We take a motivation example to describe how our approach regulates the input contents and solves the comparisons.

Program Figure 1 is an example containing two representative complex path constraints. It reads contents from the input \text{FILE *fp} , and assigns values to the \text{magic} and \text{result} variables. Then, the program performs two checks on the two variables:

● C1: A magic number check at lines 3–9. Assuming that the value of \text{magic} is directly from the \text{0th, 1st, 2nd}, and \text{3rd} bytes of the input.

● C2: A simple format check at lines 11–20. The value of \text{checkresult} is a result of the \text{check}\mathrm{\_}\text{format} function, assuming that it is calculated according to the \text{8th, 12th, 16th}, and \text{20th} bytes of the input \text{fp}.

An error will be raised for input that satisfies any of the two checks.

Coverage-based fuzzing These two checks highlight the challenge in the random mutation used in the coverage based fuzzers. Because the random mutation is unware of the program, it has to randomly select input contents for random mutation. As a result, it is hard to satisfy the C1 or C2 check. For example, to handle the C1 check, the random mutation should select the \text{0th, 1st, 2nd, 3rd} bytes for mutation, and the obtained input contents need to be \text{0xdeadbeef} by chance.

\mathbf{P}\mathbf{u}\mathbf{s}\mathbf{h}\mathbf{e}\mathbf{r} Our approach generates the inputs that can satisfy C1 and C2 checks via the following steps.

● The program executes on an input s, the \text{magic} and \text{result} variables are assigned concrete values. We use V_m^s for the \text{magic} and V_c^s for the \text{result}. Therefore, the combination of \left(s,V_m^s,V_c^s\right) is a connection instance between the input contents and the comparison operands.

● The engine produces a new input s_0 by mutating on the \text{0th} byte of the input s. The program executes on s_0, and it obtains a new connection instance, \left(s_0,V_m^{s_0},V_c^{s_0}\right). By comparing inference that whether the \text{0th} byte affects on any corresponding comparison operands or not in this case, it would find that V_m^{s_0} is different from V_m^s, i.e., the \text{0th} byte can affect the \text{magic} variable.

● After traversing all the bytes of input s, the engine learns the knowledge that the \text{magic} variable is affected by the \text{0th, 1st, 2nd, 3rd} bytes, and the \text{checkresult} variable is based on the \text{8th, 12th, 16th, 20th} bytes (if the length of the input is larger than 20 bytes). These recognized bytes locate a reduced space for the searching. It addresses the challenge of searching in a sizable space.

● Finally, it adjusts the recognized bytes to making V_m be \text{0xdeadbeef}, and V_c be \text{result} and produces the corresponing inputs. In this process, the distance between V_m and \text{0xdeadbeef} (or V_c and \text{result}) acts as a feedback to direct the searching.

This paper designs a new fuzzer, which integrates the original coverage-based testing with our connection-based searching. Figure 2 depicts the framework of our approach.

We instruments target source code by adding comparison operand collection code and also generates static information for search-based testing component during compiling. Then we choose coverage-based fuzzing as one component in our fuzzer \text{Pusher} to quickly creates a seed pool for the searching component.

In the connection-based searching, the engine runs the inputs from the seed pool to collect the comparison operands, which compose the connection instances between the input contents and comparison operands. Then, an inference component is leveraged to locate the bytes that can affect the comparison operands. Afterward, a heuristic searching engine is introduced to solve the unsatisfied comparisons and generate the target inputs by mutating the recognized bytes. This process is iterated until all the inputs in the seed pool are conducted once.

The \text{cmp} and \text{test} instructions in the binary embody the comparisons in the source code. Without loss of generality, we take \text{cmp} instruction to typify the comparison in this paper.

To discriminate the \text{cmp} instructions, we assign each of them a unique label as the identity, which is calculated by three related basic blocks: the one where target \text{cmp} instruction locates and its two successive blocks according to the static control flow. Previous work has introduced a method to allocate unique IDs for each block, like i{d}_A is assigned for the block A. Therefore, the \text{cmp} instruction labels can be determined based on these IDs.

