MSFuzz: Directed Greybox Fuzzing Using Multi-Target Sensitivity-Based Energy Scheduling

Directed Greybox Fuzzing DGF effectively targets specific program locations for bug discovery, but existing tools face challenges in multi-target directed fuzzing due to static stage division and coarse energy scheduling. Key challenges include global optimization biases that overlook lower-priority targets, inadequate prioritization of seeds that reach multiple targets, and inflexible exploration-exploitation stage allocation. This paper presents adaptive strategies to tackle these issues: a multi-target sensitivity-based energy scheduling approach that dynamically prioritizes seeds based on their target sensitivity, and a state-aware stage coordination strategy that balances exploration and exploitation using real-time fuzzing metrics to enable flexible stage transitions. We implemented these techniques in the tool MSFuzz, which optimizes resource allocation to avoid single-target bias and prevent inefficient stage durations. Evaluations on Magma, FuzzBench, and real-world programs show that MSFuzz outperforms state-of-the-art fuzzers like AFLGo, achieving 6.57× faster crash reproduction on Magma and 1.32× higher target-guided efficiency on FuzzBench. MSFuzz also discovered 27 unique crashes 13 CVEs in real-world programs.