Program analysis and automated testing have recently become an essential part of the SSDLC. Directed greybox fuzzing is one of the most popular automated testing methods; it focuses on error detection in predefined code regions. However, it still lacks the ability to overcome difficult program constraints. This problem can be well addressed by symbolic execution, but at the cost of lower performance. Thus, combining directed fuzzing and symbolic execution techniques can lead to more efficient error detection. In this paper, we propose a hybrid approach to directed fuzzing with a novel seed scheduling algorithm based on target-related interestingness and coverage. The approach also performs minimization and sorting of objective seeds according to target-related information. We implement our approach in the Sydr-Fuzz tool, using LibAFL-DiFuzz as the directed fuzzer and Sydr as the dynamic symbolic executor. We evaluate our approach with the Time to Exposure metric and compare it with pure LibAFL-DiFuzz, AFLGo, BEACON, WAFLGo, WindRanger, FishFuzz, and Prospector. The results show an improvement for 3 out of 7 examples, with a speedup of up to 1.86 times over the second best result, as well as a significant improvement for 3 out of 7 examples over the pure LibAFL-DiFuzz fuzzer. The Sydr-Fuzz hybrid approach to directed fuzzing shows high performance and helps to improve directed fuzzing efficiency.
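To make the two ideas in the abstract concrete (a seed scheduler driven by target-related interestingness plus coverage, and minimization and sorting of the seeds that reach a target), here is a small illustrative implementation. It is an added example written for this page, not code from Sydr-Fuzz or LibAFL-DiFuzz; the scoring formula, the weights, the `Seed` fields and the sample corpus are all constructed assumptions, chosen only to show the shape of such a scheduler, not the paper's actual algorithm.

```python
"""Illustrative directed-fuzzing seed scheduling (constructed example, not Sydr-Fuzz code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Seed:
    name: str
    edges: FrozenSet[str]        # coverage edges this input exercised (hypothetical field)
    targets_hit: FrozenSet[str]  # target sites this input reached (hypothetical field)
    min_distance: float          # smallest CFG distance to any target, 0.0 = reached (hypothetical)


def interestingness(seed: Seed, global_edges: Set[str]) -> float:
    """Assumed scoring formula: reached targets weigh most, proximity to a target
    next, and edges not yet seen globally add a small coverage bonus."""
    new_edges = len(seed.edges - global_edges)
    proximity = 1.0 / (1.0 + seed.min_distance)
    return 10.0 * len(seed.targets_hit) + 5.0 * proximity + 0.1 * new_edges


def schedule(seeds: List[Seed]) -> List[Seed]:
    """Order the corpus highest-score first. Global coverage is updated after each
    pick so a seed's 'new edge' bonus only counts edges earlier picks did not cover."""
    remaining = list(seeds)
    covered: Set[str] = set()
    order: List[Seed] = []
    while remaining:
        best = max(remaining, key=lambda s: interestingness(s, covered))
        order.append(best)
        covered |= best.edges
        remaining.remove(best)
    return order


def minimize_objectives(seeds: List[Seed]) -> List[Seed]:
    """Greedy set cover over targets: keep the fewest target-reaching seeds that still
    cover every target any seed reaches, then sort by targets reached (descending),
    with the name as a deterministic tie-breaker."""
    uncovered: Set[str] = set().union(*(s.targets_hit for s in seeds))
    candidates = [s for s in seeds if s.targets_hit]
    chosen: List[Seed] = []
    while uncovered and candidates:
        best = max(candidates, key=lambda s: (len(s.targets_hit & uncovered), s.name))
        if not best.targets_hit & uncovered:
            break  # nothing left adds coverage of a target
        chosen.append(best)
        uncovered -= best.targets_hit
        candidates.remove(best)
    return sorted(chosen, key=lambda s: (-len(s.targets_hit), s.name))


# Constructed sample corpus: four inputs with made-up edges, targets and distances.
CORPUS = [
    Seed("a", frozenset({"e1", "e2"}), frozenset(), 3.0),
    Seed("b", frozenset({"e1", "e3"}), frozenset({"t1"}), 0.0),
    Seed("c", frozenset({"e4"}), frozenset(), 1.0),
    Seed("d", frozenset({"e3", "e5"}), frozenset({"t1", "t2"}), 0.0),
]


def scheduled_names() -> List[str]:
    return [s.name for s in schedule(CORPUS)]


def minimized_names() -> List[str]:
    return [s.name for s in minimize_objectives(CORPUS)]


if __name__ == "__main__":
    print("schedule order:", scheduled_names())
    print("minimized objective seeds:", minimized_names())
```

On the sample corpus the scheduler picks `d` (two targets reached) before `b` (one target), then `c` (closest of the non-reaching seeds), then `a`; the minimization keeps only `d`, since it alone covers every target reached by any seed. In a real hybrid setup the objective seeds kept this way are the ones worth handing to the symbolic executor, because they already sit on paths near the targets.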