[Review] autofz: Automated Fuzzer Composition at Runtime
This paper proposes a new fuzzing mechanism that integrates several fuzzers into a single fuzzing process. For every workload, one or several fuzzers judged to be the best mixture are employed for fuzzing. Unlike earlier work, autofz:
- Does not need presetting or human effort.
- Allocates fuzzers per workload rather than per program.
Background:
- A large number of fuzzers have been created, which makes it difficult to choose a proper fuzzer for a specific fuzzing task.
- No universal fuzzer perpetually outperforms the others, so choosing an optimal fuzzer is difficult.
- The efficiency of a fuzzer may not last for the whole fuzzing process.
- Fuzzing is a random process, so a fuzzer that is optimal at one point may not remain optimal.
Implementation:
- Divides the fuzzing process into two phases: a preparation phase and a focus phase.
- In the preparation phase, autofz tests every fuzzer and finds one or several that perform well.
- In the focus phase, autofz allocates different amounts of resources to the fuzzers chosen in the preparation phase and lets them fuzz.
- A workload is composed of a preparation phase and a focus phase, and a fuzzing process is composed of several workloads.
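The two-phase workload loop described above, as an added illustration rather than autofz's own code: the fuzzer stand-ins, the keep-within-half-of-best selection threshold and the gain-proportional split of focus time are all assumptions made here to show how per-workload reallocation follows a fuzzer that stalls.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

def make_fuzzer(rate: float, plateau: int) -> Callable[[float], int]:
    """Constructed stand-in for a fuzzer (not autofz code): returns new edges found for a time budget."""
    found = 0
    def run(seconds: float) -> int:
        nonlocal found
        gain = min(int(rate * seconds), plateau - found)  # stalls once the plateau is reached
        found += gain
        return gain
    return run

@dataclass
class Workload:
    selected: List[str]             # fuzzers kept after the preparation phase
    focus_budget: Dict[str, float]  # seconds each one gets in the focus phase
    new_coverage: int               # edges found during the focus phase

def preparation_phase(fuzzers, prep_time):
    """Give every fuzzer the same short slice and record its coverage gain."""
    return {name: run(prep_time) for name, run in fuzzers.items()}

def select_fuzzers(gains, keep_ratio):
    """Assumed heuristic: keep every fuzzer within keep_ratio of the best gain."""
    best = max(gains.values())
    if best <= 0:
        return list(gains)  # nothing distinguishes them, keep all
    return [n for n, g in gains.items() if g >= keep_ratio * best]

def focus_phase(fuzzers, gains, selected, focus_time):
    """Assumed policy: split the focus time in proportion to preparation gain."""
    weights = {n: gains[n] for n in selected}
    if sum(weights.values()) <= 0:
        weights = {n: 1 for n in selected}
    total = sum(weights.values())
    budget = {n: focus_time * weights[n] / total for n in selected}
    return budget, sum(fuzzers[n](budget[n]) for n in selected)

def run_workload(fuzzers, prep_time=2.0, focus_time=10.0, keep_ratio=0.5):
    gains = preparation_phase(fuzzers, prep_time)
    selected = select_fuzzers(gains, keep_ratio)
    budget, coverage = focus_phase(fuzzers, gains, selected, focus_time)
    return Workload(selected, budget, coverage)

def sample_campaign(workloads=3):
    """Constructed sample: one fuzzer is fast but plateaus early, two are slower but keep going."""
    fuzzers = {"fast_then_stalls": make_fuzzer(10, 40),
               "steady": make_fuzzer(4, 200),
               "slow": make_fuzzer(1, 100)}
    return [run_workload(fuzzers) for _ in range(workloads)]
```

Running `sample_campaign()` selects the fast fuzzer in the first workload and switches to the steady one once the fast fuzzer stops producing coverage.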
Evaluation:
- Setup: Ubuntu 20.04 on an AMD Ryzen 9 3900 with 24 cores and 32 GB of memory.
- Baseline fuzzers: AFL, AFLFast, MOpt, FairFuzz, LearnAFL, QSYM, Angora, Redqueen, Radamsa, LAF-INTEL, and libFuzzer.
- Evaluates coverage, bugs found, and elasticity, and compares against collaborative fuzzing.
Future work:
- A better approach to choose the optimal fuzzers in the preparation phase.
- How to automatically choose the set of fuzzers to use.