RLTG: Multi-targets directed greybox fuzzing

Directed greybox fuzzing guides fuzzers to explore specific objective code areas and has achieved good performance in some scenarios such as patch testing. However, if there are multiple objective code to explore, existing directed greybox fuzzers, such as AFLGo and Hawkeye, often neglect some targets because they use harmonic means of distance and prefers to test those targets with shorter reachable path. Besides, existing directed greybox fuzzers cannot calculate the accurate distance due to indirect calls in the program. In addition, existing directed greybox fuzzers fail to address the exploration and exploitation problem and have poor efficiency in seed scheduling. To address these problems, we propose a dynamic seed distance calculation scheme, it increase the seed distance dynamically when the reachable path encounter indirect call. Besides, the seed distance calculation can deal with the bias problem in multi-targets scenarios. With the seed distance calculation method, we propose a new seed scheduling algorithm based on the upper confidence bound algorithm to deal with the exploration and exploitation problem in drected greybox fuzzing. We implemented a prototype RLTG and evaluate it on real-world programs. Evaluation of our prototype shows that our approach outperforms a state-of-the-art directed fuzzer AFLGo. On the multi-targets benchmark Magma, RLTG reproduces bugs with 6.9x speedup and finds 66.7% more bugs than AFLGo.