Unlock the Potential of General-purpose Fuzzing: An Optimization Approach


Speaker

Dongdong SHE, HKUST

Time

2024-09-29 13:30:00 ~ 2024-09-29 14:30:00

Location

Room 3-220A, SEIEE Building (电信群楼), Shanghai Jiao Tong University

Host

郁昱

Abstract

Based on the application domains, fuzzing can be categorized into general-purpose fuzzing (i.e., testing all kinds of software) and domain-specific fuzzing (e.g., testing a specific type of software). AFL havoc mode/AFL++ is the most powerful general-purpose fuzzer, and it has been used in the Google OSS-Fuzz project to harvest tons of bugs. Despite the significant advancement of fuzzing research, general-purpose fuzzing still relies on random strategies and human-written heuristics. In this talk, we show that by formulating general-purpose fuzzing as an online stochastic control problem, a combination of lightweight optimization algorithms can significantly boost its performance. We present FOX, a novel general-purpose fuzzer that can beat the strongest mode of AFL++ (with CMPLOG and fuzzing dictionary) by up to 26.45% on standalone programs and 6.59% on FuzzBench programs.


Bio

Dongdong She is an assistant professor at the Hong Kong University of Science and Technology, CSE department. He obtained his PhD from the CS department at Columbia University. Before Columbia, he earned his M.S. from UC Riverside and B.S. from Huazhong University of Science and Technology. He is broadly interested in security and machine learning. He is particularly interested in applying data-driven approaches (e.g., LLM, optimization) to solve traditional security problems (e.g., vulnerability detection, software testing, program analysis).
 
Hiring: Multiple PhD positions are available; send me an email at dongdong@cse.ust.hk if you are interested.


© John Hopcroft Center for Computer Science, Shanghai Jiao Tong University
Address: Expert Building, Software Building, Shanghai Jiao Tong University, 800 Dongchuan Road, Shanghai
Email: jhc@sjtu.edu.cn Tel: 021-54740299
Postal code: 200240