
Intelligent Selection of Code Generation, Mutation and Seed Selection with Multi-Armed Bandit

Open DeamonSpawn opened this issue 3 years ago • 3 comments

Coverage-based guidance mechanism for code generation, mutation, and seed selection tasks to optimize coverage growth. Utilizes the Multi-Armed Bandit Algorithms to navigate the search spaces for selection of tasks.

Addressing issue #172 .

Thesis with design and implementation: Intelligent Code Generation/Mutation to aid fuzzing of JavaScript engines

DeamonSpawn, Jun 11 '22 14:06
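To make the mechanism in the PR description concrete, here is a small standalone simulation of coverage-guided multi-armed-bandit task selection. It is added example code, not code from this PR, from the linked thesis, or from Fuzzilli (which is written in Swift); it uses Python so that it runs on its own. The arm names (`splice`, `insert_op`, `codegen`), the per-arm hit rates, the size of the edge universe and the choice of UCB1 as the bandit policy are all assumptions made for the example; the page does not say which bandit algorithm the PR implements.

```python
"""Coverage-guided multi-armed-bandit (MAB) task selection, simulated.

Added example, not Fuzzilli code.  Each "arm" stands in for one task the
thread discusses (a mutator, a code generator, or a corpus seed).  The reward
for pulling an arm is the number of previously unseen coverage edges the
resulting program reached, so the bandit steers effort toward whichever task
is currently growing coverage, while still exploring the others.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Arm:
    name: str
    pulls: int = 0
    total_reward: float = 0.0

    @property
    def mean(self) -> float:
        return self.total_reward / self.pulls if self.pulls else 0.0


class UCB1Selector:
    """UCB1 policy (assumed for this example): pick the arm with the highest
    empirical mean reward plus an exploration bonus that shrinks as the arm
    is pulled more often."""

    def __init__(self, names, c: float = math.sqrt(2)):
        self.arms = [Arm(n) for n in names]
        self.c = c
        self.rounds = 0

    def select(self) -> Arm:
        # Try every arm once before the confidence bound means anything.
        for arm in self.arms:
            if arm.pulls == 0:
                return arm
        log_t = math.log(self.rounds)
        return max(self.arms,
                   key=lambda a: a.mean + self.c * math.sqrt(log_t / a.pulls))

    def update(self, arm: Arm, reward: float) -> None:
        arm.pulls += 1
        arm.total_reward += reward
        self.rounds += 1


class SimulatedTarget:
    """Constructed stand-in for a JS engine under test: a fixed universe of
    coverage edges and, per arm, the odds that one fuzz iteration lands on an
    edge.  Rewards shrink as coverage saturates, which models the convergence
    of coverage growth that the thread reports after long runs."""

    TRIALS_PER_PROGRAM = 3  # each generated program touches a few candidate edges

    def __init__(self, hit_rates, n_edges: int = 2000, seed: int = 0):
        self.hit_rates = hit_rates      # arm name -> probability of hitting an edge
        self.n_edges = n_edges
        self.covered = set()
        self.rng = random.Random(seed)  # seeded so the run is reproducible

    def run(self, arm_name: str) -> float:
        """Execute one program built with the given arm; return the reward,
        i.e. newly covered edges normalised to [0, 1] for UCB1."""
        new = 0
        for _ in range(self.TRIALS_PER_PROGRAM):
            if self.rng.random() < self.hit_rates[arm_name]:
                edge = self.rng.randrange(self.n_edges)
                if edge not in self.covered:
                    self.covered.add(edge)
                    new += 1
        return new / self.TRIALS_PER_PROGRAM


def fuzz(rounds: int = 1500, seed: int = 0):
    """Run the bandit-driven loop and return (selector, target) for inspection."""
    # Assumed hit rates: 'codegen' is the productive task in this toy target.
    rates = {"splice": 0.02, "insert_op": 0.10, "codegen": 0.50}
    target = SimulatedTarget(rates, seed=seed)
    selector = UCB1Selector(rates)
    for _ in range(rounds):
        arm = selector.select()
        selector.update(arm, target.run(arm.name))
    return selector, target


if __name__ == "__main__":
    sel, tgt = fuzz()
    for arm in sel.arms:
        print(f"{arm.name:10s} pulls={arm.pulls:5d} mean_reward={arm.mean:.3f}")
    print(f"coverage: {len(tgt.covered)}/{tgt.n_edges} edges")
```

Running it shows the productive arm receiving the bulk of the pulls while the two weaker arms keep being sampled at a decreasing rate. Note the caveat this makes visible: once coverage saturates, every arm's reward drops to zero, so the bandit's running means go stale and it drifts back toward near-uniform exploration. That is the convergence behaviour the thread describes, and a real implementation would have to decide whether to reset or window the statistics at that point.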

To answer your first question, I have performed tests for a single node setup of Fuzzilli without any distributed instances (no master-worker network or threading nodes) and no compiled/imported seeds used in the corpus. The tests were evaluated over 24 hours. I have conducted tests with the MAB implementation against instances with the basic (default) corpus and the Markov corpus respectively. These tests include MAB Code Gen\Mutator and MAB Corpus with their combined and individual contributions.

Summary Observations: The performance of each baseline instance (Basic and Markov) and MAB implementation (MAB Code Gen\Mutator and MAB Corpus) eventually converges after a period of 24 hours to the same rate of coverage discovery. In the isolated evaluation of MAB Code Gen\Mutator, the instance is found to reach the convergence point faster than Basic and Markov. In the isolated evaluation of MAB Corpus, the performance against baseline instances shows a faster coverage growth rate with higher coverage discovered in early time intervals before convergence. With the combined performance of MAB CodeGen\Mutator and MAB Corpus, the higher coverage growth rate and convergence rate show an improved exploration of the corpus search space, reducing the time taken for coverage discovery.

I am waiting on the assessment of my Masters thesis before I upload my report with details to my implementation.

Networked nodes have been tested locally and are very much capable of operating with MAB Corpus. However, stats have not been collected for distributed nodes over 24 hours.

DeamonSpawn, Jul 07 '22 16:07

Regarding the split of the PR. I can create the following 5 PRs:

  • Separation of Code Generation and Splicing (#346)
  • MAB for Mutator selection only (#348)
  • MAB for Code Generator selection in combination with Mutator selection
  • Changes in Corpus Protocol to allow compiled seeds
  • MAB Corpus implementation

DeamonSpawn, Jul 07 '22 16:07

I have updated the original comment with the link to my thesis.

DeamonSpawn, Jul 13 '22 12:07