EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit
Tai Yue Pengfei Wang Yong Tang Enze Wang
Bo Yu Kai Lu Xu Zhou
National University of Defense Technology
Email: [email protected]
EcoFuzz: https://github.com/MoonLight-SteinsGate/EcoFuzz

Coverage-based Greybox Fuzzing
• Effective approach for identifying vulnerabilities
• American Fuzzy Lop (AFL)
Mutation operator (MOPT, FairFuzz)
Initial seeds (Skyfire)
The bugs found by AFL

Motivation
• Shortcomings in the schedule algorithm
  • Assigns too much energy to seeds exercising high-frequency paths
  • Simple selection strategy
• Few works focus on this
  • AFLFast
• Limitation of the current model

Motivation
• Proposing a new model
• Improving the schedule algorithm
  • Search strategy: selecting which seed
  • Power schedule: assigning how much energy

Contributions
• One model: a variant of the Adversarial Multi-Armed Bandit (VAMAB)
• One tool: an adaptive energy-saving fuzzer named EcoFuzz
• Comprehensive evaluation: a series of experiments across different metrics

Classical Multi-Armed Bandit
• Constant number of arms
• Reward
• Reward probability
  • constant and unknown
• Target
  • maximizing the rewards in finite trials
[Figure: arms Arm-1, Arm-2, Arm-3, …, Arm-n with rewards $R_1$, $R_2$, $R_3$, …, $R_n$]

Classical Multi-Armed Bandit
CGF
• Seeds
• Finding a new path
• Maximize path coverage
• The number of seeds is variable
• The probability of finding new paths is decreasing
Classical MAB
• Arms
• Reward
• Maximize the rewards
• The number of arms is constant
• The reward probability is constant

A Variant of the Adversarial Multi-Armed Bandit (VAMAB)
VAMAB
• Arms (seeds)
• Reward (finding a new path)
• Maximize the rewards (path coverage) in finite trials
• The number of arms is variable (increasing), with an upper bound of $n_p$
• The reward probability, which is the probability of finding new paths, is variable (decreasing)
Total paths: $n_p$
Transition probability $p_{ij}$: the probability of mutating the seed $i$ to generate a test case executing the path $j$.
[Figure: Seed-1, Seed-2, Seed-3, …, Seed-n with reward probabilities $PR_{1,n}$, $PR_{2,n}$, $PR_{3,n}$, …, $PR_{n,n}$]
$$PR_{i,n} = \sum_{j=n+1}^{n_p} p_{ij} = 1 - \sum_{j=1}^{n} p_{ij}$$
Probability attenuation:
$$PR_{i,n} > PR_{i,n+1} > \dots > PR_{i,n_p} = 0$$

A Variant of the Adversarial Multi-Armed Bandit (VAMAB)
Exploration
• Estimate their reward probabilities
• Focusing on exploring new seeds:
  Assigning less energy to the old seeds with high reward probabilities
Exploitation
• Select the seed with a high reward probability
• Focusing on exploiting old seeds:
  Missing some new seeds with higher reward probabilities
[Figure: seeds Seed-1 … Seed-n; fuzzed seeds are labelled with $PR_{1,n}$, $PR_{2,n}$, $PR_{3,n}$, the others with "?"]
[Figure: finding a new path adds Seed-(n+1); the labels become $PR_{1,n+1}$, $PR_{2,n+1}$, $PR_{3,n+1}$, and the new seed is labelled "?"]

Three States in CGF
• Initial state: all seeds are unfuzzed
• Exploration state: part of the seeds in the seed queue are fuzzed
• Exploitation state: all seeds in the seed queue have been fuzzed

How to Maximize Coverage
Search Strategy
• Estimating the reward probability
• Selecting the seeds with high reward probabilities
Power Schedule
• Avoiding assigning too much energy to some seeds

EcoFuzz
• Main Framework
  • Based on AFL
  • Search strategy: Self-transition-based Probability Estimation Method (SPEM)
  • Power schedule: Adaptive Average-cost-based Power Schedule (AAPS)
  • Three states of VAMAB
[Figure: EcoFuzz workflow, with the labels Initial Seed, Seed Queue, Seed, Mutation (Random Stage), Test cases, Find new path, State Determine (Initial, Exploration, Exploitation), Choose next seed in order, Choose next seed by SPEM, Assign energy by AAPS]
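
Self-transition-based Probability Estimation Method (SPEM)
• Search strategy
  • estimate the reward probabilities
  • select the next seed in exploitation state
• Estimating probability by frequency
$$PR_{i,n} = 1 - \sum_{j=1}^{n} p_{ij} = 1 - p_{ii} - \sum_{j=1, j \neq i}^{n} p_{ij}$$
$$p_{ii} \approx f_{ii}$$
$$PR_{i,n} = 1 - \sum_{j=1}^{n} p_{ij} \approx 1 - f_{ii} - \sum_{j=1, j \neq i}^{n} p_{ij}$$
$$f_{ii} + \sum_{j=1, j \neq i}^{n} p_{ij} \approx \frac{f_{ii}}{i}$$
$$PR_{i,n} = 1 - \sum_{j=1}^{n} p_{ij} \approx 1 - \frac{f_{ii}}{i}$$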
• Average-cost
$C = \dfrac{\text{total\_testcases}}{\text{found\_paths}}$
• Utilize average-cost as the baseline
Allocating energy no more than average-cost in the exploration stage
Less energy allocated on seeds exercising high-frequency paths
A context-adaptive energy allocation mechanism
Adaptive Average-cost-based Power Schedule (AAPS)
![Page 57: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/57.jpg)
Contributions
• One model: a variant of the Adversarial Multi-Armed Bandit (VAMAB)
• One tool: an adaptive energy-saving fuzzer named EcoFuzz
• Comprehensive evaluation: a series of experiments across different metrics
![Page 58: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/58.jpg)
• 14 real-world programs
• Compared with 7 state-of-the-art tools
AFL, AFLFast, FidgetyAFL, AFLFast.new, MOPT, FairFuzz
• Configuration:
24-hour runs, repeated 5 times
• Evaluation metric:
The number of discovered paths
The number of generated test cases
Average-cost
Evaluation
![Page 62: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/62.jpg)
Evaluation
![Page 63: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/63.jpg)
• Outperforms other AFL-type techniques
EcoFuzz finds 214% of the paths discovered by AFL while generating only 68% of AFL's test cases, reducing AFL's average-cost by 65%
Evaluation
![Page 64: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/64.jpg)
• Evaluate the efficiency of SPEM and AAPS
• Configuration:
choosing the best performance of each of EcoFuzz, FidgetyAFL, FairFuzz, and AFLFast.new on fuzzing nm
recording the energy allocated in random strategies in each turn, denoted as $E_i$, where $i$ ($1 \le i \le N$) is the order of the turn
recording the energy consumed in discovering the newest path in each turn, denoted as $e_i$, $0 \le e_i \le E_i$
recording the frequency of allocation with finding new paths for the seeds chosen repeatedly in the exploitation stage
Evaluation
![Page 69: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/69.jpg)
• Evaluation metric:
The utilization ratio of energy: $r_i = \dfrac{e_i}{E_i}$
The average utilization ratio: $\bar{r} = \dfrac{\sum_{i=1}^{N} r_i}{N}$
The frequency of effective allocation: $p = \dfrac{|\{\, i \mid e_i > 0,\ 1 \le i \le N \,\}|}{N}$
Evaluation
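The "no more than average-cost" rule and the metrics $r_i = e_i/E_i$, $\bar{r}$ and $p$ from this talk, replayed in Python as an added example (not EcoFuzz code). The hit positions, starting counters, `max_energy` and the `capped_energy` rule (allocate at most the ceiling of $C$) are assumptions made for illustration; the sketch leaves out the path-frequency and context-adaptive parts of AAPS.

```python
"""Replay of two energy schedules over constructed turns (added illustration)."""
from dataclasses import dataclass, field

# Constructed sample: for each turn, the test-case counts at which mutating the
# chosen seed would reach a new path. An empty list is a turn that finds nothing.
TURN_HITS = [[3, 40], [], [10], [5, 8], [], [20]]


@dataclass
class Replay:
    total_testcases: int                       # test cases generated so far
    found_paths: int                           # paths discovered so far
    turns: list = field(default_factory=list)  # one (E_i, e_i) pair per turn

    def average_cost(self):
        """C = total_testcases / found_paths (infinite before the first path)."""
        if self.found_paths == 0:
            return float("inf")
        return self.total_testcases / self.found_paths

    def run_turn(self, energy, hits):
        """Spend E_i = energy test cases; e_i is the last hit reached, else 0."""
        reached = [h for h in hits if h <= energy]
        consumed = max(reached, default=0)
        self.total_testcases += energy
        self.found_paths += len(reached)
        self.turns.append((energy, consumed))

    def metrics(self):
        """Return (r_bar, p): mean of e_i / E_i and share of turns with e_i > 0."""
        n = len(self.turns)
        if n == 0:
            return 0.0, 0.0
        r_bar = sum(e / E for E, e in self.turns) / n
        p = sum(1 for _, e in self.turns if e > 0) / n
        return r_bar, p


def fixed_energy(state, max_energy):
    """Baseline for comparison: the same energy every turn."""
    return max_energy


def capped_energy(state, max_energy):
    """Assumed rule: allocate at most ceil(C), and never more than max_energy."""
    if state.found_paths == 0:
        return max_energy
    ceil_c = -(-state.total_testcases // state.found_paths)  # integer ceiling
    return max(1, min(max_energy, ceil_c))


def replay(schedule, max_energy=100, total_testcases=200, found_paths=10):
    """Run every constructed turn under `schedule` and return the final state."""
    state = Replay(total_testcases, found_paths)
    for hits in TURN_HITS:
        state.run_turn(schedule(state, max_energy), hits)
    return state


if __name__ == "__main__":
    for name, schedule in (("fixed", fixed_energy), ("capped", capped_energy)):
        s = replay(schedule)
        r_bar, p = s.metrics()
        print(f"{name:6} C={s.average_cost():.1f} paths={s.found_paths} "
              f"r_bar={r_bar:.3f} p={p:.3f}")
```

On this constructed input the capped schedule reaches one path fewer than the fixed one but spends 127 test cases instead of 600, so $C$ falls from 50 to about 21.8 and $\bar{r}$ rises from 0.13 to about 0.31 while $p$ stays at 4/6.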
![Page 70: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/70.jpg)
Evaluation
![Page 73: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/73.jpg)
Scatter map of $r_i$ with $i$
• FidgetyAFL and AFLFast.new
$r_i < 0.5$
• EcoFuzz
$r_i \to 1.0$
Evaluation
![Page 74: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/74.jpg)
Table of $\bar{r}$ and $p$
• EcoFuzz demonstrates the best performance
The lowest average-cost
The highest average utilization
The highest frequency of effective allocation
The highest ratio of effective allocation to the number of times seeds were repeatedly chosen in the exploitation state
Evaluation
![Page 75: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/75.jpg)
• Detecting vulnerabilities
• 12 vulnerabilities
• 2 CVEs
Evaluation
![Page 81: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/81.jpg)
Conclusion
• VAMAB
Model the scheduling process of CGF
Explain the exploration and exploitation in CGF
Point out how to improve greybox fuzzing
• Improving the reward probability of each seed:
FairFuzz (avoids mutating the crucial parts of seeds)
• Establishing the mechanism of evaluating the seeds:
AFLGo (utilizes distance to evaluate each seed)
• Optimizing the power schedule:
AFLFast (increases the assigned energy monotonically)
![Page 84: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/84.jpg)
Conclusion
• VAMAB
Model the scheduling process of CGF
Explain the exploration and exploitation in CGF
Point out how to improve greybox fuzzing
• EcoFuzz
Search strategy (Self-transition-based Probability Estimation Method)
Power schedule (Adaptive Average-cost-based Power Schedule)
• Comprehensive evaluation:
Attains 214% of AFL's path coverage while generating 32% fewer test cases
Identifies 12 vulnerabilities
![Page 90: EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a ...EcoFuzz: Adaptive Energy-Saving Greybox Fuzzing as a Variant of the Adversarial Multi-Armed Bandit Tai Yue Pengfei Wang Yong](https://reader035.vdocuments.us/reader035/viewer/2022071516/613830bd0ad5d20676491ada/html5/thumbnails/90.jpg)
National University of Defense Technology
Email: [email protected]
EcoFuzz: https://github.com/MoonLight-SteinsGate/EcoFuzz
Thank you!
If you have any questions about our work, you are welcome to contact us!