Fuzzing has emerged as a powerful technique for finding security bugs in complicated real-world applications. American fuzzy lop (AFL), a leading fuzzing tool, has demonstrated its bug-finding ability through a vast number of reported CVEs. However, its random mutation strategy is unable to generate test inputs that satisfy complicated branching conditions (e.g., magic-byte comparisons, checksum tests, and nested if-statements), which are common in image decoders/encoders, XML parsers, and checksum tools. Existing approaches to this problem (such as Steelix and Neuzz) rest on unrealistic assumptions, e.g., that a branch condition can be satisfied byte by byte, or that the important bytes of the input (called hot-bytes) can be identified and focused on once and for all. In this work, we propose an approach called \tool, which is designed according to the following principles. First, the relation between inputs and branching conditions is complicated, so we need not only an expressive model to capture this relationship but also an informative measure so that it can be learned effectively. Second, different branching conditions demand different hot-bytes, so the fuzzing strategy must be adjusted adaptively depending on which branches are the current bottleneck. We implement our approach as an open-source project and compare its efficiency with other state-of-the-art fuzzers. Our evaluation on 10 real-world programs and the LAVA-M dataset shows that \tool achieves sustained increases in branch coverage and discovers more bugs than other fuzzers.
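The two principles above, illustrated with an added toy example that is not the paper's implementation: a per-branch distance measure gives a mutator a direction where the bare taken/not-taken outcome does not, and the hot-bytes that matter differ from one branch (a magic-byte check) to the next (a checksum check). The target checks, the seed input and the helper names are constructed for this illustration.

```python
# Added illustration, not the paper's implementation: a per-branch distance
# measure gives a mutator direction where a bare taken/not-taken bit does not,
# and each branch has its own hot-bytes (constructed toy checks, no real target).
MAGIC = b"\x89PNG"

def magic_outcome(data: bytes) -> int:
    """Bare branch outcome, the only feedback a coverage-only fuzzer sees."""
    return 0 if data[:4] == MAGIC else 1

def magic_distance(data: bytes) -> int:
    """Informative measure for `if data[:4] == MAGIC`: 0 when satisfied."""
    head = data[:4].ljust(4, b"\x00")
    return sum(abs(a - b) for a, b in zip(head, MAGIC))

def checksum_distance(data: bytes) -> int:
    """Measure for a second branch: `if sum(data[4:8]) % 256 == data[8]`."""
    return abs(sum(data[4:8]) % 256 - data[8])

def hot_bytes(data: bytes, measure) -> list[int]:
    """Offsets whose perturbation changes `measure`; the set differs per branch."""
    base = measure(data)
    hot = []
    for i in range(len(data)):
        for delta in (1, 0x80):          # small step and high-bit flip
            probe = bytearray(data)
            probe[i] = (probe[i] + delta) % 256
            if measure(bytes(probe)) != base:
                hot.append(i)
                break
    return hot

def directed_mutate(data: bytes, measure, rounds: int = 300) -> bytes:
    """Coordinate descent over the hot-bytes only, keeping any step that lowers
    the distance; stops once the branch is satisfied (distance 0)."""
    best, best_d = data, measure(data)
    hot = hot_bytes(data, measure)
    for _ in range(rounds):
        if best_d == 0 or not hot:
            break
        for i in hot:
            for delta in (1, -1):
                cand = bytearray(best)
                cand[i] = (cand[i] + delta) % 256
                d = measure(bytes(cand))
                if d < best_d:
                    best, best_d = bytes(cand), d
    return best
```

With a seed of zeros in the magic field, `hot_bytes(seed, magic_outcome)` is empty (no single-byte change flips the branch), while `magic_distance` exposes offsets 0 to 3 and `checksum_distance` exposes offsets 4 to 8, so the mutator is steered to different bytes for each branch.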