DynamicFuzz: Confidence-based directed greybox fuzzing for programs with unreliable call graphs

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-10-01 DOI:10.1016/j.cose.2025.104691

Hao Jiang, Kang Wang, Yujie Yang, Shan Zhong, Shuai Zhang, Chengjie Liu, Xiarun Chen, Weiping Wen

{"title":"DynamicFuzz: Confidence-based directed greybox fuzzing for programs with unreliable call graphs","authors":"Hao Jiang, Kang Wang, Yujie Yang, Shan Zhong, Shuai Zhang, Chengjie Liu, Xiarun Chen, Weiping Wen","doi":"10.1016/j.cose.2025.104691","DOIUrl":null,"url":null,"abstract":"<div><div>Directed greybox fuzzing (DGF) is a security testing technique designed to test specific targets. Current DGF techniques face challenges due to the dynamic nature of indirect calls. The main challenges include mitigating the influence of indirect call omissions and misjudgments on seed guidance and guiding fuzzing on unreliable function call graphs.</div><div>This paper introduces DynamicFuzz, a novel dynamic guidance mechanism that uses the confidence of indirect calls to update the call graph and adjust path priorities during fuzzing. Our key insight is that functions connected by indirect calls tend to form function islands in the call graph. These islands help focus fuzzing on critical areas, improving both guidance efficiency and control over complex program structures. DynamicFuzz also incorporates two depth metrics – function depth and island depth – to better estimate the importance of each path. Based on this, DynamicFuzz employs four guiding strategies: the Target Function Selection Strategy, the Function Island Prioritization Strategy, the High-Confidence Path Prioritization Strategy, and the Deep Indirect Call Prioritization Strategy. These strategies allow DynamicFuzz to guide fuzzing effectively even when the call graph is unreliable. We evaluate DynamicFuzz on 17 benchmarks from three test suites. Compared to AFLGo, AFL, and FairFuzz, it reaches target locations 5.64<span><math><mo>×</mo></math></span> , 3.01<span><math><mo>×</mo></math></span> , and 2.89<span><math><mo>×</mo></math></span> faster, and detects target crashes 69.8<span><math><mo>×</mo></math></span> , 48.37<span><math><mo>×</mo></math></span> , and 161.20<span><math><mo>×</mo></math></span> faster, respectively. Additionally, DynamicFuzz discovered 8 CVEs from the real world.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104691"},"PeriodicalIF":5.4000,"publicationDate":"2025-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003803","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Directed greybox fuzzing (DGF) is a security testing technique designed to test specific targets. Current DGF techniques face challenges due to the dynamic nature of indirect calls. The main challenges include mitigating the influence of indirect call omissions and misjudgments on seed guidance and guiding fuzzing on unreliable function call graphs.

This paper introduces DynamicFuzz, a novel dynamic guidance mechanism that uses the confidence of indirect calls to update the call graph and adjust path priorities during fuzzing. Our key insight is that functions connected by indirect calls tend to form function islands in the call graph. These islands help focus fuzzing on critical areas, improving both guidance efficiency and control over complex program structures. DynamicFuzz also incorporates two depth metrics – function depth and island depth – to better estimate the importance of each path. Based on this, DynamicFuzz employs four guiding strategies: the Target Function Selection Strategy, the Function Island Prioritization Strategy, the High-Confidence Path Prioritization Strategy, and the Deep Indirect Call Prioritization Strategy. These strategies allow DynamicFuzz to guide fuzzing effectively even when the call graph is unreliable. We evaluate DynamicFuzz on 17 benchmarks from three test suites. Compared to AFLGo, AFL, and FairFuzz, it reaches target locations 5.64

\times

, 3.01

\times

, and 2.89

\times

faster, and detects target crashes 69.8

\times

, 48.37

\times

, and 161.20

\times

faster, respectively. Additionally, DynamicFuzz discovered 8 CVEs from the real world.

查看原文本刊更多论文

DynamicFuzz：针对具有不可靠调用图的程序的基于信任的定向灰盒模糊测试

定向灰盒模糊测试（DGF）是一种用于测试特定目标的安全测试技术。由于间接调用的动态性，当前的DGF技术面临挑战。主要的挑战包括减轻间接调用遗漏和错误判断对种子引导的影响以及对不可靠函数调用图的引导模糊。DynamicFuzz是一种新的动态引导机制，它利用间接调用的置信度来更新调用图并在模糊过程中调整路径优先级。我们的主要见解是，通过间接调用连接的函数倾向于在调用图中形成功能孤岛。这些孤岛有助于将模糊集中在关键区域，提高制导效率和对复杂项目结构的控制。DynamicFuzz还结合了两个深度指标——函数深度和岛屿深度——以更好地估计每条路径的重要性。在此基础上，DynamicFuzz采用了四种指导策略：目标功能选择策略、功能岛优先级策略、高置信度路径优先级策略和深度间接呼叫优先级策略。这些策略允许DynamicFuzz在调用图不可靠的情况下有效地指导模糊测试。我们在三个测试套件的17个基准上评估DynamicFuzz。与AFLGo、AFL和FairFuzz相比，它到达目标位置的速度分别快5.64倍、3.01倍和2.89倍，检测目标崩溃的速度分别快69.8倍、48.37倍和161.20倍。此外，DynamicFuzz从现实世界中发现了8个cve。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.