Formally, the label calculation is as Eq. (1) shows. \mu is a symbol for the label of a \text{cmp} instruction; i{d}_c is denoted as the ID of the basic block where the \text{cmp} instruction is in, i{d}_t and i{d}_f are the IDs of the two successive basic blocks.

Moreover, the \text{cmp} instructions are reconstructed to ensure a uniform shape. In brief, each \text{cmp} instruction is characterized in three forms, shown in Table 1. \text{imm} means an immediate value, \text{reg} is referred to a value from registers, and \text{mem} is a value from the memory. For the first form, there are two immediate values in a \text{cmp} instruction, it is ruled out for its seldom usage. The second form is the expected shape with a dynamic operand and a fixed operand, the fixed operand is chosen as the target value (required in the searching). For the third form, both the two operands are dynamic, it would be reconstructed into the second form, creating a dynamic operand and a fixed operand. Afterwards, all the \text{cmp} instructions hold the same form, e.g., “ \text{cmp op,imm}”.

During execution, every input comes across some \text{cmp} instructions, as well as the concrete comparison operands. Then the input and the concrete comparison operands jointly make up a connection instance. Formally, given an input s, \text{COPMap}(s) collects all the concrete comparison operands, depicted as Eq. (2). Every combination of \left(s,\text{COPMap}(s)\right) is a connection instance.

where Labe{l}_{set}(s) denotes a set of labels of the \text{cmp} instruction emerged in the execution trace; \mu is the label for a \text{cmp} instruction, and O{p}_{\mu } is its dynamic operand value, i.e., the op in “ \text{cmp op,imm}”.

We design a novel method to collect \text{COPMap} (running by instrumentation) as Algorithm 1 shows. First, a memory block is initialized (line 2); during execution, the input would encounter some \text{cmp} instructions, of which the labels are collected (lines 3 and 4). Then, for each \text{cmp} instruction with label \mu, its operand value O{p}_{\mu } is obtained (line 6) and stored into the memory unit indexed by \mu (line 7). At last, the memory block preservers all the specific operand values of the emerged \text{cmp} instructions, i.e., \text{COPMap}(s).

Since not all input contents can affect the comparison operands (such as the example in Fig. 1, only the \text{0th, 1st, 2nd,} \text{3rd} bytes are used to get \text{magic} variable), the only mutation on such related bytes is promising to generate the inputs that can overcome the complex path constraints.

In our study, the connection between the input contents and the comparison operands means that, once the input contents change, the corresponding comparison operands change as a result. Therefore, we present sequential analyzing method to perform the connection inference, pointing out which input content affects which comparison operand.

As a common choice, the sequential analyzing is done byte-wise. Given an input s and its \text{COPMap}(s), a new input s_0 is produced by mutation on the \text{0th} byte, and \text{COPMap}(s_0) is obtained after executing. It decides whether the mutated byte belongs to the connection by comparing \text{COPMap}(s) and \text{COPMap}(s_0). For example, if \text{COPMap}(s) and \text{COPMap}(s_0) possess different values at a same comparison operad, then the \text{0th} byte is involved to this comparison. After traversing all the bytes, the connection inference is made on this input.

Formally, we take \text{CI}(s) to represent the connection inference results for the input s. It is a key-value storage shown in Eq. (3).

where len(s) is the input length, i is the key role, it denotes the index of each byte, labe{l}_{set}^i is the value role, it is a set including all the labels of the \text{cmp} instructions connected to the No.i byte. The quantity of labels in labe{l}_{set}^i can be \text{0, 1} or even larger.

Figure 3 shows an example of the partial inference process. The left part is the memory block of \text{COPMap}(s), and the right is \text{COPMap}(s_0) ( s_0 is produced by mutation on the \text{0th} byte of s). Their values at \text{5th} and \text{14th} memory units are different (marked as gray), it means the \text{0th} byte can affect the operands at the \text{cmp} instructions with labels of \text{5} and \text{14}. So that, it yields the connection as Eq. (4) shows.

The total connection inference can be made by traversing all the bytes of the input. Intuitively, an accurate way is assigning \text{0x00} to \text{0xFF} for each byte to produce new inputs. However, it inevitably results in too much overhead. To make a trade-off between the effectiveness and the accuracy, each byte is only assigned some random values (like \text{10} values).

