Balance Seed Scheduling via Monte Carlo Planning
IEEE Transactions on Dependable and Secure Computing (2023)
Abstract
Seed scheduling, i.e., selecting seeds for mutation from a pool of candidates, significantly impacts how quickly a greybox fuzzer achieves a target coverage rate. Despite much progress in improving seed scheduling, existing work cannot escape from the high-cost trap or the high-benefit trap: one line of approaches assumes that high cost implies high benefit and thus prefers seeds that explore infrequently visited paths; the other directly calculates the potential benefits, e.g., the number of blocks that can be covered, and prefers high-benefit seeds. Because they ignore the impact of either the cost or the benefits, these approaches often trap fuzzers into mutating seeds without increasing coverage. This paper presents BELIEFFUZZ, which transforms fuzzing into a Monte Carlo planning system with upper confidence bound. The system allows us to dynamically compute both the benefits and the cost during the fuzzing process. The experimental results demonstrate that our approach achieves a significant efficiency improvement over the state of the art, with 2.12x-5.63x speedups and 1.18x-2.77x fewer executions needed to achieve the same coverage. Moreover, BELIEFFUZZ detected 31 more previously unseen bugs in the real-world projects evaluated, with 18 CVEs assigned.
Keywords
Fuzzing, Seed Prioritization, Power Scheduling, Monte Carlo Planning