Semantic Sensitive Coverage-based Fuzzing

JUN LI, CHAO ZHANG

Abstract

Coverage-based fuzzing is widely used to find program bugs. However, state-of-the-art coverage-based fuzzers either ignore the differences between newly discovered edges or consider only control-flow features (e.g., depth) when prioritizing seeds for mutation. In this paper, we propose a semantic sensitive coverage-based fuzzing solution, SSFuzzer. When new edges are discovered during fuzzing, it evaluates the semantic features of the new edges and updates the weights of the corresponding testcases. Seeds with heavier weights are picked for mutation first and are given more energy (i.e., more testcases are generated from them). We evaluate not only positive semantic features of edges (e.g., memory access) but also negative ones (e.g., error handling). We implemented a prototype based on AFL. Experimental results demonstrate that SSFuzzer discovers vulnerabilities faster.
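The abstract describes the scheduling policy only in outline: new edges carry semantic features, those features adjust seed weights, and heavier seeds are mutated first with more energy. The following Python is an added illustration of that policy and is not SSFuzzer's code. The paper does not publish its feature scores, weight update or energy formula, so `FEATURE_SCORES`, `MIN_WEIGHT`, `BASE_ENERGY` and the linear weight/energy rules below are assumptions chosen to make the mechanism concrete; the seed names and edge labels are constructed sample input.

```python
"""Semantic-weighted seed scheduling, in the spirit of SSFuzzer's abstract.

Added example, not the paper's implementation.  The scoring table, the
weight update and the energy formula are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed score per semantic feature of a newly discovered edge.  Positive
# features (e.g. memory access) make a seed more valuable; negative ones
# (e.g. error handling) make it less so.  Values are invented for this example.
FEATURE_SCORES: Dict[str, int] = {
    "memory_access": 3,
    "call": 1,
    "plain": 0,
    "error_handling": -2,
}
MIN_WEIGHT = 1    # floor so a seed that only reached error handlers is not starved
BASE_ENERGY = 16  # assumed number of mutations per unit of weight


@dataclass
class Seed:
    name: str
    # Semantic feature labels of the edges this seed was the first to cover.
    new_edges: List[str] = field(default_factory=list)
    weight: int = MIN_WEIGHT


def semantic_weight(edge_features: List[str]) -> int:
    """Weight = base 1 plus the summed feature scores, clamped at MIN_WEIGHT.

    Unknown feature labels score 0, so an unclassified edge behaves like a
    plain control-flow edge rather than silently boosting or penalising a seed.
    """
    score = 1 + sum(FEATURE_SCORES.get(f, 0) for f in edge_features)
    return max(MIN_WEIGHT, score)


def record_new_edges(seed: Seed, features: List[str]) -> int:
    """Called when a mutation of `seed` discovers new edges.

    Stores the edges' semantic features on the seed and recomputes its weight.
    Returns the updated weight.
    """
    seed.new_edges.extend(features)
    seed.weight = semantic_weight(seed.new_edges)
    return seed.weight


def schedule(seeds: List[Seed]) -> List[Seed]:
    """Heavier seeds are mutated first; ties keep queue order (stable sort)."""
    return sorted(seeds, key=lambda s: s.weight, reverse=True)


def energy(seed: Seed) -> int:
    """Assumed linear energy rule: more weight, more testcases generated."""
    return BASE_ENERGY * seed.weight


def demo() -> Tuple[List[str], Dict[str, int]]:
    """Constructed sample queue: three seeds with different kinds of new edges."""
    queue = [Seed("a"), Seed("b"), Seed("c")]
    record_new_edges(queue[0], ["memory_access", "memory_access", "plain"])  # 1 + 3 + 3 + 0 = 7
    record_new_edges(queue[1], ["error_handling", "error_handling"])         # 1 - 2 - 2 -> clamped to 1
    record_new_edges(queue[2], ["call", "plain"])                            # 1 + 1 + 0 = 2
    order = [s.name for s in schedule(queue)]
    budget = {s.name: energy(s) for s in queue}
    return order, budget


if __name__ == "__main__":
    print(demo())
```

Two points in the design are worth noting for anyone reproducing the idea. First, negative features must not drive a weight to zero: a seed whose only new edges are error handlers is the least interesting, but it still covers code nobody else does, so `MIN_WEIGHT` keeps it in rotation. Second, weights are recomputed from the seed's accumulated edge features rather than incremented blindly, which keeps the ordering deterministic and easy to audit when a fuzzing run behaves unexpectedly.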

Keywords

Fuzzing, Coverage-based, Semantic sensitive, Software security.


DOI
10.12783/dtcse/cimns2017/17417
