Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Hybrid Approach to Directed Fuzzing

https://doi.org/10.15514/ISPRAS-2025-37(6)-19

Abstract

Program analysis and automated testing have recently become an essential part of the SSDLC. Directed greybox fuzzing is one of the most popular automated testing methods; it focuses error detection on predefined code regions. However, it still lacks the ability to overcome difficult program constraints. Symbolic execution addresses this problem well, but at the cost of lower performance. Thus, combining directed fuzzing and symbolic execution techniques can lead to more efficient error detection.

In this paper, we propose a hybrid approach to directed fuzzing with a novel seed scheduling algorithm based on target-related interestingness and coverage. The approach also minimizes and sorts objective seeds according to target-related information. We implement our approach in the Sydr-Fuzz tool, using LibAFL-DiFuzz as the directed fuzzer and Sydr as the dynamic symbolic executor. We evaluate our approach with the Time to Exposure metric and compare it with pure LibAFL-DiFuzz, AFLGo, and other directed fuzzers. According to the results, the Sydr-Fuzz hybrid approach to directed fuzzing shows high performance and helps to improve directed fuzzing efficiency.

About the Authors

Darya Alekseevna PARYGINA
Lomonosov Moscow State University
Russian Federation

Master's graduate of Lomonosov Moscow State University. Research interests: symbolic execution, hybrid fuzzing, directed fuzzing.



Timofey Pavlovich MEZHUEV
Ivannikov Institute for System Programming of the Russian Academy of Sciences, Lomonosov Moscow State University
Russian Federation

Bachelor's graduate of Lomonosov Moscow State University, laboratory assistant at the Institute for System Programming of the RAS. Research interests: symbolic execution, hybrid fuzzing, directed fuzzing.



Daniil Olegovich KUTZ
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

Cand. Sci. (Tech.), junior research assistant at the Institute for System Programming of the RAS. Research interests: dynamic analysis, fuzzing, symbolic execution, hybrid fuzzing.




For citations:


PARYGINA D.A., MEZHUEV T.P., KUTZ D.O. Hybrid Approach to Directed Fuzzing. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(6):53-64. https://doi.org/10.15514/ISPRAS-2025-37(6)-19



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)