Algorithm 2 demonstrates the process of connection inference. It reads an input s, and finally outputs the result \text{CI}(s). Given an input, the engine traverses all its bytes (lines 2–11), and every byte is checked for \text{N} times (lines 5–10); every time a new input s^{\prime } is produced by mutation on one byte of s, its \text{COPMap}(s^{\prime }) is compared to \text{COPMap}(s), then it makes a decision about whether this byte belongs to the connection (lines 6–8); the \text{CI}(s) is updated after checking each byte (line 9).

Based on the connection inference results, many modern meta-heuristic algorithms can be used to search for the target inputs and penetrate the complex comparisons. However, our primary goal in this paper is not to optimize the meta-heuristic algorithms themselves, but rather to address the challenges in random mutation. So that we just adopt the genetic algorithm (GA for short) as a choice to verify the availability of our techniques. In a nutshell, this section illustrates how we handle the collected information and resort to GA engine to produce the target inputs.

First of all, for an input s, its connection inference result \text{CI}(s) is obtained. We transforme \text{CI}(s) into another keyvalue storage, in which the cmp instruction label acts as the key role, and a set of the input bytes, which can affect the corresponding \text{cmp} instruction operands, acts as the value role. This storage is named \text{TCI}(s), and formally shown in Eq. (5).

where P is the target program, Label_set(P) is a set of all the \text{cmp} instruction labels in the program, µ is the \text{cmp} instruction label, and Po{s}_{set}^{\mu } is the set of all the input bytes connected to the µ \text{cmp} instruction.

For example, the \text{CI}(s) in Eq. (4) is transformed into Eq. (6). Specifically, the \text{cmp} instruction with label \text{5} is connected to the \text{0th} input byte, and the \text{cmp} instruction with label \text{14} is connected to the \text{0th} input byte as well.

Furthermore, there is a target value for each \text{cmp} instruction (see Table 1). When compiling, all comparison instructions are instrumented in LLVM IR level to output the corresponding target values. For clear description, we utilize V_t^{\mu } to denote the target value of the \text{cmp} instruction with \mu label. Such as, the V_t^{\mu } for the comparison at line 8 in Fig. 1 is \text{0xdeadbeef}.

Based on \text{TCI}(s), Algorithm 3 is designed to apply a GA engine to satisfy our searching requirements. It reads an input s, and outputs several target inputs inpu{t}_{set}.

For a target program P, given an input s, its \text{TCI}(s) is obtained by the execution and conversion (lines 2, 3); for each \text{cmp} instruction contained in \text{TCI}(s), an individual GA based process is done to search for target inputs (lines 4-10); the set Po{s}_{set}^{\mu } of the connected input bytes and the target value V_t^{\mu } for the \mu\text{cmp} instruction are determined (lines 5, 6); then, according to the GA model, the Po{s}_{set}^{\mu } is considered as the GAGenes, and V_t^{\mu } is considered as the GATarget (lines 7, 8), both of them are delivered to the GA engine via the parameters; finally, the GA engine tries its best to produce the target inputs (line 9).

More specially, in GA engine, the inputs bytes in Po{s}_{set}^{\mu } are disassembled into bits, each of which acts as a gene in the GA model. And in the fitness function, we take the Euclidean distance between the two comparison operands, op and imm, as a feedback to decide the surviving possibility of each input in the evolution [22].

We investigate the evaluation experiments of other fuzzers according to their public papers, the results are shown in Table 2. Their experiments suggest a representative choice to evaluate LAVA-M [23], CGC, and some real-world programs. Therefore, we also perform the evaluation experiments on these three benchmark databases.

Experimental infrastructure All experiments were conducted on a server equipped with 2 Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz (72 threads in total), running Linux Ubuntu 18.04.3 LTS AMD64. Besides, the fuzzers were launched in single mode, to avoid the performance fluctuation caused by the different parallel modes in various fuzzers [16, 25].

Research questions The following experiments were designed to answer three research questions:

● RQ1: How well is the bug detection of \text{Pusher}?

● RQ2: How well is the testing coverage of \text{Pusher}?

● RQ3: How well is the execution overhead of \text{Pusher}?

