TOFU: Target-Oriented FUzzer
TOFU addresses the need for efficient bug and vulnerability detection in software testing by enabling targeted exploration of specific program points, an incremental advance over existing directed fuzzers.
The paper tackles the directed fuzzing problem with TOFU, a target-oriented fuzzer that biases its search using a distance metric and input-structure awareness; on xmllint it runs 28% faster than AFLGo and reaches 45% more targets.
Program fuzzing, that is, providing randomly constructed inputs to a computer program, has proved to be a powerful way to uncover bugs, find security vulnerabilities, and generate test inputs that increase code coverage. In many applications, however, one is interested in a target-oriented approach: one wants to find an input that causes the program to reach a specific target point in the program. We have created TOFU (for Target-Oriented FUzzer) to address the directed fuzzing problem. TOFU's search is biased according to a distance metric that scores each input according to how close the input's execution trace gets to the target locations. TOFU is also input-structure aware (i.e., the search makes use of a specification of a superset of the program's allowed inputs). Our experiments on xmllint show that TOFU is 28% faster than AFLGo, while reaching 45% more targets. Moreover, both distance-guided search and exploitation of knowledge of the input structure contribute significantly to TOFU's performance.
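As an added illustration of the two mechanisms the abstract names (not TOFU's own code, metric or data), the following Python toy computes a control-flow-graph distance from every basic block to a chosen target, scores each input by the smallest such distance along its execution trace, schedules the closest seeds first, and compares a structure-blind byte mutator against a grammar-level mutator that draws from a superset of the program's well-formed inputs. The parser under test, its CFG, the target block, the grammar and the scoring rule are all hypothetical stand-ins chosen for the demonstration.

```python
"""Toy directed fuzzer illustrating the two ideas in the TOFU abstract: distance-guided seed
selection and input-structure-aware mutation. Parser, CFG, metric and grammar are hypothetical."""
import random
import re
from collections import deque

# Hypothetical control-flow graph of toy_parser(): block -> successor blocks.
CFG = {"entry": ["not_xml", "tag"], "not_xml": ["exit"], "tag": ["attr", "no_attr"],
       "no_attr": ["exit"], "attr": ["value"], "value": ["plain_value", "entity"],
       "plain_value": ["attr", "exit"], "entity": ["attr", "exit"], "exit": []}
ATTR_RE = re.compile(r'\s+([A-Za-z]+)="([^"]*)"')
ELEM_RE = re.compile(r'<([A-Za-z]+)((?:\s+[A-Za-z]+="[^"]*")*)')

def toy_parser(data):
    """Stand-in program under test: parses '<tag a="v" ...>' and returns the blocks it executed."""
    trace = ["entry"]
    m = re.match(r"<([A-Za-z]+)", data)
    if not m:
        return trace + ["not_xml", "exit"]
    trace.append("tag")
    pos = m.end()
    while a := ATTR_RE.match(data, pos):
        pos = a.end()
        # "entity" (the target) executes only when an attribute value holds a raw '&'
        trace += ["attr", "value", "entity" if "&" in a.group(2) else "plain_value"]
    if "attr" not in trace:
        trace.append("no_attr")
    return trace + ["exit"]

def block_distances(cfg, target):
    """Shortest path (in CFG edges) from each block to the target; inf if it cannot reach it."""
    preds = {b: [p for p, succs in cfg.items() if b in succs] for b in cfg}
    dist = {b: float("inf") for b in cfg}
    dist[target] = 0
    queue = deque([target])
    while queue:                      # BFS backwards over predecessor edges
        b = queue.popleft()
        for p in preds[b]:
            if dist[p] == float("inf"):
                dist[p] = dist[b] + 1
                queue.append(p)
    return dist

DIST = block_distances(CFG, "entity")

def input_distance(data):
    """Score of an input: the closest its execution trace gets to the target (0 = reached)."""
    return min(DIST[b] for b in toy_parser(data))

PRINTABLE = [chr(c) for c in range(32, 127)]
NAMES = ["doc", "item", "id", "href"]
VALUES = ["x", "1", "", "a&b", "&amp;"]  # superset of valid values: a raw '&' is not well-formed XML

def mutate_bytes(rng, parent):
    """Structure-blind mutation: insert or overwrite one printable character."""
    s = list(parent)
    if not s or rng.random() < 0.5:
        s.insert(rng.randint(0, len(s)), rng.choice(PRINTABLE))
    else:
        s[rng.randrange(len(s))] = rng.choice(PRINTABLE)
    return "".join(s)

def mutate_structured(rng, parent):
    """Structure-aware mutation: edit the parent at the grammar level (tag and attribute tokens)."""
    m = ELEM_RE.match(parent)
    tag = m.group(1) if m else rng.choice(NAMES)
    attrs = ATTR_RE.findall(m.group(2)) if m else []
    op = rng.choice(["add", "replace", "drop"])
    if op == "add" or not attrs:
        attrs.append((rng.choice(NAMES), rng.choice(VALUES)))
    elif op == "replace":
        i = rng.randrange(len(attrs))
        attrs[i] = (attrs[i][0], rng.choice(VALUES))
    else:
        attrs.pop(rng.randrange(len(attrs)))
    return f"<{tag}" + "".join(f' {n}="{v}"' for n, v in attrs) + f">text</{tag}>"

def directed_fuzz(mutate, rng, budget=500):
    """Distance-guided loop: the seed closest to the target is mutated most often.
    Returns the iteration at which the target block first executed, or None."""
    corpus = [(input_distance(""), "")]
    for it in range(1, budget + 1):
        corpus.sort(key=lambda e: e[0])
        del corpus[16:]                              # keep only the 16 closest seeds
        parent = corpus[0][1] if rng.random() < 0.7 else rng.choice(corpus)[1]
        child = mutate(rng, parent)
        d = input_distance(child)
        if d == 0:
            return it
        if d <= corpus[0][0]:                       # keep children at least as close as the best seed
            corpus.append((d, child))
    return None

def compare(seed=1, budget=500):
    """Run both mutators with the same seed and budget; returns (structured, byte_level) iterations."""
    return (directed_fuzz(mutate_structured, random.Random(seed), budget),
            directed_fuzz(mutate_bytes, random.Random(seed), budget))
```

Running `compare()` shows the grammar-level mutator reaching the target within a handful of iterations while the byte-level mutator, even with the same distance guidance, typically exhausts its budget: without partial credit for a half-formed attribute, byte flips get no gradient toward the target. Real tools measure distance on the instrumented binary's CFG and call graph rather than a hand-written dictionary, and TOFU's actual metric and input specification are not reproduced here.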