In this paper, we propose a novel directed fuzzing solution named AFLRun, which features a target path-diversity metric and unbiased energy assignment. First, we develop a new coverage metric by maintaining an extra virgin map for each covered target to track the coverage status of the seeds that hit that target. This approach allows waypoints that hit a target through an interesting path to be stored in the corpus, enriching the path diversity for each target. Additionally, we propose a corpus-level energy assignment strategy that guarantees fairness for each target. AFLRun starts with uniform target weights and propagates these weights to seeds to obtain a desired seed weight distribution. By assigning energy to each seed in the corpus according to this desired distribution, a precise and unbiased energy assignment is achieved. We built a prototype system and assessed its performance using a standard benchmark and several extensively fuzzed real-world applications. The evaluation results demonstrate that AFLRun outperforms state-of-the-art fuzzers in vulnerability detection, both in quantity and speed. Moreover, AFLRun uncovered 29 previously unknown vulnerabilities, including 8 CVEs, across four distinct programs.
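As an added illustration of the two mechanisms the abstract describes (it is example code written for this page, not code from the AFLRun paper or its prototype), the Python model below keeps one "virgin map" per target so that an input is retained when it shows new coverage for any target it hits, and then derives seed energy from uniform target weights. The virgin map is simplified to a set of seen edges (AFL's real map is a bucketed hit-count bitmap), the seeds and targets are constructed, and the propagation rule (a target's weight split equally among the seeds that hit it) is an assumption made for the example, since the abstract does not specify it.

```python
"""Simplified model of per-target virgin maps and corpus-level energy
assignment, in the style described by the AFLRun abstract.
Example code for this page, not the AFLRun implementation."""

from typing import Dict, List, Set, Tuple


class Seed:
    """A corpus entry: the CFG edges it covers and the targets it reaches."""

    def __init__(self, name: str, edges: Set[int], targets: Set[str]):
        self.name = name
        self.edges = frozenset(edges)
        self.targets = frozenset(targets)


class TargetMaps:
    """One 'virgin map' per target: edges already seen by some seed that hit
    that target. Modelled as a set rather than AFL's hit-count bitmap."""

    def __init__(self, targets: Set[str]):
        self.seen: Dict[str, Set[int]] = {t: set() for t in targets}

    def targets_with_new_coverage(self, seed: Seed) -> List[str]:
        """Targets for which this seed covers an edge not yet seen by any
        seed that hit the same target. Empty list means the seed adds no
        path diversity for any target it reaches."""
        return sorted(t for t in seed.targets if seed.edges - self.seen[t])

    def record(self, seed: Seed) -> None:
        for t in seed.targets:
            self.seen[t] |= seed.edges


def triage(candidates: List[Seed], targets: Set[str]) -> Tuple[List[Seed], TargetMaps]:
    """Keep a candidate only if it is 'interesting' for at least one target."""
    maps = TargetMaps(targets)
    corpus: List[Seed] = []
    for s in candidates:
        if maps.targets_with_new_coverage(s):
            corpus.append(s)
            maps.record(s)
    return corpus, maps


def seed_weights(corpus: List[Seed], targets: Set[str]) -> Dict[str, float]:
    """Start from a uniform target weight 1/|T| and propagate it to seeds.
    Assumed rule: each target's weight is split equally among the corpus
    seeds that hit it, so a target hit by few seeds is not starved."""
    weights = {s.name: 0.0 for s in corpus}
    for t in targets:
        hitters = [s for s in corpus if t in s.targets]
        if not hitters:
            continue  # uncovered target: no seed can carry its weight yet
        share = 1.0 / len(targets) / len(hitters)
        for s in hitters:
            weights[s.name] += share
    return weights


def assign_energy(corpus: List[Seed], targets: Set[str], total_energy: int) -> Dict[str, int]:
    """Distribute a fixed energy budget over the corpus in proportion to
    the desired seed weight distribution."""
    return {name: round(total_energy * w) for name, w in seed_weights(corpus, targets).items()}


# Constructed sample: two targets, six candidate inputs in arrival order.
TARGETS = {"T1", "T2"}
CANDIDATES = [
    Seed("s1", {1, 2, 3}, {"T1"}),        # first input to reach T1: kept
    Seed("s2", {1, 2}, {"T1"}),           # nothing new for T1: dropped
    Seed("s3", {1, 4}, {"T1", "T2"}),     # new edge 4 for T1, first hit of T2: kept
    Seed("s4", {1, 2, 3}, {"T2"}),        # same edges as s1, but new for T2's map: kept
    Seed("s5", {4}, {"T1", "T2"}),        # already seen by both targets' maps: dropped
    Seed("s6", {5}, {"T1"}),              # new edge 5 for T1: kept
]


def corpus_names() -> List[str]:
    corpus, _ = triage(CANDIDATES, TARGETS)
    return [s.name for s in corpus]


def energy_table(total_energy: int = 1200) -> Dict[str, int]:
    corpus, _ = triage(CANDIDATES, TARGETS)
    return assign_energy(corpus, TARGETS, total_energy)


if __name__ == "__main__":
    print("corpus:", corpus_names())
    print("energy:", energy_table())
```

Note that s4 covers exactly the edges of s1, so a single global coverage map would discard it; the per-target map keeps it because those edges are new among inputs that reach T2. In the energy step T1 is hit by three corpus seeds and T2 by two, so each T2 seed receives a larger share, keeping the total effort per target equal.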