In 2016, to address the shortage of ground-truth corpora for vulnerability discovery evaluation, a new technique is developed in paper [23] to produce such corpora, LAVA-1, and LAVA-M. In LAVA-1, there are \text{69} instances of the \text{file} program, each of which is injected with a unique bug. Whereas in LAVA-M, there are four programs, each of which is injected with more than one bug. In terms of the bug discovery evaluation, LAVA-M is an appropriate benchmark database in a long run.

Both the authors and users of LAVA-M have arranged five hours of testing for bug detection. Keeping up with this standard, we also take \text{Pusher} on LAVA-M for five hours and compare its results with other fuzzers.

In particular, each bug in LAVA-M owns a unique ID. That is realized in lava\mathrm{\_}get function as Fig. 4 shows. Once any of the two comparisons at line 2 is satisfied, the input would trigger the crash, and the program outputs a bug\mathrm{\_}num as the ID of the bug. This mechanism can be leveraged for crash distinguishing, and the number of unique bugs can be counted easily.

After five hours of testing, the number of detected bugs by \text{Pusher} is shown in the last column in Table 3. Besides, the second column shows the number of inserted bugs according to the provided document (actually, this number is incomplete, some inserted bug are not mentioned [14]). The other columns summary the evaluation results of other fuzzers.

The results indicate that \text{Pusher} found 44 listed bugs and 4 unlisted bugs in \text{base64}, 57+4 bugs in \text{md5sum}, 28+1 bugs in \text{uniq}. and 1847+205 bugs in \text{who}. The unlisted bug IDs are acquired by running the crashes and collecting from their outputs. Overall, \text{Pusher} is the best among the 10 compared fuzzers on the bug discovery.

We invastigated why some bugs cannot be detected in the who program. The reason we found is that the inserted codes are too concentrated. For example, all the codes from line 743 to line 1353 (610 lines) in readutmp.c file are inserted by LAVA techniques, more importantly, the bugs among these codes are connected to the same four input bytes, such nested conditional branches make it difficult to find all the bugs. However, this scenario is not universal in the realworld program, so missing some bugs in the who program is acceptable.

Furthermore, \text{Pusher} is built on top of AFL by introducing a search-based method to handle the complex path constraints. The results show that \text{Pusher} outperforms AFL on the bug discovery, it is proof that our proposed approach is effective in solving more path constraints.

In 2016, the Defense Advanced Research Projects Agency (DARPA) held a Cyber Grand Challenge (CGC), and finally released a benchmark database for vulnerability discovery evaluation, which has been wildly used, such as Table 2 shows.

However, the original CGC binaries can only run under the DARPA Experimental Cyber Research Evaluation Environment (DECREE), which is a customized system. Due to the instrumentation dependency, \text{Pusher} cannot run on the DECREE system so far. Thanks to the work of Trail of Bits, a migration version is created in the Linux system. Therefore, we take \text{Pusher} on these migrated binaries for evaluation.

Though the sizes of these binaries are small, the vulnerabilities in which are quite diverse. We have tested these binaries and get some observations.

● I. Because of the migration problems [15] and the infinite loops of reading, some binaries cannot be tested by fuzzers.

● II. In some binaries, the vulnerabilities cannot be detected, whereas the testing coverages are even high. Because covering the related codes is not a guarantee to find these bugs, other detection techniques [26] are required.

● III. Some binaries contain some special paths guarded by complex condition predicates, like magic number comparison. Once these comparisons are penetrated, the testing coverage rises a lot, and the possibility of finding bugs also increases.

Because \text{Pusher} is designed to handle the comparisons, i.e., it is designed to address the binaries with No.III observations. So, we take \text{Pusher} to test some selected binaries and collected the branch coverage and number of crashes. The results are shown in Table 4 (We failed to build the CGC binaries with Angora).

The results indicate that on all 9 binaries, \text{Pusher} achieves a higher branch coverage than other fuzzers. For example, it achieves 94% branch coverage in CGC_Hangman_Game which is 7.8× than other tools. This is because there is a simple check \text{strcmp (inbuf, “HANGEMHIGH!”)} in the begining of main function, which prevents the other tools from testing further. However, by leveraging GA searching method, \text{Pusher} can quickly pass through this check to uncover more code areas. Besides, \text{Pusher} can find more bugs on these binaries (a total number of 180 crashes in 7 binaries).

