JavaScript engines are widely used in web browsers, PDF readers, and server-side applications. The rise in concern over their security has led to the development of several targeted fuzzing techniques. However, existing approaches use random selection to determine where to perform mutations in JavaScript code. We postulate that the problem of selecting better mutation targets is suitable for combinatorial bandits with a volatile number of arms. Thus, we propose CLUTCH, a novel deep combinatorial bandit that can observe variable length JavaScript test case representations, using an attention mechanism from deep learning. Furthermore, using Concrete Dropout, CLUTCH can dynamically adapt its exploration. We show that CLUTCH increases efficiency in JavaScript fuzzing compared to three state-of-the-art solutions by increasing the number of valid test cases and coverage-per-testcase by, respectively, 20.3% and 8.9% on average. In volatile and combinatorial settings we show that CLUTCH outperforms state-of-the-art bandits, achieving at least 78.1% and 4.1% less regret in volatile and combinatorial settings, respectively.

翻译：JavaScript引擎广泛应用于网页浏览器、PDF阅读器和服务器端应用程序。对其安全性的日益关注催生了许多针对性模糊测试技术的发展。然而，现有方法通常采用随机选择来确定在JavaScript代码中进行变异的位置。我们认为，选择更优变异目标的问题适合用具有可变臂数的组合多臂赌博机框架来解决。为此，我们提出了CLUTCH，一种新型深度组合多臂赌博机，它能够观察可变长度的JavaScript测试用例表示，并利用深度学习中的注意力机制。此外，通过采用Concrete Dropout技术，CLUTCH能够动态调整其探索策略。实验表明，与三种前沿解决方案相比，CLUTCH显著提升了JavaScript模糊测试的效率：平均而言，有效测试用例数量和单测试用例覆盖率分别提高了20.3%和8.9%。在动态变化和组合设置下，CLUTCH的表现优于当前最先进的多臂赌博机方法，其遗憾值在动态变化和组合设置中分别至少降低了78.1%和4.1%。