Improved seed choosing strategy of directed grey-box fuzzing
Grey-box fuzzing is a highly effective technique for discovering vulnerabilities. The directed grey-box fuzzer AFLGo steers mutation towards a pre-set target code region and can explore bugs in that region very efficiently. However, in both its exploration phase and its exploitation phase, AFLGo still selects seeds from the seed pool with the original AFL algorithm, so the runtime information gathered while executing seeds is not used to optimise the order in which seeds are mutated, which limits AFLGo's performance. This paper proposes an improved seed selection algorithm for AFLGo in which the number of low-frequency branches a seed covers and the seed's distance to the target influence its priority, improving test performance in both phases, and implements it in an improved directed grey-box fuzzer, HyFuzz. Experiments on four common open-source programs show that HyFuzz increases coverage faster than AFLGo in the exploration phase and generates seeds closer to the target code region in the exploitation phase, making it a better directed grey-box fuzzer than AFLGo.
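As an added illustration (not the paper's HyFuzz implementation and not AFLGo's code), the Python sketch below shows one way to rank a seed pool by the two signals the abstract names: the number of low-frequency branches a seed covers and the seed's distance to the target, with the weighting shifted between an exploration phase and an exploitation phase. The seed names, branch ids and distances are constructed sample data; the weights, the "hit by at most `threshold` seeds" definition of a low-frequency branch, and the min-max normalisation are assumptions made for this example, since the page does not state the paper's exact formula.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Seed:
    """One queue entry: the edges it covers and its distance to the target.

    `distance` stands in for the per-seed target distance a directed fuzzer
    such as AFLGo computes from the control-flow graph; lower means closer.
    """
    name: str
    branches: FrozenSet[str]
    distance: float

def branch_frequency(seeds: List[Seed]) -> Counter:
    """Count, for every branch, how many seeds in the pool exercise it."""
    freq: Counter = Counter()
    for s in seeds:
        freq.update(s.branches)
    return freq

def low_frequency_count(seed: Seed, freq: Counter, threshold: int) -> int:
    """Number of branches of `seed` hit by at most `threshold` seeds.

    This "rare branch" definition is an assumption for the example; a real
    fuzzer would use execution-time hit counts rather than corpus counts.
    """
    return sum(1 for b in seed.branches if freq[b] <= threshold)

def priority(seed: Seed, freq: Counter, threshold: int, phase: str,
             max_lf: int, max_distance: float) -> float:
    """Blend rarity and closeness into one score; higher runs first.

    Exploration favours seeds that reach rarely-covered branches, which is
    where coverage is most likely to grow; exploitation favours seeds that
    are already close to the target region. Weights are illustrative.
    """
    rarity = low_frequency_count(seed, freq, threshold) / max(1, max_lf)
    closeness = 1.0 - seed.distance / max_distance if max_distance > 0 else 1.0
    if phase == "exploration":
        w_rarity, w_close = 0.8, 0.2
    elif phase == "exploitation":
        w_rarity, w_close = 0.2, 0.8
    else:
        raise ValueError(f"unknown phase: {phase}")
    return w_rarity * rarity + w_close * closeness

def rank_seeds(seeds: List[Seed], phase: str, threshold: int = 1) -> List[str]:
    """Return seed names in the order the scheduler would pick them."""
    freq = branch_frequency(seeds)
    max_lf = max(low_frequency_count(s, freq, threshold) for s in seeds)
    max_distance = max(s.distance for s in seeds)
    scores: Dict[str, float] = {
        s.name: priority(s, freq, threshold, phase, max_lf, max_distance)
        for s in seeds
    }
    # Ties are broken by name so the ordering is deterministic.
    return sorted(scores, key=lambda n: (-scores[n], n))

# Constructed sample pool: four seeds, six branch ids, made-up distances.
SEEDS = [
    Seed("s_a", frozenset({"b1", "b2", "b3"}), distance=30.0),
    Seed("s_b", frozenset({"b1", "b4"}), distance=10.0),          # b4 is rare
    Seed("s_c", frozenset({"b1", "b2", "b5", "b6"}), distance=50.0),  # b5, b6 rare
    Seed("s_d", frozenset({"b1", "b2", "b3"}), distance=5.0),     # closest to target
]

if __name__ == "__main__":
    for phase in ("exploration", "exploitation"):
        print(phase, "->", rank_seeds(SEEDS, phase))
```

Run stand-alone, the sketch prints the exploration order first (the seed covering two rare branches goes to the front even though it is farthest from the target) and then the exploitation order (the close seeds move ahead, with the one that also covers a rare branch ranked first). The point a practitioner should take from it is that the same pool yields a different mutation order depending on which signal the phase weights, which is exactly the gap the abstract attributes to reusing AFL's phase-agnostic selection.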
杨俊、余坤龙
Computing technology, computer technology
Information security; Directed grey-box fuzzing; Low-frequency branch; Vulnerability mining
杨俊, 余坤龙. Improved seed choosing strategy of directed grey-box fuzzing [EB/OL]. (2022-01-26) [2025-08-23]. http://www.paper.edu.cn/releasepaper/content/202201-104.