MOT-Fuzz: A Novel Directed Greybox Fuzzing with Multiple Ordered Target Basic Blocks for Multistep Vulnerabilities
摘要
Existing directed greybox fuzzers have difficulty in discovering vulnerabilities such as use-after-free that require sequential arrival at multiple target basic blocks in order to be triggered, which we refer to as Multistep Vulnerabilities. On the one hand, it is because they seldom consider the sequential relationship between target basic blocks, leading to inefficient power scheduling. On the other hand, it is because the seed mutation usually takes a random and blind approach, leading to low quality of the generated test cases. In this paper, we introduce a novel Directed Greybox Fuzzing with Multiple Ordered Target Basic Blocks for Multistep Vulnerabilities (MOT-Fuzz). First, we design a multi-indicators power scheduling method to comprehensively consider multiple indicators such as sequence coverage and distance to allocate seed power. Then, we propose a seed mutation technique based on a multi-armed bandit to adaptively select the most favorable mutation operation and mutation location. We implement MOT-Fuzz based on AFLGo, and experimentally compare it with existing classic fuzzers to demonstrate its performance in exposing multi-target crashes.