AlphaFuzz: Evolutionary Mutation-based Fuzzing as Monte Carlo Tree Search

Fuzzing is becoming more and more popular in the field of vulnerability detection. In the process of fuzzing, the seed selection strategy plays an important role in guiding the direction in which the fuzzing evolves. However, state-of-the-art fuzzers only focus on individual uncertainty, neglecting the multi-factor uncertainty caused by both randomization and evolution. In this paper, we consider seed selection in fuzzing as a large-scale online planning problem under uncertainty. We propose AlphaFuzz, a new intelligent seed selection strategy. In AlphaFuzz, we leverage the MCTS algorithm to deal with the effects of the uncertainty of randomization and evolution in fuzzing. In particular, we analyze the role of the evolutionary relationship between seeds in the process of fuzzing, and propose a new tree policy and a new default policy to make the MCTS algorithm adapt better to fuzzing. We compared AlphaFuzz with four state-of-the-art fuzzers on 12 real-world applications and the LAVA-M data set. The experimental results show that AlphaFuzz finds more bugs on LAVA-M and outperforms the other tools in terms of code coverage and number of bugs discovered in the real-world applications. In addition, we tested the compatibility of AlphaFuzz, and the results showed that AlphaFuzz could improve the performance of existing tools such as MOPT and QSYM.

*Corresponding author: leizhao@whu.edu.cn
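To make the "seed selection as MCTS over the evolutionary seed tree" idea concrete, here is an added example that is not AlphaFuzz's code: seeds form a tree whose children are mutants that found new coverage, a UCT tree policy picks which seed to fuzz (the paper's own tree and default policies are not given on this page, so plain UCT and a one-byte mutator are assumptions), and new-edge rewards are backpropagated along the evolutionary chain. The coverage oracle is a constructed toy target with staged magic-byte checks.

```python
import math
import random

# Toy target, constructed for this example: each matched byte of MAGIC is a separate edge.
MAGIC = b"FUZZ"
def coverage_oracle(data):
    """Edges the toy target hits on `data`: 'entry', then magic0.. while the prefix matches."""
    matched = next((i for i in range(len(MAGIC)) if data[:i + 1] != MAGIC[:i + 1]), len(MAGIC))
    return {"entry"} | {f"magic{i}" for i in range(matched)}

class SeedNode:
    """A seed in the evolutionary tree; children are mutants of it that found new coverage."""
    def __init__(self, data, parent=None):
        self.data, self.parent, self.children = data, parent, []
        self.visits = self.own_visits = 0      # subtree visits / times this seed itself was fuzzed
        self.reward = self.own_reward = 0.0    # new-coverage reward accumulated (subtree / own)

def uct(parent_visits, visits, reward, c=1.4):
    return math.inf if visits == 0 else reward / visits + c * math.sqrt(math.log(parent_visits) / visits)

def select_seed(node):
    """Tree policy (assumed plain UCT, not the paper's): 'fuzz this seed again' competes with its children."""
    while True:
        options = [(uct(node.visits, node.own_visits, node.own_reward), node)]
        options += [(uct(node.visits, ch.visits, ch.reward), ch) for ch in node.children]
        best = max(options, key=lambda t: t[0])[1]  # first maximum wins, so ties are deterministic
        if best is node:
            return node
        node = best

def mutate(data, rng):
    """Default policy (constructed toy mutator): overwrite one byte with one from a small alphabet."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.choice(b"FUZZ_AB")
    return bytes(buf)

def run_campaign(rounds, seed=0, initial=b"AAAA"):
    """MCTS loop: select a seed, mutate it once, reward new coverage, backpropagate up the tree."""
    rng, root, seen = random.Random(seed), SeedNode(initial), coverage_oracle(initial)
    for _ in range(rounds):
        node = select_seed(root)
        child = mutate(node.data, rng)
        new = coverage_oracle(child) - seen
        reward = 1.0 if new else 0.0
        if new:                                  # only inputs that found new edges become seeds
            seen |= new
            node.children.append(SeedNode(child, node))
        node.own_visits, node.own_reward = node.own_visits + 1, node.own_reward + reward
        while node is not None:                  # backpropagate along the evolutionary chain
            node.visits, node.reward, node = node.visits + 1, node.reward + reward, node.parent
    return root, seen
```

Each round is one MCTS iteration: selection walks the evolutionary tree, the single mutation plays the role of the default policy, and the reward is whether the mutant reached an edge the campaign had not seen.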
