Implementation on AFL++ has cons too
[essay] 2 min read
Abstract
AFL++, a continuously updated version of , suffers performance loss in some cases. That loss is inherited by the directed-fuzzing implementations forked from it, too. We, as directed fuzzing researchers, cannot keep tuning against such losses forever; it is better to focus on robust ideas outside the runtime logic.
Body
AFL++ is a fork of with continual updates to scalability and efficiency. Notably, its LTO (link-time optimization) mode enumerates all edges in the whole-program CFG, so the shared coverage map can be sized dynamically to fit the instrumentation. This improves coverage accuracy and execution speed.
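As an added illustration (a constructed simulation written for this essay, not AFL++'s own instrumentation code), the following Python compares classic AFL edge hashing, where each basic block gets a random compile-time id and an edge lands in slot `cur ^ (prev >> 1)` of a fixed 64 KiB map, with LTO-style enumeration, where every CFG edge gets a unique sequential id and the map is sized to the edge count. The CFG and block ids are randomly constructed; `n_blocks`, `n_edges` and `seed` are assumed parameters.

```python
import random

MAP_SIZE = 1 << 16  # classic AFL shared map: 65536 one-byte hit counters


def classic_index(block_ids, prev, cur, map_size=MAP_SIZE):
    # Classic AFL: each block gets a random id at compile time and an edge's
    # slot is cur_id ^ (prev_id >> 1); two distinct edges can share one slot.
    return (block_ids[cur] ^ (block_ids[prev] >> 1)) % map_size


def lto_index(edge_ids, prev, cur):
    # LTO mode: every edge of the whole-program CFG is enumerated at link
    # time, so the slot is a unique id and the map is sized to the edge count.
    return edge_ids[(prev, cur)]


def build_cfg(n_blocks, n_edges, seed):
    # Constructed CFG: n_edges distinct random (prev, cur) edges over n_blocks
    # blocks, plus the random block ids classic instrumentation would assign.
    rng = random.Random(seed)
    edges = set()
    while len(edges) < n_edges:
        edges.add((rng.randrange(n_blocks), rng.randrange(n_blocks)))
    block_ids = [rng.randrange(MAP_SIZE) for _ in range(n_blocks)]
    edge_ids = {e: i for i, e in enumerate(sorted(edges))}
    return sorted(edges), block_ids, edge_ids


def distinct_slots(edges, index_fn):
    # Map slots that would light up if every edge executed once; a value
    # below len(edges) means some edges are indistinguishable to the fuzzer.
    return len({index_fn(prev, cur) for prev, cur in edges})


def compare(n_blocks=4000, n_edges=30000, seed=1):
    edges, block_ids, edge_ids = build_cfg(n_blocks, n_edges, seed)
    classic = distinct_slots(edges, lambda p, c: classic_index(block_ids, p, c))
    lto = distinct_slots(edges, lambda p, c: lto_index(edge_ids, p, c))
    return {"edges": len(edges), "classic_slots": classic,
            "lto_slots": lto, "lto_map_size": len(edge_ids)}


if __name__ == "__main__":
    print(compare())
```

With the defaults, the classic scheme records noticeably fewer distinct slots than there are edges, while the LTO scheme records exactly one slot per edge in a map only as large as the edge count.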
However, these features are not always additive. For example, AFL++ v4.05 fails to trigger known stack overflows in cxxfilt and nm, while variants and AFL++ v4.31 succeed. On the other hand, v4.31 underperforms v4.05 on MP4Box.
This suggests AFL++ can underperform due to unpredictable internal interactions.
Directed fuzzers implemented on AFL++, like and , inherit such side effects. The on AFL++ even reports bugs more slowly than on , especially stack overflow bugs. AFL++ aims at higher coverage, hence on AFL++ also achieves higher coverage, but that pull distorts the direction toward reproducing the target bug.
The variant on even reports more bugs, and faster, than on AFL++, especially stack overflow bugs. fail to reproduce their target bugs.
Strictly speaking, AFL++’s richness can interfere with directed fuzzing’s orthogonal strategies. Directed fuzzing often relies on reducing feedback and limiting mutation, while AFL++ mixes in heuristics, power schedules, and complex queue culling that can conflict with the added logic. Even minor changes risk cutting effectiveness. Thus, implementing atop AFL++ requires care not to disrupt its core design too much.
This complexity reflects that an improvement may simply be a sign of optimization to one configuration. A method that excels in isolation may fail when composed with others. For a technique to provide stable benefits across diverse fuzzers, we should focus on simple yet robust ideas, such as our novel target grouping, which will integrate cleanly into fuzzers without distorting their dynamics.
Each fuzzer claims to be the champion, but none of them is.