Directed grey-box fuzzing (DGF) is a target-guided form of fuzzing intended for testing specific targets (e.g., potentially buggy code). Despite the numerous techniques proposed to enhance directedness, existing DGF techniques still face challenges, such as accounting for the differing difficulty of reaching different basic blocks when designing the fitness metric, and making symbolic execution (SE) effective when solving the complex constraints on the path to the target. In this paper, we propose a directed hybrid fuzzer called HyperGo. To address these challenges, we introduce the concept of path probability and combine it with distance to form an adaptive fitness metric called probability-based distance. By combining the two factors, probability-based distance can adaptively guide DGF toward paths that are closer to the target and have more easily satisfied path constraints. We then put forward an Optimized Symbolic Execution Complementary (OSEC) scheme to combine DGF and SE in a complementary manner. OSEC prunes unreachable branches and unsolvable branches, and prioritizes symbolic execution of the seeds whose paths are closer to the target and contain more branches that are difficult for DGF to cover. We evaluated HyperGo on 2 benchmarks consisting of 21 programs with a total of 100 target sites. The experimental results show that HyperGo achieves 38.47$\times$, 30.89$\times$, 28.52$\times$, 106.09$\times$ and 143.22$\times$ speedup over AFLGo, AFLGoSy, BEACON, WindRanger, and ParmeSan, respectively, in reaching target sites, and 3.44$\times$, 3.63$\times$, 4.10$\times$, 3.26$\times$, and 3.00$\times$ speedup in exposing known vulnerabilities. Moreover, HyperGo discovered 37 undisclosed vulnerabilities in 7 real-world programs.
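To make the idea of a probability-based distance concrete, here is an added illustration that is not HyperGo's code and not the paper's formula: it ranks seeds by the distance of their closest block to the target divided by an estimated probability of reaching the target from there, so that between two seeds at equal distance the one facing easier-to-satisfy branches is scheduled first, and paths that cannot reach the target are pruned. The control-flow graph, the seed corpus, the add-one-smoothed branch-probability estimator and the division form of the metric are all assumptions made for this example.

```python
from collections import deque
from math import inf

# Constructed CFG (block -> successors); "target" is the site the fuzzer is directed at.
CFG = {
    "entry": ["check_magic", "usage"],
    "check_magic": ["parse_a", "parse_b", "bail"],
    "parse_a": ["target", "bail"],
    "parse_b": ["target", "bail"],
    "usage": [], "bail": [], "target": [],
}

def block_distances(cfg, target):
    """Edge count from each block to the target (reverse BFS); inf = cannot reach it."""
    preds = {b: [p for p, succs in cfg.items() if b in succs] for b in cfg}
    dist, queue = {b: 0 if b == target else inf for b in cfg}, deque([target])
    while queue:
        b = queue.popleft()
        for p in preds[b]:
            if dist[p] == inf:
                dist[p] = dist[b] + 1
                queue.append(p)
    return dist
def branch_probabilities(cfg, paths):
    """P(edge taken | block reached) from seed paths, add-one smoothed (assumed estimator)."""
    hits = {b: {s: 1 for s in succs} for b, succs in cfg.items()}
    for path in paths:
        for b, nxt in zip(path, path[1:]):
            hits[b][nxt] += 1
    return {b: {s: n / sum(h.values()) for s, n in h.items()} for b, h in hits.items()}
def reach_probability(block, dist, prob):
    """Best estimated probability of reaching the target from block via a shortest path."""
    if dist[block] == 0:
        return 1.0
    return max(prob[block][s] * reach_probability(s, dist, prob)
               for s in prob[block] if dist[s] == dist[block] - 1)
def probability_based_distance(path, dist, prob):
    """Assumed fitness: frontier distance / probability of reaching the target from it."""
    frontier = min(path, key=dist.get)  # block on the path closest to the target
    return inf if dist[frontier] == inf else dist[frontier] / reach_probability(frontier, dist, prob)
def rank_seeds(cfg, target, seeds):
    dist = block_distances(cfg, target)
    prob = branch_probabilities(cfg, seeds.values())
    scores = {n: probability_based_distance(p, dist, prob) for n, p in seeds.items()}
    return sorted(scores, key=scores.get), scores

# Constructed corpus: five seeds stall at parse_a's check, one at parse_b's, one earlier.
SEEDS = {f"a{i}": ["entry", "check_magic", "parse_a", "bail"] for i in range(5)}
SEEDS.update(b1=["entry", "check_magic", "parse_b", "bail"], c1=["entry", "check_magic", "bail"])
```

With this corpus `rank_seeds(CFG, "target", SEEDS)` puts `b1` ahead of the `a` seeds although both sit one edge from the target, because the repeated failures at `parse_a` have lowered that branch's estimated probability.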