In this paper, we propose a novel directed fuzzing solution named AFLRun, which features a target path-diversity metric and unbiased energy assignment. First, we develop a new coverage metric by maintaining an extra virgin map for each covered target to track the coverage status of the seeds that hit that target. This lets the fuzzer store in the corpus waypoints that hit a target through an interesting path, enriching the path diversity for each target. Second, we propose a corpus-level energy assignment strategy that guarantees fairness for each target. AFLRun starts with a uniform target weight and propagates this weight to seeds to obtain a desired seed weight distribution. By assigning energy to each seed in the corpus according to this desired distribution, a precise and unbiased energy assignment is achieved. We built a prototype system and assessed its performance on a standard benchmark and several extensively fuzzed real-world applications. The evaluation results demonstrate that AFLRun outperforms state-of-the-art fuzzers in vulnerability detection, both in quantity and in speed. Moreover, AFLRun uncovered 29 previously unidentified vulnerabilities, including 8 CVEs, across four distinct programs.
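The two mechanisms the abstract describes, per-target virgin maps and target-fair, corpus-level energy assignment, modelled as an added Python sketch. This is illustration code, not AFLRun's implementation (AFLRun is an AFL++ fork written in C). Assumptions made here: an edge trace is a Python set of integer edge ids and a virgin map is a set of already-seen edges, standing in for AFL's byte bitmap; a target's weight is split equally among the seeds that hit it; and seeds that hit no target receive no energy. The constructed corpus at the bottom has one target reached by three seeds and another reached by only one, which is exactly the situation where per-seed scheduling starves the harder target.

```python
from collections import defaultdict


def new_virgin_maps():
    """One virgin map per target, created lazily on first hit.
    Assumption: a set of edge ids instead of AFL's 64 KiB byte bitmap."""
    return defaultdict(set)


def is_interesting_for_target(virgin_maps, target, trace):
    """True if `trace` covers an edge that no earlier seed hitting `target`
    covered; those edges are then marked as seen for that target only."""
    virgin = virgin_maps[target]
    new_edges = trace - virgin
    if not new_edges:
        return False
    virgin.update(new_edges)
    return True


def triage_seed(virgin_maps, targets_hit, trace):
    """Return the targets for which this execution is a worthwhile waypoint.
    A trace that is stale under a single global map can still be new for a
    particular target, which is what keeps per-target path diversity growing."""
    return [t for t in targets_hit if is_interesting_for_target(virgin_maps, t, trace)]


def desired_seed_weights(corpus):
    """Corpus-level weighting. `corpus` maps seed id -> set of targets it hits.
    Every target starts with weight 1/|T|; that weight is propagated to the
    seeds hitting it (assumption: split equally) and summed per seed."""
    targets = set().union(*corpus.values())
    weights = defaultdict(float)
    for t in targets:
        hitters = [s for s, hit in corpus.items() if t in hit]
        for s in hitters:
            weights[s] += 1.0 / len(targets) / len(hitters)
    return dict(weights)


def assign_energy(corpus, total_energy):
    """Distribute `total_energy` over the corpus following the desired
    distribution; seeds that hit no target get 0 under this toy model."""
    weights = desired_seed_weights(corpus)
    return {s: total_energy * weights.get(s, 0.0) for s in corpus}


def naive_energy(corpus, total_energy):
    """Baseline for comparison: equal energy per seed, ignoring targets."""
    return {s: total_energy / len(corpus) for s in corpus}


def energy_per_target(corpus, energy):
    """Aggregate the energy each target receives through the seeds that hit it."""
    per_target = defaultdict(float)
    for s, hit in corpus.items():
        for t in hit:
            per_target[t] += energy[s]
    return dict(per_target)


if __name__ == "__main__":
    # Constructed corpus: target A is easy to reach (three seeds), B is hard (one seed).
    corpus = {"s1": {"A"}, "s2": {"A"}, "s3": {"A"}, "s4": {"B"}}
    print("per-seed  :", energy_per_target(corpus, naive_energy(corpus, 120)))
    print("per-target:", energy_per_target(corpus, assign_energy(corpus, 120)))

    # Per-target virgin maps: the same edges are new for B even after A saw them.
    vm = new_virgin_maps()
    print(triage_seed(vm, ["A"], {1, 2}), triage_seed(vm, ["A"], {1, 2}),
          triage_seed(vm, ["B"], {1, 2}))
```

With the constructed corpus, equal per-seed energy hands target A three quarters of the budget because three seeds reach it, while propagating a uniform target weight gives A and B half each; a seed that reaches several targets simply accumulates a share from each of them.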