{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T15:21:47Z","timestamp":1770996107964,"version":"3.50.1"},"reference-count":37,"publisher":"Association for Computing Machinery (ACM)","issue":"3","funder":[{"name":"Hunan Provincial Key Laboratory of Intelligent and Parallel Analysis for Software Security"},{"name":"science and technology innovation Program of Hunan Province","award":["2024RC3136"],"award-info":[{"award-number":["2024RC3136"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation China","doi-asserted-by":"crossref","award":["62272472, U22B2005, 62306328"],"award-info":[{"award-number":["62272472, U22B2005, 62306328"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"National Key Research and Development Program of China","award":["2021YFB0300101"],"award-info":[{"award-number":["2021YFB0300101"]}]},{"name":"National University of Defense Technology Research Project","award":["ZK23-14"],"award-info":[{"award-number":["ZK23-14"]}]},{"DOI":"10.13039\/501100004761","name":"HUNAN Province Natural Science Foundation","doi-asserted-by":"crossref","award":["2021JJ40692"],"award-info":[{"award-number":["2021JJ40692"]}],"id":[{"id":"10.13039\/501100004761","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Research Project of Key Laboratory of the State Administration of Science, Technology and Industry for National Defense","award":["WDZC20245250105"],"award-info":[{"award-number":["WDZC20245250105"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2026,3,31]]},"abstract":"<jats:p>\n                    Directed Grey-Box Fuzzing (DGF) can improve bug exposure efficiency by stressing bug-prone areas. Recent studies have modeled DGF as the problem of finding and optimizing paths to reach target sites. However, they still face the \u201c\n                    <jats:italic toggle=\"yes\">multi-path<\/jats:italic>\n                    \u201d challenge. When a target site is reachable by multiple paths, it is crucial to comprehensively evaluate and effectively select these paths, as this affects the fuzzer\u2019s choice between reaching target sites via optimal paths and enhancing path diversity toward targets to expose hidden bugs in non-optimal paths. In this article, we propose MultiGo, a directed hybrid fuzzer designed for multi-path optimization. First, we propose a new fitness metric called\n                    <jats:italic toggle=\"yes\">path difficulty<\/jats:italic>\n                    to comprehensively evaluate the promising paths. This metric uses the Poisson distribution to estimate the probability of exploring basic blocks along execution paths based on statistical block frequency, distinguishing between optimal and challenging paths. With path difficulty as a key factor, a customized\n                    <jats:italic toggle=\"yes\">Contextual Multi-Armed Bandit<\/jats:italic>\n                    (CMAB) model is employed to efficiently optimize path scheduling by comprehensively considering the impact of testing conditions on path scheduling. We introduce the concept of the\n                    <jats:italic toggle=\"yes\">fuzzing context<\/jats:italic>\n                    to represent and evaluate testing conditions, which encompass factors such as path characteristics (e.g., path difficulty), the testing agent (e.g., fuzzing or symbolic execution), and the testing goal (e.g., path exploitation or exploration). Then, the CMAB model predicts the expected rewards for scheduling paths under different testing agents and goals, thereby optimizing path scheduling. By leveraging the CMAB model, MultiGo enhances DGF\u2019s capability to explore easier paths and symbolic execution\u2019s capacity to handle more complex ones, enabling efficient target reaching through optimal paths while ensuring sufficient coverage of non-optimal paths. MultiGo is evaluated on 136 target sites of 41 real-world programs from 3 benchmarks. The experimental results show that MultiGo outperforms the state-of-the-art directed fuzzers (AFLGo, SelectFuzz, Beacon, WindRanger, and DAFL) and hybrid fuzzers (SymCC and SymGo) in reaching target sites and exposing known vulnerabilities. Moreover, MultiGo also discovered 14 undisclosed vulnerabilities.\n                  <\/jats:p>","DOI":"10.1145\/3735555","type":"journal-article","created":{"date-parts":[[2025,5,13]],"date-time":"2025-05-13T12:23:51Z","timestamp":1747139031000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Not All Paths Are Equal: Multi-path Optimization for Directed Hybrid Fuzzing"],"prefix":"10.1145","volume":"35","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-6880-9509","authenticated-orcid":false,"given":"Peihong","family":"Lin","sequence":"first","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3408-4153","authenticated-orcid":false,"given":"Pengfei","family":"Wang","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-8880-9295","authenticated-orcid":false,"given":"Xu","family":"Zhou","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-1667-4995","authenticated-orcid":false,"given":"Wei","family":"Xie","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7709-0751","authenticated-orcid":false,"given":"Gen","family":"Zhang","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2284-7897","authenticated-orcid":false,"given":"Kai","family":"Lu","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, Changsha, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,2,13]]},"reference":[{"key":"e_1_3_1_2_2","unstructured":"Kostya Serebryany Matt Morehouse and Adrian Herrera. 