RegFuzz: A Linear Regression-Based Approach for Seed Scheduling in Directed Fuzzing

Abstract

Directed fuzzing aims to focus on fuzzing specific locations within a target program to enhance the efficiency of vulnerability discovery. However, directed fuzzing may yield fewer vulnerabilities and obtain lower code coverage when the specified locations have little to no vulnerabilities. Additionally, the existing directed fuzzing approaches often overlook the differences in variable values when calculating distances between seeds and specific locations. In order to address these issues, this paper introduces RegFuzz, a method that improves seed scheduling in directed fuzzing. RegFuzz utilizes a linear regression model to predict the effectiveness of a seed and allocates more fuzzing opportunities to efficient seeds. Specifically, first, RegFuzz defines several labels with the corresponding trainable weights for each seed. These labels encompass seed coverage, crash efficiency, seed distance, and more. In the calculation of seed distance, RegFuzz takes into account not only the basic block distance but also the variable distance contained within those basic blocks. Second, the linear regression model continually optimizes the label weights during fuzzing, and these optimized weights are employed to predict the effectiveness of seeds. In comparison with AFLGo, AFL, and AFL++, RegFuzz demonstrates higher code coverage and a more efficient bug-finding capability across seven real-world open-source programs.