SpotFuzz: Fuzzing Based on Program Hot-Spots
AFL is the most widely used coverage-guided fuzzer, which relies on rough execution information to assign seeds energy, which can lead to waste. We track the program executed by AFL and discover that the hit counts of each edge might vary greatly when using different seeds as inputs. Some seeds, which are continuously given too much energy, experience very high hit counts of several edges without new crashes or edges being explored, which results in invalid execution and waste of performance. We also define time-consuming edges and discover that they only occupy a small part of the program. In this paper, we define invalid execution edges and time-consuming edges as hot-spots and propose a fuzzing solution SpotFuzz to solve energy waste caused by the above hot-spot phenomenon. It allocates seeds with more hot-spots during execution and uses less energy to reduce energy waste. Moreover, it preferentially selects seeds with less time-consuming edges as test cases, allowing for more edges to be explored in a limited time. We implement an SpotFuzz prototype based on AFL and test it on several real programs for 600 CPU days. The experimental results show that minimizing the invalid and time-consuming execution of edges can improve the fuzzing efficiency. On average, SpotFuzz could find 42.96% more unique crashes and 14.25% more edges than AFL on GNU Binutils and tcpdump.