SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing
This work addresses the challenge of program-agnostic optimization in fuzzing for software security researchers and developers, offering an incremental improvement by enhancing existing fuzzers like AFL++.
The paper tackles the problem of optimizing mutation-based fuzzing for vulnerability discovery by proposing SLOPT, a framework that integrates bandit-friendly mutation schemes and mutation-scheme-friendly bandit algorithms, resulting in higher code coverage than AFL++ in all ten FuzzBench programs and identifying three previously unknown vulnerabilities in OSS-Fuzz programs.
Mutation-based fuzzing has become one of the most common vulnerability discovery solutions over the last decade. Fuzzing can be optimized when targeting specific programs, and given that, some studies have employed online optimization methods to do it automatically, i.e., tuning fuzzers for any given program in a program-agnostic manner. However, previous studies have neither fully explored mutation schemes suitable for online optimization methods, nor online optimization methods suitable for mutation schemes. In this study, we propose an optimization framework called SLOPT that encompasses both a bandit-friendly mutation scheme and mutation-scheme-friendly bandit algorithms. The advantage of SLOPT is that it can generally be incorporated into existing fuzzers, such as AFL and Honggfuzz. As a proof of concept, we implemented SLOPT-AFL++ by integrating SLOPT into AFL++ and showed that the program-agnostic optimization delivered by SLOPT enabled SLOPT-AFL++ to achieve higher code coverage than AFL++ in all of ten real-world FuzzBench programs. Moreover, we ran SLOPT-AFL++ against several real-world programs from OSS-Fuzz and successfully identified three previously unknown vulnerabilities, even though these programs have been fuzzed by AFL++ for a considerable number of CPU days on OSS-Fuzz.