2023. Google\u2019s Fuzzer-Test-Suite. Retrieved from https:\/\/github.com\/google\/fuzzer-test-suite"},{"key":"e_1_3_1_3_2","unstructured":"Maxime Arthaud Thomas Bailleux Guillaume Brat Cl\u00e9ment Decoodt and Arnaud Hamon. 2023. IKOS. Retrieved from https:\/\/github.com\/NASA-SW-VnV\/ikos"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1137\/S0097539701398375"},{"key":"e_1_3_1_5_2","first-page":"2329","volume-title":"ACM SIGSAC Conference on Computer & Communications Security","author":"BoHme Marcel","year":"2017","unstructured":"Marcel BoHme, Van Thuan Pham, Manh Dung Nguyen, and Abhik Roychoudhury. 2017. Directed greybox fuzzing. In ACM SIGSAC Conference on Computer & Communications Security, 2329\u20132344."},{"key":"e_1_3_1_6_2","unstructured":"Marcel B\u00f6hme. 2023. Directed Greybox Fuzzing with AFL. Retrieved from https:\/\/github.com\/aflgo\/aflgo"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2785841"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00002"},{"key":"e_1_3_1_10_2","volume-title":"44st International Conference on Software Engineering (ICSE \u201922)","author":"Du Zhengjie","year":"2022","unstructured":"Zhengjie Du, Yuekang Li, Yang Liu, and Bing Mao. 2022. WindRanger: A directed greybox fuzzer driven by deviationbasic blocks. In 44st International Conference on Software Engineering (ICSE \u201922). ACM."},{"key":"e_1_3_1_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3597503.3623301"},{"key":"e_1_3_1_12_2","volume-title":"43rd IEEE Symposium on Security and Privacy (S&P \u201922)","author":"Huang Heqing","year":"2022","unstructured":"Heqing Huang, Yiyuan Guo, Qingkai Shi, Peisen Yao, Rongxin Wu, and Charles Zhang. 2022. Beacon: Directed grey-box fuzzing with provable path pruning. In 43rd IEEE Symposium on Security and Privacy (S&P \u201922)."},{"key":"e_1_3_1_13_2","first-page":"18","volume-title":"32nd USENIX Conference on Security Symposium (SEC \u201923)","author":"Tae Eun Kim","year":"2023","unstructured":"Tae Eun Kim, Jaeseung Choi, Kihong Heo, and Sang Kil Cha. 2023. DAFL: Directed grey-box fuzzing guided by data dependency. In 32nd USENIX Conference on Security Symposium (SEC \u201923). USENIX Association, Article 276, 18 pages."},{"key":"e_1_3_1_14_2","first-page":"1214","volume-title":"29th Conference on Learning Theory (COLT \u201916)JMLR Workshop and Conference Proceedings, Vol","volume":"49","author":"Lattimore Tor","year":"2016","unstructured":"Tor Lattimore. 2016. Regret analysis of the finite-horizon gittins index strategy for multi-armed bandits. In 29th Conference on Learning Theory (COLT \u201916). Vitaly Feldman, Alexander Rakhlin, and Ohad Shamir (Eds.), JMLR Workshop and Conference Proceedings, Vol. 49, JMLR.org, 1214\u20131245. Retrieved from http:\/\/proceedings.mlr.press\/v49\/lattimore16.html"},{"key":"e_1_3_1_15_2","first-page":"3559","volume-title":"30th USENIX Security Symposium (USENIX Security \u201921)","author":"Lee Gwangmu","year":"2021","unstructured":"Gwangmu Lee, Woochul Shim, and Byoungyoung Lee. 2021. Constraint-guided directed greybox fuzzing. In 30th USENIX Security Symposium (USENIX Security \u201921). USENIX Association, 3559\u20133576. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/lee-gwangmu"},{"key":"e_1_3_1_16_2","unstructured":"Penghui Li Wei Meng and Chao Zhang. 2024. SDFuzz: Target states driven directed fuzzing. In 33rd USENIX Security Symposium (USENIX Security \u201924). Davide Balzarotti and Wenyuan Xu (Eds.) USENIX Association. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/li-penghui"},{"key":"e_1_3_1_17_2","first-page":"2777","volume-title":"30th USENIX Security Symposium (USENIX Security \u201921)","author":"Li Yuwei","year":"2021","unstructured":"Yuwei Li, Shouling Ji, Yuan Chen, Sizhuang Liang, Wei-Han Lee, Yueyao Chen, Chenyang Lyu, Chunming Wu, Raheem Beyah, Peng Cheng, et al. 2021. UNIFUZZ: A holistic and pragmatic metrics-driven platform for evaluating fuzzers. In 30th USENIX Security Symposium (USENIX Security \u201921). USENIX Association, 2777\u20132794. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/li-yuwei"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054807"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2019.00044"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103851"},{"key":"e_1_3_1_21_2","volume-title":"Network and Distributed System Security (NDSS) Symposium 2024","author":"Lin Peihong","unstructured":"Peihong Lin, Pengfei Wang, Xu Zhou, Wei Xie, Gen Zhang, and Kai Lu. 2024. DeepGo: Predictive Directed Greybox Fuzzing. In Network and Distributed System Security (NDSS) Symposium 2024. The Internet Society. Retrieved from https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2024-514-paper.pdf"},{"key":"e_1_3_1_22_2","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Luo Changhua","year":"2023","unstructured":"Changhua Luo, Wei Meng, and Penghui Li. 2023. SelectFuzz: Efficient directed fuzzing with selective path exploration. In 2023 IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_3_1_23_2","first-page":"47","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID \u201920)","author":"Nguyen Manh-Dung","year":"2020","unstructured":"Manh-Dung Nguyen, S\u00e9bastien Bardin, Richard Bonichon, Roland Groz, and Matthieu Lemerre. 2020. Binary-level directed fuzzing for use-after-free vulnerabilities. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID \u201920). USENIX Association, 47\u201362. Retrieved from https:\/\/www.usenix.org\/conference\/raid2020\/presentation\/nguyen"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.18420\/se2019-16"},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2019.00066"},{"key":"e_1_3_1_26_2","first-page":"181","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Poeplau Sebastian","year":"2020","unstructured":"Sebastian Poeplau and Aur\u00e9lien Francillon. 2020. Symbolic execution with SymCC: Don\u2019t interpret, compile!. In 29th USENIX Security Symposium (USENIX Security \u201920). Srdjan Capkun and Franziska Roesner (Eds.), USENIX Association, 181\u2013198. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/poeplau"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560648"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833761"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380386"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180177"},{"key":"e_1_3_1_31_2","volume-title":"Network and Distributed System Security Symposium","author":"Wang Y.","year":"2020","unstructured":"Y. Wang, X. Jia, Y. Liu, K. Zeng, and P. Su. 2020. Not all coverage measurements are equal: Fuzzing by coverage accounting for input prioritization. In Network and Distributed System Security Symposium."},{"key":"e_1_3_1_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380396"},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598102"},{"key":"e_1_3_1_34_2","first-page":"2307","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Yue Tai","year":"2020","unstructured":"Tai Yue, Pengfei Wang, Yong Tang, Enze Wang, Bo Yu, Kai Lu, and Xu Zhou. 2020. EcoFuzz: Adaptive energy-saving greybox fuzzing as a variant of the adversarial multi-armed bandit. In 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association, 2307\u20132324. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/yue"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00040"},{"key":"e_1_3_1_36_2","volume-title":"26th Annual Network and Distributed System Security Symposium (NDSS \u201919)","author":"Zhao Lei","year":"2019","unstructured":"Lei Zhao, Yue Duan, Heng Yin, and Jifeng Xuan. 2019. Send hardest problems my way: Probabilistic path prioritization for hybrid fuzzing. In 26th Annual Network and Distributed System Security Symposium (NDSS \u201919). The Internet Society. Retrieved from https:\/\/www.ndss-symposium.org\/ndss-paper\/send-hardest-problems-my-way-probabilistic-path-prioritization-for-hybrid-fuzzing\/"},{"key":"e_1_3_1_37_2","first-page":"1343","volume-title":"32nd USENIX Security Symposium (USENIX Security \u201923)","author":"Zheng Han","year":"2023","unstructured":"Han Zheng, Jiayuan Zhang, Yuhang Huang, Zezhong Ren, He Wang, Chunjie Cao, Yuqing Zhang, Flavio Toffalini, and Mathias Payer. 2023. FISHFUZZ: Catch deeper bugs by throwing larger nets. In 32nd USENIX Security Symposium (USENIX Security \u201923). USENIX Association, Anaheim, CA, 1343\u20131360. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/zheng"},{"key":"e_1_3_1_38_2","first-page":"2255","volume-title":"29th USENIX Security Symposium (USENIX Security \u201920)","author":"Zong Peiyuan","year":"2020","unstructured":"Peiyuan Zong, Tao Lv, Dawei Wang, Zizhuang Deng, Ruigang Liang, and Kai Chen. 2020. FuzzGuard: Filtering out unreachable inputs in directed grey-box fuzzing through deep learning. In 29th USENIX Security Symposium (USENIX Security \u201920). USENIX Association, 2255\u20132269. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/zong"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3735555","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T14:37:08Z","timestamp":1770993428000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3735555"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,13]]},"references-count":37,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2026,3,31]]}},"alternative-id":["10.1145\/3735555"],"URL":"https:\/\/doi.org\/10.1145\/3735555","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,13]]},"assertion":[{"value":"2024-10-21","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-05-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-02-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}