Take \text{Barcoder} as an example, when it tries to create a barcode from the input bitmap file, it firstly invokes function \text{validate}\mathrm{\_}\text{bmp}_ \text{headers} to check if the input file as a correct header. Only the input file that passes this check can be further processed. The check function is shown in Fig. 5. To pass this function, the input file needs to satisfy many validation checks such as magic number, file size, image size, etc. Fuzzers like AFL, AFL-lafintel and and Fairfuzz has no knowledge about the input-branch relationship, thus they cannot bypass the complex checks. Whereas, by extracting the target values when compiling and leveraging heuristic search method to solve them, \text{Pusher} can quickly generate a valid bitmap file to satisfy all the checks in this function.

We selected several real-world programs to evaluate the ability of unknown bug discovery of our system. The input types of this dataset cover ELF binary, image, and packet capture. To demonstrate the efficiency of our system, we also compared our results with AFL, AFL-lafintel, FairFuzz, and Angora. All the experiments are lasted for 72 hours to ensure soundness. The initial seeds are equal and from fuzz-data [27].

The testing result is shown in Table 5. We can see that \text{Pusher} outperforms all the other fuzzers in these four real-world programs from the tabe. Especially in \text{jhead} and \text{tcpdump}, \text{Pusher} can successfully uncover bugs while other fuzzers like AFL, AFL-lafintel, and Fairfuzz cannot. We will illustrate the reason for the performance improvment by checking the testing coverage in Section 4.5.

In conclusion, \text{Pusher} works well on the bug detection, especially the bugs guarded by the complex condition constraints.

Since it is hard to predict where a bug may appear in the software, maximizing the testing coverage is usually chosen as a proxy of increasing the probability of finding bugs. Therefore, we make an deep investigation of the testing coverage (i.e., branch coverage, line coverage, and function coverage) to illustate the bug detection performance improvment in Table 5. The results are shown in Table 6.

After the execution, Table 6 shows the final testing coverage results, and Fig. 6 shows the increasing process of the line coverage along with time. From an overall perspective, it is concluded that \text{Pusher} can achieve the highest testing coverage among the six compared fuzzers on the four programs. Besides, although \text{Pusher} is developed on the ground of AFL, it can achieve an 11% to 128% increase on the line coverage than the original AFL.

After an adequate test (72 hours), \text{Pusher} behaves better than AFLFast and AFL-lafintel. That is because both AFLFast and AFL-lafintel still leverage the random mutation to produce new inputs, which is powerless to penetrate complex paths. Whereas AFLFast introduces a power-based schedule, and AFL-lafintel exploits the program-transformation to help the testing, their improvements would become weak after a long time testing. On the contrary, \text{Pusher} is aware of the connection between the inputs and the comparisons, so that it successfully achieves a higher testing coverage.

Fairfuzz and Angora perform better than AFL in all these four programs except tcpdump, that is because they present related techniques to augment the mutation capacity. In Fairfuzz, it leverages the statistical results of execution to direct mutation, and Angora adopts the DataFlowSanitizer to do so. In comparison, it can be seen that \text{Pusher} acts better than these two fuzzers. That is because the statistical results in Fairfuzz are not absolutely accurate in the individual case, and the external library description requirements in Angora can also bring inaccuracy. Especially in tcpdump, since the input function like \text{fread} is implemented in external library libpcap that we are not interested in, we patched tcpdump so that taint data can be introduced.

In contrast, \text{Pusher} is easily deployed to test many programs, and it can conduct the input searching based on an accurate connection between the inputs and the comparisons. Therefore, it can achieve a higher testing coverage.

Case study An interesting sample is the testing on jhead program. In that case, AFL, AFLFast, AFL-lafintel, and Fairfuzz reach their top coverage at the very beginning, no new coverage is discovered in the following 72 hours. On the contrary, \text{Pusher} and Angora are continually exercising new codes during the testing.

