Haochen Jin, Liwei Zheng, Zhanqi Cui
Fuzz testing automatically generates and executes test cases in order to detect more defects by covering more of the logical and state space of the program under test (PUT). However, as the size and code complexity of the PUT grow, testing it adequately becomes harder. Studies have shown that complex code is more likely to contain defects, and loops are one of the main sources of code complexity. It is therefore necessary to test loops thoroughly, but existing fuzzers cannot focus on the loops of the PUT. To address this issue, we design a loop interval coverage metric that measures how adequately a loop has been tested. In addition, we propose a greybox fuzz testing approach named AFL2oop (AFL for Loop), which uses loop coverage as guidance. First, we analyze the loops of the PUT and expand the bitmap. Then, fuzz testing is guided by both loop interval coverage and branch coverage. A prototype tool is implemented based on the proposed method, and experiments are carried out on four real-world software programs, including LibXml2 and LibMing. The results show that AFL2oop achieves higher coverage, triggers more crashes, and reproduces defects faster than AFL and FairFuzz.
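To make the idea of the abstract concrete, the following is an added example (not code from the paper or its prototype tool): a toy model of a coverage bitmap that is "expanded" with per-loop entries, and a corpus-selection step that compares plain branch (edge) coverage against branch coverage plus loop interval coverage. The interval scheme (power-of-two buckets of the iteration count), the hand-instrumented PUT, and the constructed sample inputs are all assumptions made for illustration, not details taken from the page.

```python
"""Toy model of loop-interval-guided corpus selection versus plain branch coverage."""
from typing import Dict, List, Set, Tuple

# Assumed interval scheme (not from the page): loop iteration counts are bucketed
# into power-of-two intervals, similar to how AFL buckets edge hit counts.
INTERVALS: List[Tuple[int, int]] = [
    (0, 0), (1, 1), (2, 3), (4, 7), (8, 15), (16, 31), (32, 127), (128, 1 << 31),
]


def interval_of(iterations: int) -> int:
    """Map an iteration count to the index of the interval it falls into."""
    for idx, (lo, hi) in enumerate(INTERVALS):
        if lo <= iterations <= hi:
            return idx
    return len(INTERVALS) - 1


class Trace:
    """Coverage recorded by one execution: branch edges plus loop intervals.

    The two sets together play the role of the "expanded bitmap": the usual
    edge entries plus one extra entry per (loop, interval) pair.
    """

    def __init__(self) -> None:
        self.edges: Set[Tuple[str, str]] = set()
        self.loop_intervals: Set[Tuple[str, int]] = set()
        self._iters: Dict[str, int] = {}

    def edge(self, src: str, dst: str) -> None:
        self.edges.add((src, dst))

    def loop_iter(self, loop_id: str) -> None:
        self._iters[loop_id] = self._iters.get(loop_id, 0) + 1

    def loop_exit(self, loop_id: str) -> None:
        # On leaving the loop, record which interval its iteration count hit.
        self.loop_intervals.add((loop_id, interval_of(self._iters.get(loop_id, 0))))


def put(data: bytes, trace: Trace) -> int:
    """Constructed PUT: consumes a run of leading ASCII digits, one loop iteration each.

    Instrumented by hand; a real fuzzer would insert these calls at compile time.
    """
    i = 0
    trace.edge("entry", "head")
    while i < len(data) and 0x30 <= data[i] <= 0x39:
        trace.edge("head", "body")
        trace.loop_iter("digit_loop")
        i += 1
    trace.edge("head", "exit")
    trace.loop_exit("digit_loop")
    return i


def run(data: bytes) -> Trace:
    trace = Trace()
    put(data, trace)
    return trace


def select_corpus(inputs: List[bytes], use_loop_coverage: bool) -> List[bytes]:
    """Keep an input only if it reaches a bitmap entry no earlier input reached."""
    seen_edges: Set[Tuple[str, str]] = set()
    seen_loops: Set[Tuple[str, int]] = set()
    kept: List[bytes] = []
    for data in inputs:
        trace = run(data)
        is_new = bool(trace.edges - seen_edges)
        if use_loop_coverage:
            is_new = is_new or bool(trace.loop_intervals - seen_loops)
        if is_new:
            kept.append(data)
            seen_edges |= trace.edges
            seen_loops |= trace.loop_intervals
    return kept


# Constructed sample inputs: no digits, then 1, 2, 7 and 40 loop iterations.
SAMPLE_INPUTS: List[bytes] = [b"x", b"7", b"42", b"1234567", b"9" * 40]

if __name__ == "__main__":
    print("branch-only corpus :", select_corpus(SAMPLE_INPUTS, use_loop_coverage=False))
    print("branch+loop corpus :", select_corpus(SAMPLE_INPUTS, use_loop_coverage=True))
```

With plain edge coverage the selection saturates after two inputs (one that skips the loop and one that enters it), because every further input exercises the same three edges. With the loop interval entries added to the bitmap, inputs that drive the loop through 2, 7 and 40 iterations each land in a new interval and are retained, which is the kind of signal the abstract describes using to steer the fuzzer toward loop-heavy code.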
Haochen Jin, Zhanqi Cui, Ruichen Zhang, Xiang Chen, Rongcun Wang, Xiulei Liu
Sanaz Sheikhi, Edward Kim, Parasara Sridhar Duggirala, Stanley Bak
J. Tao, Chao Hong, Yun Fu, Yiwei Yang, Lipeng Wei, Zhihong Liang, Junrong Liu