Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing
Combining the strengths of individual fuzzing methods is an appealing way to find software bugs more efficiently, especially when the computing budget is limited. In prior work, EnFuzz introduced this idea and devised three heuristics to classify fuzzers by their diversity. Based on these heuristics, the authors manually picked a combination of fuzzers to run collaboratively. In this paper, we generalize this idea by collecting empirical data from single, isolated fuzzer runs and using it to automatically identify a set of fuzzers that complement each other when executed collaboratively. To this end, we present Cupid, a collaborative fuzzing framework that allows automated, data-driven selection of multiple complementary fuzzers for parallelized and distributed fuzzing. We evaluate the target-independent combination of fuzzers that Cupid selects automatically on Google's fuzzer-test-suite, a collection of real-world binaries, as well as on the synthetic Lava-M dataset. We find that Cupid outperforms two expert-guided, target-specific, hand-picked combinations (EnFuzz, EnFuzz-Q) on Google's fuzzer-test-suite in terms of branch coverage, and improves bug finding on Lava-M by 10%. Most importantly, it reduces the time needed to reach 95% and 99% of the final coverage by 90% and 64%, respectively. Furthermore, Cupid reduces the number of CPU hours needed to find the best-performing combination of fuzzers by multiple orders of magnitude compared to an exhaustive evaluation of all combinations.
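The abstract describes the core idea, predicting which fuzzers complement each other from data gathered in isolated runs, but does not give the selection algorithm. The example below is added here to illustrate one way such a data-driven selection can work; it is not Cupid's code and the scoring model is my assumption. It assumes each fuzzer was run several times on its own, that each run yields the set of branch identifiers it covered, and that an ensemble is scored by the expected number of branches at least one member covers, treating the members as independent. The run data, fuzzer names and branch ids are constructed for the example.

```python
"""Data-driven selection of complementary fuzzers from isolated runs.

Illustrative example written for this page, not Cupid's own code.
Assumptions (mine, not from the abstract):
  * every fuzzer was run N times in isolation; each run reports the set of
    branch ids it covered;
  * per fuzzer and branch, P(branch covered in one run) is estimated as the
    fraction of runs that hit it;
  * an ensemble is scored by the expected number of branches covered by at
    least one member, with members treated as independent.
"""
from itertools import combinations

# Constructed sample data: fuzzer name -> list of per-run covered-branch sets.
# fuzzA and fuzzB mostly overlap; fuzzC and fuzzD explore other regions.
RUNS = {
    "fuzzA": [{1, 2, 3, 4}, {1, 2, 3}, {1, 2, 3, 4}],
    "fuzzB": [{1, 2, 3, 4, 5}, {1, 2, 4, 5}, {1, 2, 3, 5}],
    "fuzzC": [{6, 7}, {6, 7, 8}, {6}],
    "fuzzD": [{8, 9, 10}, {8, 9}, {9, 10, 4}],
}


def branch_probabilities(runs):
    """Per fuzzer, estimate P(branch covered in one run) as hit fraction over runs."""
    probs = {}
    for fuzzer, run_sets in runs.items():
        n = len(run_sets)
        counts = {}
        for covered in run_sets:
            for branch in covered:
                counts[branch] = counts.get(branch, 0) + 1
        probs[fuzzer] = {b: c / n for b, c in counts.items()}
    return probs


def expected_union_coverage(probs, ensemble):
    """Expected number of branches hit by at least one ensemble member.

    For each branch, P(covered) = 1 - prod(1 - p_i) over members, which is
    exact only if members behave independently (assumed here).
    """
    branches = set()
    for fuzzer in ensemble:
        branches |= probs[fuzzer].keys()
    total = 0.0
    for branch in branches:
        miss = 1.0
        for fuzzer in ensemble:
            miss *= 1.0 - probs[fuzzer].get(branch, 0.0)
        total += 1.0 - miss
    return total


def best_ensemble(probs, k):
    """Exhaustive search over all k-subsets; fine for a handful of fuzzers."""
    return max(combinations(sorted(probs), k),
               key=lambda ens: expected_union_coverage(probs, ens))


def greedy_ensemble(probs, k):
    """Greedy forward selection: repeatedly add the fuzzer with the largest
    marginal gain.  Needs only O(n*k) scorings instead of C(n, k), so it
    scales to many candidate fuzzers; the coverage objective is submodular,
    so the greedy result is within a constant factor of the optimum."""
    chosen = []
    while len(chosen) < k:
        best = max((f for f in probs if f not in chosen),
                   key=lambda f: expected_union_coverage(probs, chosen + [f]))
        chosen.append(best)
    return tuple(chosen)


if __name__ == "__main__":
    P = branch_probabilities(RUNS)
    for f in sorted(P):
        print(f, "alone:", round(expected_union_coverage(P, (f,)), 3))
    print("best pair (exhaustive):", best_ensemble(P, 2))
    print("best pair (greedy):    ", greedy_ensemble(P, 2))
    print("best triple (greedy):  ", greedy_ensemble(P, 3))
```

Note that the selection never runs the fuzzers together: every number comes from the isolated runs, which is what makes the search cheap compared to evaluating each candidate combination collaboratively. The sample data is built so that the two strongest fuzzers on their own (fuzzA, fuzzB) are a poor pair because they cover the same branches, while fuzzB plus fuzzD wins by covering different regions.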