More specifically, this difference is due to a magic number check. Figure 7 shows the related code snippet, it reads some data and compares it to the “Exif” string, if satisfied, the \text{process}\mathrm{\_}\text{EXIF()} function would be invoked, otherwise, the program quits quickly.

If this comparison cannot be solved in the testing, the program would end directly, and the fuzzer cannot discover new codes. Because AFL, AFLFast, and AFL-lafintel have no idea about which input bytes are connected to this comparison, they have to conduct the searching in an enormous space, and fail at last. The strategy in Fairfuzz is invalid due to the inadequate statistical information, it also fails to penetrate this comparison.

Contrariwise, both \text{Pusher} and Angora are aware of which input bytes are connected to this comparison to direct the mutation to produce the expected inputs quickly. Even so, \text{Pusher} still achieves a higher coverage than Angora.

In conclusion, \text{Pusher} improves the testing coverage.

Execution overhead is an essential metric for vulnerability detection tools, and it seriously influences their application on the large software, i.e., symbolic execution is limited partly because of its serious overhead. Therefore, we analyze the execution overhead of \text{Pusher} in this section.

In the fuzzers, the execution overhead mainly comes from two aspects: instrumentation and analysis. For example, the execution overhead in AFL consists of the coverage collection and the testing schedule, as Table 7 shows. Developed on AFL, \text{Pusher} additionally increases the overhead by the comparison operands collection, the connection inference and the GA based searching, which is also shown in Table 7.

We utilize the total execution number after thorough testing as an indicator of the execution overhead of the fuzzers, i.e., in a fixed time, a fewer execution number denotes a more significant overhead. Because \text{Pusher} is based on AFL, we only compare \text{Pusher} with AFL and its variants (Angora is not taken into comparison) to avoid the affection of other unrelated factors.

The execution number results are shown in Fig. 8. Taken the execution number of AFL as the baseline, it can be seen that \text{Pusher} achieves a fewer number, it only executes 39% execution of that in AFL on jhead, 96% on nm, 80% on objdump, and 63% on tcpdump. Nevertheless, the execution number of \text{Pusher} is almost on the same order of magnitude as that in AFL. Moreover, the execution numbers of the AFL variant fuzzers are also on the same order of magnitude as that in AFL, and they are regarded as light techniques. Therefore, the overhead in \text{Pusher} is acceptable, and it belongs to the lightweight techniques.

We also carry out in-depth statistics about the execution numbers by the coverage-based testing and the search-based testing (consisting of the connection inference and the GA based searching), in an attempt to understand the execution distribution between these two stages.

For clarity, the execution numbers are transformed into the normalized rate, as Fig. 9 shows. From the results, it can be seen that the execution distribution between the two testing stages is reasonable.

For example, on the \text{jhead} program, the search-based testing only occupies 3% of the total execution, because the amount of the inputs in SeedPool is small, the search-based component can quickly accomplish its work, and wait for new inputs generated by the coverage based testing. Since \text{tcpdump} contains lots of \text{swith-case} statements that affected by input file in source code (as shown in Fig. 10), \text{Pusher} spends more time on overcoming such cases by search-based testing which occupies 46% quantity of the total execution. Whereas, the introduced overhead is within an acceptable scope, and the testing coverage is improved as a result.

Moreover, we further take a detailed statistic about the execution distribution between the connection inference and the GA based searching. The results in Table 8 indicate that the connection inference causes the primary execution overhead in the search-based testing. For example, the execution number of connection inference on the \text{tcpdump} binary is 81659k, whereas the number of GA based searching is just 1016k, which is almost negligible.

As far as we know, the other connection inference techniques, like taint analysis, symbolic execution, hold on heavier burdens than our approach when applying to specific program structures such as symbolic loops/implicit data flow that commoly exist in real world software. Whereas our approach still belongs to the lightweight techniques and more adaptive for complex program structures. In other words, our method is insensitive to the scale of target program (i.e., lines of code), the overhead and efficiency only can be affected by the quantity and complexity of branch instructions within the target program.

In addition, the execution distribution is imbalanced between the connection inference and GA based searching, it provides an explanation that why our researching emphasis is on the connection inference, and just select one off-the-shelf modern search algorithm as a representative to handle the comparisons.

