… inputs that can explore these rare paths using path-guided concolic execution. We provide
… we guide fuzzers using our rare path analysis based on intra-paths, inter-paths and II-paths. …

… -guided fuzzers generally use the the number of basic blocks or edges explored to measure
code coverage. Path-… new mutation inputs that can hit a given rare branch. Choi et al.[15] …

… to guide fuzzing. American Fuzzy Lop (AFL) is one of the most famous CGF fuzzers and has
… and a seed schedule which prioritizes test cases executing rare paths. Lemieux et al. [17] …

… , no fuzzers that we are aware of track coverage at path granularity, however, we can imagine
future approaches leveraging Intel Processor Trace’s [35] ability to make tracking path … rare …

… guide fuzzing are crucial to coverage-guided fuzzers. However, tracking full and accurate path
… Sen, “FairFuzz: Targeting rare branches to rapidly increase greybox fuzz testing coverage,…

… testers [25], they use limited feedback from the program under test to guide their fuzzing …
Since AFLFast’s emphasis on rare paths is similar to our emphasis on rare branches, we will …

… In this paper, we present SAFL 1 , an efficient fuzzing testing … thus the later fuzzing process
can reach deep paths in program … It helps the fuzzing process to exercise rare and deep paths …

… In such (rare) cases, the bytes having been mutated are more likely to be related to a validation
… developed in this paper could advance the coverage-guided greybox fuzzing domain. …

… To evaluate our techniques for rare path-guided fuzzing we … in experimental evaluation of
existing fuzzing techniques. inih (… we guide fuzzers using our rare path analysis based on intra-…

… empt and terminate the fuzzing of paths that will never reach … guided fuzzing has long remained
coverage-guided fuzzing [… ] ensures that re-analysis is a rare event in practice—and thus …