RumFuzz: Coverage-guided Greybox Fuzzing with Reasonable Use of Memory

Coverage-guided Greybox Fuzzing (CGF) is one of the most popular vulnerability detection methods. AFL-based fuzzers typically use a fixed-size 64KB bitmap to record edge coverage information. However, for small programs, 64KB is larger than their execution space. This will waste memory and limit the number of fuzzers that can run on one device at the same time, which will increase the time and resource cost of vulnerability detection. For large programs, this relatively small bitmap size will inevitably increase the probability of collision and limit the performance of the fuzzer. To solve this problem, we modify the instrumentation algorithm to set the appropriate bitmap size at compile time based on the number of Basic Blocks (BBs) in the program. This size is sensitive to the target program. However, reducing bitmap size according to the BB number directly will increase the probability of collision and hurt the fuzzer performance. In order to reduce memory consumption under the premise of ensuring the performance of the fuzzer, we design a metric to measure the distance between seed and crash seed set, and combine it with the modified Exp3 algorithm to optimize seed scheduling and energy allocation of CGF with lightweight algorithms. We implement the proposed method on the basis of MOPT-AFL and evaluate it on the LAVA-M dataset and real-world programs. The results show that for small programs, the proposed method finds 1.49x, 1.52x, and 1.31x more unique bugs and achieves 43.37%, 55.11%, and 13.66% more coverage with 4.32%, 6.37%, and 14.57% less average memory consumption than AFL, AFLFast, and MOPT-AFL, respectively. For large programs, the proposed method finds 58.06x, 6.46x, and 98.92% more unique bugs and achieves 2.27x, 92.01%, and 27.21% more coverage than AFL, AFLFast, and MOPT-AFL, respectively.