Function relevance based fuzzing for coverage improvement

Abstract

Fuzzing has become popular as a software bug detection technique for its high bug detection ability (covering large execution space of a complex target program fast). Although semantic information of a target program can be useful to improve test coverage of fuzzing, still most fuzzers do not utilize valuable semantic information of a target program much. This is because obtaining such semantic information is technically difficult and/or costly (i.e., causing high runtime overhead). To resolve such limitation, this dissertation proposes FRIEND, which is the first fuzzer to use "dynamic function relevance'', which is a salient method to improve test coverage and crash bug detection ability cost-effectively. FRIEND identifies functions closely relevant to a target function $f_t$ containing a target branch $b_t$ and utilizes this information to select test inputs and input bytes to mutate. I found that the dynamic function relevance metric is simple and cheap to calculate and can improve fuzzing performance significantly. I have applied \tech to 4 LAVA-M benchmark programs and 10 popular real-world programs. The experiment results demonstrated that FRIEND covers significantly more execution paths and detects more crashes than other cutting-edge fuzzers (i.e., AFLFast, Angora, FairFuzz, and RedQueen).