Directed fuzzing is a dynamic testing technique that focuses exploration on specific, pre-targeted program locations. Like other types of fuzzers, directed fuzzers are most effective when they maximize both testing speed and precision. To this end, recent directed fuzzers have begun leveraging path pruning: preventing the wasteful testing of program paths deemed irrelevant to reaching a desired target location. Yet, despite code pruning's substantial speedup, current approaches are imprecise: they fail to capture indirect control flow, and so require additional dynamic analyses that diminish directed fuzzers' speed. Thus, without code pruning that is both fast and precise, directed fuzzers' effectiveness will remain limited. This paper tackles the challenge of upholding both speed and precision in pruning-based directed fuzzing. We show that existing pruning approaches fail to recover common-case indirect control flow, and identify opportunities to enhance them with lightweight heuristics, namely function signature matching, enabling them to maximize precision without the burden of dynamic analysis. We implement our enhanced pruning as a prototype, TOPr (Target Oriented Pruning), and evaluate it against the leading pruning-based and pruning-agnostic directed fuzzers, SieveFuzz and AFLGo. We show that TOPr's enhanced pruning outperforms these fuzzers in (1) speed (achieving 222% and 73% higher test case throughput, respectively); (2) reachability (achieving 149% and 9% more target-relevant coverage, respectively); and (3) bug discovery time (triggering bugs 85% and 8% faster, respectively). Furthermore, TOPr's balance of speed and precision enables it to find 24 new bugs in 5 open source applications, with 18 confirmed by developers, 12 labelled as "Priority - 1. High", and 12 fixed, underscoring the effectiveness of our framework.
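To make the pruning-precision argument concrete, the following added example models target-oriented call-graph pruning under three ways of handling indirect call sites: ignoring them, linking every address-taken function, and linking only address-taken functions whose type matches the call site's function-pointer type (the signature-matching heuristic the abstract names). This is illustrative code written for this page, not TOPr's, SieveFuzz's or AFLGo's implementation; the toy program model, its function names and signatures, and the three mode names are constructed assumptions.

```python
from collections import deque

# Constructed toy program model (not taken from the paper). Each function
# records its C type signature, its direct callees, and the function-pointer
# types it invokes at indirect call sites. run() dispatches to a decoder
# through a pointer of type int(const char*,size_t); the target is the
# inflate_chunk() routine reached only through decode_png().
FUNCTIONS = {
    "main":          {"sig": "int(int,char**)",           "direct": ["parse_args", "run"], "indirect": []},
    "parse_args":    {"sig": "int(int,char**)",           "direct": [],                    "indirect": []},
    "run":           {"sig": "void(struct ctx*)",         "direct": [],                    "indirect": ["int(const char*,size_t)"]},
    "decode_png":    {"sig": "int(const char*,size_t)",   "direct": ["inflate_chunk"],     "indirect": []},
    "decode_bmp":    {"sig": "int(const char*,size_t)",   "direct": [],                    "indirect": []},
    "log_msg":       {"sig": "void(const char*)",         "direct": [],                    "indirect": []},
    "dump_chunk":    {"sig": "void(struct chunk*)",       "direct": ["inflate_chunk"],     "indirect": []},
    "inflate_chunk": {"sig": "int(unsigned char*,size_t)", "direct": [],                   "indirect": []},
}
# Functions whose address is taken somewhere (hypothetical): only these can
# ever be the callee of an indirect call.
ADDRESS_TAKEN = {"decode_png", "decode_bmp", "log_msg", "dump_chunk"}
ENTRY, TARGET = "main", "inflate_chunk"


def build_call_graph(mode):
    """Return {caller: set(callees)} with indirect call sites resolved as:
    "none"      - indirect edges dropped (direct-call-only pruning),
    "all"       - every address-taken function is a candidate (over-approximate),
    "signature" - only address-taken functions whose signature equals the
                  call site's function-pointer type (signature matching)."""
    graph = {f: set(info["direct"]) for f, info in FUNCTIONS.items()}
    if mode == "none":
        return graph
    for caller, info in FUNCTIONS.items():
        for ptr_type in info["indirect"]:
            for cand in ADDRESS_TAKEN:
                if mode == "all" or FUNCTIONS[cand]["sig"] == ptr_type:
                    graph[caller].add(cand)
    return graph


def reachable(graph, start):
    """Plain BFS closure over a {node: set(successors)} map."""
    seen, work = {start}, deque([start])
    while work:
        node = work.popleft()
        for succ in graph.get(node, ()):
            if succ not in seen:
                seen.add(succ)
                work.append(succ)
    return seen


def relevant_functions(mode, entry=ENTRY, target=TARGET):
    """Functions a pruning-based directed fuzzer keeps: those lying on some
    entry -> ... -> target path, i.e. forward-reachable from the entry and
    backward-reachable from the target in the resolved call graph."""
    graph = build_call_graph(mode)
    reverse = {f: set() for f in FUNCTIONS}
    for caller, callees in graph.items():
        for callee in callees:
            reverse[callee].add(caller)
    return reachable(graph, entry) & reachable(reverse, target)


def pruned_functions(mode):
    """Everything the fuzzer would refuse to explore under the given mode."""
    return set(FUNCTIONS) - relevant_functions(mode)


if __name__ == "__main__":
    for mode in ("none", "all", "signature"):
        print(f"{mode:>9}: keep={sorted(relevant_functions(mode))} "
              f"prune={sorted(pruned_functions(mode))}")
```

Running it shows the two failure modes the abstract contrasts. With indirect edges ignored ("none") the target is not on any entry-to-target path at all, so pruning would discard the very dispatch path the fuzzer needs. Linking every address-taken function ("all") restores reachability but also keeps dump_chunk, which can only be called through a void(struct chunk*) pointer that no call site uses. Signature matching keeps exactly main, run, decode_png and inflate_chunk without any dynamic analysis; its remaining imprecision (decode_bmp shares the decoder signature but is pruned only because it never reaches the target) is the price of a purely static heuristic.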