Abstract

Grouping works only if it lowers the round-robin divisor, but safe grouping is hard because targets often compete and degrade each other’s search efficiency. Redirecting all group energy to already-covered targets, using a find-and-prune strategy, helps resolve this contention.

본문

We aim to extend a single-target directed fuzzer to support multiple targets simultaneously. Our baseline implementation uses a round-robin scheduler that divides time equally among targets, but with large number of targets, each gets too little attention. To reduce the divisor, we attempt grouping, but only when it avoids intra-group inefficiency.

Targets interfere when their guidance does not help each other. One indicator is when their semantic slices do not overlap, meaning targets are on divergent paths. Even with overlap, grouping slices of different sizes can be inefficient, since smaller slices often provide more focused guidance, and merging it harms its usefulness. Moreover, targets with similar slices may still differ in how inputs evolve toward them, for example, if their call-graph paths diverge. These issues make safe grouping rare, causing most combinations to collapse to atomic scheduling.

To preserve the gains of grouping, we tolerate limited contention but control energy dynamically. We group by slice or call-graph similarity to assure similar guidance, and reassign energy within a group to seeds that reach any target locations. This rewards easy-to-reach targets, which can be a guiding light to all targets in the group. Additionally, timely pruning of reached targets is required to avoid overinvestment and to increase energy for remaining members. Currently pruning when the crash reproduction for the location completes is one idea.

In short, effective grouping tolerates minor interference by dynamic control, like rewarding early progress. Other ideas in mind are to weigh on small-slice targets (under the intuition that such have more focused guidance), or to keep slices separate and simply divide group-rationed time evenly.