Group-Based Corpus Scheduling for Parallel Fuzzing
Parallel fuzzing relies on hardware resources to guarantee test throughput and efficiency.
In industrial practice, it is well known that parallel fuzzing faces the challenge of task division, but most works neglect the important process of corpus allocation.
In this paper, we propose a group-based corpus scheduling strategy to address these two issues, which has been accepted by the LLVM community, and we implement a parallel fuzzer based on this strategy called glibFuzzer.
glibFuzzer first groups the global corpus into different subsets and then assigns each subset an energy score and a difference score.
The energy score is determined mainly by the seed size and the length of the coverage information, while the difference score describes the degree to which the code covered by one subset of seeds differs from that covered by the others.
In each round of local corpus construction, the master node selects high-quality seeds by combining the two scores, which improves test efficiency and avoids task conflicts between nodes.
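To make the scheduling idea concrete, here is an added toy implementation (not the paper's code, and not glibFuzzer): the grouping key, the energy formula and the difference formula are assumptions chosen to match the abstract's description, since the paper's exact definitions are not on this page.

```python
# Toy group-based corpus scheduler; grouping key and score formulas are assumed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Seed:
    name: str
    data: bytes
    coverage: FrozenSet[int]  # ids of the edges this seed exercises

def group_by_coverage(seeds: List[Seed], bucket: int = 4) -> Dict[int, List[Seed]]:
    """Split the global corpus into subsets keyed by coverage length (assumed key)."""
    groups: Dict[int, List[Seed]] = {}
    for s in seeds:
        groups.setdefault(len(s.coverage) // bucket, []).append(s)
    return groups

def energy_score(seed: Seed) -> float:
    """Favour small seeds carrying long coverage (assumed formula)."""
    return len(seed.coverage) / (1 + len(seed.data))

def difference_score(group_cov: Set[int], assigned: Set[int]) -> float:
    """Share of the group's edges not yet handed to another worker."""
    return len(group_cov - assigned) / len(group_cov) if group_cov else 0.0

def schedule(seeds: List[Seed], n_workers: int, per_worker: int = 2) -> Dict[int, List[str]]:
    """Master node: build each worker's local corpus from the best-scoring subset."""
    groups = group_by_coverage(seeds)
    assigned: Set[int] = set()   # edges already owned by some worker
    plan: Dict[int, List[str]] = {}
    for w in range(n_workers):
        def combined(key: int) -> float:
            members = groups[key]
            cov = set().union(*(m.coverage for m in members))
            return difference_score(cov, assigned) * max(energy_score(m) for m in members)
        best = max(groups, key=combined)            # subset with least overlap, most energy
        chosen = sorted(groups[best], key=energy_score, reverse=True)[:per_worker]
        plan[w] = [s.name for s in chosen]
        for s in chosen:
            assigned |= s.coverage                  # later workers avoid this code
    return plan

# Constructed sample corpus: seed sizes and edge ids are made up for the demo.
SEEDS = [
    Seed("a", b"AA", frozenset({1, 2, 3})),
    Seed("b", b"BBBBBBBB", frozenset({1, 2, 3, 4})),
    Seed("c", b"CCC", frozenset(range(10, 18))),
    Seed("d", b"DDDDDDDDDDDD", frozenset({10, 11, 12, 13, 14, 15, 16, 18, 19})),
    Seed("e", b"EE", frozenset({1, 20})),
]
```

Running `schedule(SEEDS, 3)` hands the high-energy, disjoint group {c, d} to the first worker, {a, e} to the second, and leaves only b, whose coverage mostly overlaps, for the third.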
To demonstrate the effectiveness of the strategy, we conducted an extensive evaluation on real-world programs and FuzzBench.
After 4$\times$24 CPU-hours, glibFuzzer covered 22.02% more branches and executed 19.42 times more test cases than libFuzzer in 18 real-world programs. glibFuzzer showed an average branch coverage increase of 73.02%, 55.02%, and 55.86% over AFL, PAFL, and UniFuzz, respectively.
More importantly, glibFuzzer found over 100 unique vulnerabilities.