Traditional coverage-guided grey-box fuzzers perform a breadth-first search of the state space of the Program Under Test (PUT). This aimlessness wastes a great deal of computing resources. Directed grey-box fuzzing focuses on specific targets in the PUT and has become one of the most popular topics in software testing. Early termination of unreachable test cases is one method for improving directed grey-box fuzzing. However, existing solutions have two problems: firstly, reachability analysis requires additional technologies (e.g., static analysis); secondly, the performance of reachability analysis and its auxiliary technologies lacks generality. We propose FGo, a probabilistic exponential cut-the-loss directed grey-box fuzzer. FGo terminates unreachable test cases early with exponentially increasing probability. Compared to other techniques, FGo makes full use of the unreachability information already contained in the iCFG and adds no overhead from reachability analysis. Moreover, it generalizes easily to any PUT. This probability-based strategy is well adapted to the inherent randomness of fuzzing. Experimental results show that FGo is 106% faster than AFLGo in reproducing crashes. We compare multiple parameters of the probabilistic exponential cut-the-loss algorithm and analyze them in detail. In addition, to enhance the interpretability of FGo, this paper discusses the difference between the theoretical and practical performance of the probabilistic exponential cut-the-loss algorithm.
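The following is an added illustration of the mechanism the abstract describes; it is not code from the FGo paper or its implementation. It computes, once and offline from a constructed iCFG, the set of basic blocks from which the target is still reachable, and then aborts a simulated test case with a probability that grows exponentially with the number of blocks executed after the target has become unreachable. The iCFG, the block traces and the abort schedule 1 - base^k are assumptions made for this example; the paper's actual schedule and parameter values are not stated on this page.

```python
import random
from collections import deque

# Constructed interprocedural CFG (block -> successor blocks); not from the paper.
ICFG = {
    "main":     ["parse", "usage"],
    "usage":    ["exit"],
    "parse":    ["validate", "error"],
    "validate": ["process", "error"],
    "process":  ["target", "cleanup"],
    "target":   ["cleanup"],
    "error":    ["cleanup"],
    "cleanup":  ["exit"],
    "exit":     [],
}
TARGET = "target"


def blocks_that_reach(icfg, target):
    """Return the set of blocks from which `target` is reachable in the iCFG.
    Computed once by a reverse breadth-first search from the target, so no
    per-test-case reachability analysis is needed at run time."""
    preds = {block: [] for block in icfg}
    for block, succs in icfg.items():
        for succ in succs:
            preds[succ].append(block)
    reach = {target}
    queue = deque([target])
    while queue:
        block = queue.popleft()
        for pred in preds[block]:
            if pred not in reach:
                reach.add(pred)
                queue.append(pred)
    return reach


def abort_probability(k, base=0.5):
    """Assumed 'exponential cut-the-loss' schedule (an assumption of this
    example): after the k-th executed block from which the target can no
    longer be reached, abort with probability 1 - base**k
    (0.5, 0.75, 0.875, ... for base=0.5)."""
    return 1.0 - base ** k


def run_with_cut_the_loss(trace, can_reach, draw, base=0.5):
    """Simulate executing one test case whose block trace is `trace`.
    `draw()` returns a uniform value in [0, 1).
    Returns (blocks_executed, aborted, hit_target)."""
    executed = 0
    unreachable_steps = 0
    for block in trace:
        executed += 1
        if block == TARGET:
            return executed, False, True
        if block in can_reach:
            continue
        # Once execution is in a block that cannot reach the target, every later
        # block on this path is also unreachable, so the counter only grows.
        unreachable_steps += 1
        if draw() < abort_probability(unreachable_steps, base):
            return executed, True, False
    return executed, False, False


def expected_wasted_blocks(n_unreachable, base=0.5):
    """Expected number of unreachable blocks still executed before an abort,
    for a trace containing `n_unreachable` such blocks.  Block k is executed
    only if the first k-1 abort draws all failed:
    prod_{j<k} base**j = base**(k(k-1)/2)."""
    return sum(base ** (k * (k - 1) // 2) for k in range(1, n_unreachable + 1))


if __name__ == "__main__":
    can_reach = blocks_that_reach(ICFG, TARGET)
    rng = random.Random(7)  # fixed seed so the demo is repeatable
    # Constructed traces: one that hits the target, one that takes the
    # error path, one that prints usage and exits.
    corpus = [
        ["main", "parse", "validate", "process", "target", "cleanup", "exit"],
        ["main", "parse", "error", "cleanup", "exit"],
        ["main", "usage", "exit"],
    ]
    for trace in corpus:
        executed, aborted, hit = run_with_cut_the_loss(trace, can_reach, rng.random)
        print(f"{'->'.join(trace)}: executed {executed}/{len(trace)} "
              f"aborted={aborted} hit_target={hit}")
    print("expected unreachable blocks executed (n=4):", expected_wasted_blocks(4))
```

The reachability set is derived purely from the iCFG, which is the point the abstract makes about adding no analysis overhead per test case. The abort is a draw rather than an immediate kill; with the assumed base of 0.5, `expected_wasted_blocks` shows that a test case which has left the reachable region executes on average only about 1.64 further blocks before being cut off, while a test case that is on the way to the target is never interrupted.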