Traditional coverage-guided grey-box fuzzers perform a breadth-first search of the state space of the program under test (PUT). This aimlessness wastes a great deal of computing resources. Directed grey-box fuzzing focuses on a target in the PUT and has become one of the most active topics in software testing. Terminating unreachable test cases early is one way to improve directed grey-box fuzzing. However, existing solutions have two problems: first, reachability analysis requires additional techniques (e.g., static analysis); second, the performance of reachability analysis and of those auxiliary techniques lacks generality. We propose FGo, a directed grey-box fuzzer based on probabilistic exponential cut-the-loss. FGo terminates unreachable test cases early with exponentially increasing probability. Compared with other techniques, FGo makes full use of the unreachability information already contained in the inter-procedural control-flow graph (iCFG) and incurs no additional overhead from reachability analysis. Moreover, it generalizes easily to any PUT. This probability-based strategy is well suited to the randomness of fuzzing. Experimental results show that FGo reproduces crashes 106% faster than AFLGo. We compare multiple parameters of the probabilistic exponential cut-the-loss algorithm and analyze them in detail. In addition, to improve the interpretability of FGo, this paper discusses the difference between the theoretical and the practical performance of the probabilistic exponential cut-the-loss algorithm.
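The abstract only sketches the mechanism: mark the iCFG nodes from which the target cannot be reached, and once an execution enters that region, stop it with a probability that grows exponentially rather than immediately. The following is an added illustration written for this page, not FGo's code. The toy iCFG, the node names, the traces, and the schedule p0 * growth^(k-1) (capped at 1, k = consecutive target-unreachable blocks observed) are all my assumptions; the page gives neither the schedule nor its parameters. The unreachable set comes from a reverse BFS from the target, which is the one piece the abstract does pin down (no analysis beyond the iCFG itself).

```python
import random
from collections import deque
from typing import Dict, List, Optional, Sequence, Set

# Constructed toy inter-procedural control-flow graph: node -> successors.
# Node names ("function:block") are hypothetical; "decode:target" is the
# directed-fuzzing target. Edges cross function boundaries, as in an iCFG.
ICFG: Dict[str, List[str]] = {
    "main:entry": ["main:read", "main:usage"],
    "main:usage": ["main:exit"],
    "main:read": ["parse:entry"],
    "parse:entry": ["parse:hdr_ok", "parse:hdr_bad"],
    "parse:hdr_bad": ["main:exit"],
    "parse:hdr_ok": ["parse:loop"],
    "parse:loop": ["parse:loop", "parse:done", "decode:entry"],
    "decode:entry": ["decode:target", "parse:loop"],
    "decode:target": ["parse:loop"],
    "parse:done": ["cleanup:entry"],
    "cleanup:entry": ["cleanup:loop"],
    "cleanup:loop": ["cleanup:loop", "main:exit"],
    "main:exit": [],
}
TARGET = "decode:target"


def target_unreachable(icfg: Dict[str, List[str]], target: str) -> Set[str]:
    """Nodes from which `target` cannot be reached: reverse BFS from the target
    over predecessor edges, then take the complement. Only the iCFG is used."""
    preds: Dict[str, List[str]] = {n: [] for n in icfg}
    for node, succs in icfg.items():
        for s in succs:
            preds.setdefault(s, []).append(node)
    seen = {target}
    queue = deque([target])
    while queue:
        for p in preds.get(queue.popleft(), []):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return set(icfg) - seen


def cut_probability(k: int, p0: float = 0.05, growth: float = 2.0) -> float:
    """Probability of cutting after the k-th consecutive target-unreachable block.
    Assumed schedule: p0 * growth**(k-1), capped at 1 (p0 and growth are not
    values from the paper). Starting low hedges against an imprecise iCFG."""
    if k < 1:
        return 0.0
    return min(1.0, p0 * growth ** (k - 1))


def run_trace(trace: Sequence[str], unreachable: Set[str], rng: random.Random,
              p0: float = 0.05, growth: float = 2.0) -> Optional[int]:
    """Replay one execution block by block. Returns the trace index at which the
    execution was cut, or None if it ran to completion."""
    k = 0
    for i, block in enumerate(trace):
        if block in unreachable:
            k += 1
            if rng.random() < cut_probability(k, p0, growth):
                return i
        else:
            k = 0  # back in a region that can still reach the target
    return None


def mean_blocks_executed(trace: Sequence[str], unreachable: Set[str],
                         trials: int = 1000, p0: float = 0.05,
                         growth: float = 2.0, seed: int = 0) -> float:
    """Average number of blocks actually executed under the cut policy."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        cut = run_trace(trace, unreachable, rng, p0, growth)
        total += len(trace) if cut is None else cut + 1
    return total / trials


# Constructed traces. DEAD_TRACE leaves the loop without touching the target
# and then idles in cleanup; LIVE_TRACE actually hits the target.
DEAD_TRACE = ["main:entry", "main:read", "parse:entry", "parse:hdr_ok",
              "parse:loop", "parse:done", "cleanup:entry"] + ["cleanup:loop"] * 30 + ["main:exit"]
LIVE_TRACE = ["main:entry", "main:read", "parse:entry", "parse:hdr_ok",
              "parse:loop", "decode:entry", "decode:target"]

if __name__ == "__main__":
    dead = target_unreachable(ICFG, TARGET)
    print("target-unreachable nodes:", sorted(dead))
    print("blocks in dead trace:", len(DEAD_TRACE),
          "mean executed under cut policy:", mean_blocks_executed(DEAD_TRACE, dead))
    print("live trace cut index:", run_trace(LIVE_TRACE, dead, random.Random(1)))
```

With the assumed schedule the cut probabilities for consecutive dead blocks run 0.05, 0.1, 0.2, 0.4, 0.8, 1.0, so a dead execution is always stopped within six blocks of leaving the reachable region, while an execution that never enters that region is never touched. The same reverse BFS is what makes the approach cheap: it is a single pass over a graph a directed fuzzer already builds.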