Boosting Fuzzing Performance with Differential Seed Scheduling

Fuzzing is a common technique used to perform automated vulnerability discovery. Fuzzing performance could be improved by various means. In this paper, we discuss the impacts of seed scheduling, and propose differential seed scheduling to maximize fuzzing performance by increasing the number of crashes identified within a limited time. Differential seed scheduling works for grey-box fuzzers that generate seeds based on runtime code coverage measurement. It attempts to evaluate the value of fuzzing seeds and selectively pick the best one to achieve balance between fuzzing effectiveness and efficiency. Our contribution is four-fold. First, we proposed differential seed scheduling to improve overall fuzzing performance. Second, we implemented AFLExplorer by integrating differential seed scheduling with the open-source American Fuzzy Lop (AFL) fuzzer. Third, we conducted in-depth experiments with AFLExplorer to show the effectiveness and the efficiency of seed scheduling. Our evaluations showed that AFLExplorer can discover up to 90% more unique crashes compared with a vanilla fuzzer. Last, we reported newly identified vulnerabilities to the authors of the tested applications, had them fixed, and 15 common vulnerabilities and exposures (CVE) numbers were assigned as of writing of this paper.