In conclusion, the execution overhead introduced by our approach in \text{Pusher} is within an acceptable scope.

Vuzzer [12] proposed an application-aware evolutionary fuzzing strategy that does not require any prior knowledge of the application or input format. Instead, it leverages control and data flow features based on static and dynamic analysis to infer the critical bytes of comparison instructions to maximize coverage and explore deeper paths. However, even though the critical bytes are located, their mutation strategies are still based on random mutations. To relieve the overhead introduced by taint analysis of Vuzzer, Steelix [15] presented a program-state based fuzzing method. It leverages light-weight static analysis and binary instrumentation to provide coverage information and comparison progress information to help fuzzer to locate the magic bytes. However, its muation methods still belong to random strategies. Angora [14] leverages the similar searching based muation method (i.e., gradient descent) to our GA method, which can improve the quality of generated testcase. However, as demonstrated in [28], Angora uses the expensive taint tracking step only sparsely to overcome hard-to-solve conditions bringing more overhead. What’s worse, one has to make a compromise between precision and usability. This is because, to successfully build a target program with Angora’s compiler, one has to ignore the taint propagation in many libraries [14]. Similar to our method, redqueen [28] implements a light weight “taint analysis” to locate the bytes related to magic bytes or checksums. For magic bytes cases, redqueen employs several specific mutation strategies to overcome them. For checksum cases, it uses the “patch-solve” method to overcome them, which introduces the high-weight symbolic execution. However, our method uses light-weight searching method to solve the constraints which is considered to be more scalable.

Hybrid fuzz testing uses concolic execution to discover frontier nodes that represent unique paths in the program. For example, Driller is an up-to-date hybrid testing tool that leverages fuzz testing and concolic execution in a complementary manner to find deeper bugs [6]. It is more practical than previous hybrid tools. DeepFuzz [29] defined a novel method to assign probabilities to program paths to maximize both the execution path depth and the degree of freedom in input parameters for exploitation. SAFL leverages symbolic analysis to generate high-quality seed inputs for the fuzzer, and prioritizing the fuzzing towards seeds which have exercised rarely executed branches to help the fuzzing process to exercise rare and deep paths with higher probability [30]. DigFuzz designs a novel Monte Carlo based probabilistic path prioritization model to quantify each path’s difficulty and prioritize them for concolic execution which improves the number of bug detected and the code coverage [7]. Intriguer proposed a field-level constraint solving, which optimizes symbolic execution with field-level knowledge. It performs instruction-level taint analysis and records execution traces without data transfer instructions like \text{mov}. Then reduces the execution traces for tainted instructions that accessed a wide range of input bytes, and infers input fields to build field transition trees [31].

Gong et al. trained a deep learning model based on samples generated by AFL that caused the program state to be changed and the program state to be unchanged [32]. Whether the sample generated by the new round of AFL could change the program state can be predicted by the trained model. Therefore, AFL cannot execute samples that cannot generate new states, improving the efficiency of the fuzzer. NeuFuzz [33] learns the known vulnerability programs and hidden vulnerability patterns in the sample through LSTM to discover the execution path containing the vulnerability. Then, NeuFuzz preferentially executes the seed files that can cover the path containing the vulnerability, and assigns more mutation energy to these seed files based on the prediction results. NEUZZ proposed a novel program smoothing technique using surrogate neural network models that can incrementally learn smooth approximations of a complex, real-world program’s branching behaviors to improve the efficiency of fuzzing [34].

Taintscope is the first method that is aware of checksums like CRC and can bypass them automatically [35]. It uses heuristic method to locate the checksum point and then replaces the checksum part in the input with the calculated checksum value to bypass the check. However, this method may fail when dealing with the example in Fig. 1. Taintscope bypasses checksum by adjusting the checksum part in the input, thus this method fails in our cases in Fig. 1 since \text{magic} and \text{FORM} are both constant values. Taintscope can bypass the path constraint like f(x)=c where c is a constant value with the help of constraint solvers, but that method is regarded as a kind of hybrid fuzz testing method. CAFA presents a approach based on taint analysis to identify the checksum point automatically. Then the application is statically patched in an antilogical manner at the checksum point to bypass the checksum verification [36].