In Agile and Lean software development practices, ensuring the correctness and security of software is paramount. The quality of software depends on how effectively vulnerabilities are identified before it is deployed to production. Fuzz testing, an automated software testing technique, plays a pivotal role in uncovering crashes, bugs, and security vulnerabilities. Fuzz testing feeds malformed and unexpected inputs to the software under test to provoke faults; often these inputs cause the program to crash, and the crashing inputs are then analyzed by the fuzzing tool. However, existing fuzzers have a limitation: once an input triggers the first target (a crashing bug) on an execution path, the run aborts there, so any target further along that path is masked and is never reported. In our work, we address this limitation by continuing to explore for further targets after the initial detection, thereby unveiling previously masked vulnerabilities. This paper aligns with Agile and Lean principles and aims to identify previously concealed targets within the program under test. We introduce UMask-AFL, a tool that integrates features of AFL (American Fuzzy Lop) and Crash Triage, and we use our own dataset for the experiments. This combination of techniques allows us to uncover latent vulnerabilities effectively. Our experiments involved 51 C programs into which we injected a total of 1696 targets. AFL detected only 341 unique targets, whereas UMask-AFL identified 960 unique targets. This substantial improvement aligns with the Agile and Lean philosophy of continuous improvement in software quality and security.
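The masking effect described above, as an added illustration that is not the paper's code and not UMask-AFL's implementation: a small C program with three hypothetical injected targets on one path. In the "crash" mode each target aborts the run the way a real memory-safety bug would (simulated here with longjmp rather than a genuine fault), so a corpus whose inputs all hit target 0 never reveals targets 1 and 2. In the "unmask" mode a target hit is recorded and execution continues, so the same corpus exposes all three. The input bytes, the target checks and the corpus are constructed for the example.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

static jmp_buf crash_env;
static int unmask_mode;   /* 0: a target aborts the run; 1: record the hit and continue */
static unsigned hit_mask; /* bit i is set once target i has been reached in this run */

/* Hypothetical injected target. In a real benchmark this would be a planted
 * memory error; here reaching it either "crashes" (longjmp) or is recorded. */
static void target(int id)
{
    hit_mask |= 1u << id;
    if (!unmask_mode)
        longjmp(crash_env, id + 1); /* simulate the process dying at this target */
}

/* Constructed program under test: three targets along a single path.
 * Target 1 and target 2 are only reachable if target 0 did not kill the run. */
static void program_under_test(const unsigned char *buf, size_t len)
{
    if (len < 4)
        return;
    if (buf[0] == 'A')
        target(0);
    if (buf[1] == 'B')
        target(1);
    if (buf[2] == 'C' && buf[3] == 'D')
        target(2);
}

/* Run one input. Returns the bitmask of targets reached; *crashed_at receives
 * the id of the target that aborted the run, or -1 if the run completed. */
unsigned run_input(const unsigned char *buf, size_t len, int unmask, int *crashed_at)
{
    unmask_mode = unmask;
    hit_mask = 0;
    *crashed_at = -1;
    int jv = setjmp(crash_env);
    if (jv == 0)
        program_under_test(buf, len);
    else
        *crashed_at = jv - 1;
    return hit_mask;
}

/* Replay a constructed corpus (inputs a fuzzer might have saved) and count the
 * distinct targets observed across all runs in the given mode. */
int count_unique_targets(int unmask)
{
    static const char *corpus[] = { "ABCD", "AXCD" }; /* both inputs hit target 0 first */
    unsigned seen = 0;
    for (size_t i = 0; i < sizeof corpus / sizeof corpus[0]; i++) {
        int crashed_at;
        seen |= run_input((const unsigned char *)corpus[i], strlen(corpus[i]),
                          unmask, &crashed_at);
    }
    int n = 0;
    for (unsigned m = seen; m; m >>= 1)
        n += (int)(m & 1u);
    return n;
}

int main(void)
{
    printf("crash mode : %d unique targets\n", count_unique_targets(0));
    printf("unmask mode: %d unique targets\n", count_unique_targets(1));
    return 0;
}
```

In crash mode the replay finds a single target, because every input dies at target 0 before the checks for targets 1 and 2 execute; in unmask mode the same two inputs reveal all three. This is the gap between the 341 targets AFL reported and the 960 UMask-AFL reported, in miniature: the extra targets were always on the explored paths, but each crash hid whatever lay beyond it.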
Godboley et al. studied this question.