2021-06-27
Fuzzing: can’t understand the concept of lookahead analysis?
Hi,
I am reading the paper at: https://arxiv.org/abs/1905.07147 (Targeted greybox fuzzing with lookahead analysis)
I am trying to understand lookahead analysis on page 4 out of 12. According to the paper:
Power schedule. The no-target-ahead prefixes computed by the lookahead analysis are used to control the fuzzer’s power schedule [15], which assigns more energy to certain inputs according to two criteria.

First, it assigns more energy to inputs that exercise a rare (i.e., rarely explored) no-target-ahead prefix. The intuition is to fuzz these inputs more in order to increase the chances of flipping a branch along the rare prefix, and thereby, reaching a target location.

Note that flipping a branch in a suffix path can never lead to a target location. For this reason, our power schedule no longer distinguishes inputs based on the program path they exercise, but rather based on their no-target-ahead prefix. To maximize the chances of discovering a target location with fuzzing, the lookahead analysis tries to identify the shortest no-target-ahead prefixes, which are shared by the most suffix paths.
I can’t understand how this approach can easily reach line 22 of Figure 2 of the paper.
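The quoted passage becomes clearer when the two pieces are run on a small control-flow graph: first compute which blocks still have a target "ahead" (reverse reachability from the targets), cut each executed path at the first block with no target ahead to get its no-target-ahead prefix, then give seeds with a rarely seen prefix more energy. The code below is an added illustration written for this question, not the paper's implementation; the CFG, the seed paths and the simple inverse-frequency energy rule are constructed assumptions.

```python
from collections import Counter

# Constructed example CFG (not from the paper): basic block -> successor blocks.
# Only block "d" leads to the target; "b" and "c" can never reach it.
CFG = {
    "entry": ["a", "b"],
    "a": ["c", "d"],
    "b": ["exit"],
    "c": ["exit"],
    "d": ["target"],
    "target": ["exit"],
    "exit": [],
}
TARGETS = {"target"}

# Constructed seed executions (one block sequence per seed input).
SEEDS = [
    ["entry", "a", "c", "exit"],           # common prefix, target missed at "c"
    ["entry", "a", "c", "exit"],           # same prefix again
    ["entry", "b", "exit"],                # target unreachable from "b"
    ["entry", "a", "d", "target", "exit"], # reaches the target
]

def target_ahead(cfg, targets):
    """Blocks from which some target is still reachable (reverse reachability)."""
    preds = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    ahead, work = set(targets), list(targets)
    while work:
        for p in preds[work.pop()]:
            if p not in ahead:
                ahead.add(p)
                work.append(p)
    return ahead

def no_target_ahead_prefix(path, ahead):
    """Cut the path at the first block with no target ahead (the split point).
    Flipping a branch after that point cannot reach a target, so the suffix
    is irrelevant for targeted fuzzing and is dropped."""
    for i, blk in enumerate(path):
        if blk not in ahead:
            return tuple(path[: i + 1])
    return tuple(path)

def assign_energy(paths, cfg, targets, base=1.0):
    """Assumed energy rule: base energy divided by how often a seed's
    no-target-ahead prefix has been seen, so rare prefixes get more energy."""
    ahead = target_ahead(cfg, targets)
    prefixes = [no_target_ahead_prefix(p, ahead) for p in paths]
    freq = Counter(prefixes)
    return [(pre, base / freq[pre]) for pre in prefixes]
```

With these seeds, the two executions through "c" share the prefix (entry, a, c) and each gets half the energy of the seed through "b"; flipping the branch at "a" on that rare-or-not prefix is what could lead to "d" and the target.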
