybox Fuzzing
dc.title [zh_TW]: EdgeFuzz: Prioritizing High-Value Control-Flow Paths for Grey-Box Fuzzing
dc.title [en]: EdgeFuzz: Prioritizing High-Value Control-Flow Edges in Greybox Fuzzing
dc.type: Thesis
dc.date.schoolyear: 114-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee [zh_TW]: 李念澤; 陳銘憲; 黃世昆; 梁德容
dc.contributor.oralexamcommittee [en]: Nian-Ze Lee; Ming-Syan Chen; Shih-Kun Huang; Deron Liang
dc.subject.keyword [zh_TW]: Software Testing, Software Security, Grey-Box Testing
dc.subject.keyword [en]: Software Testing, Software Security, Coverage-Based Greybox Fuzzing
dc.relation.page: 47
dc.identifier.doi: 10.6342/NTU202600849
dc.rights.note: Authorization granted (open access worldwide)
dc.date.accepted: 2026-03-23
dc.contributor.author-college: College of Electrical Engineering and Computer Science
dc.contributor.author-dept: Department of Electrical Engineering
dc.date.embargo-lift: 2026-04-09
Appears in collections: Department of Electrical Engineering

Files in this item:
File: ntu-114-2.pdf, Size: 1.67 MB, Format: Adobe PDF