JavaScript engines are widely used in web browsers, PDF readers, and server-side applications. The rise in concern over their security has led to the development of several targeted fuzzing techniques. However, existing approaches use random selection to determine where to perform mutations in JavaScript code. We postulate that the problem of selecting better mutation targets is suitable for combinatorial bandits with a volatile number of arms. Thus, we propose CLUTCH, a novel deep combinatorial bandit that can observe variable length JavaScript test case representations, using an attention mechanism from deep learning. Furthermore, using Concrete Dropout, CLUTCH can dynamically adapt its exploration. We show that CLUTCH increases efficiency in JavaScript fuzzing compared to three state-of-the-art solutions by increasing the number of valid test cases and coverage-per-testcase by, respectively, 20.3% and 8.9% on average. In volatile and combinatorial settings we show that CLUTCH outperforms state-of-the-art bandits, achieving at least 78.1% and 4.1% less regret in volatile and combinatorial settings, respectively.

翻译：JavaScript引擎广泛应用于网页浏览器、PDF阅读器及服务器端应用程序。对其安全性的日益关注催生了多种针对性模糊测试技术的发展。然而，现有方法通常采用随机选择来确定JavaScript代码中的变异位置。我们认为，选择更优变异目标的问题适合采用具有可变臂数的组合式赌博机模型。为此，我们提出CLUTCH——一种新型深度组合式赌博机，它能够通过深度学习中的注意力机制观察可变长度的JavaScript测试用例表示。此外，借助Concrete Dropout技术，CLUTCH能够动态调整其探索策略。实验表明，与三种先进解决方案相比，CLUTCH将有效测试用例数量和单测试用例覆盖率分别平均提升了20.3%和8.9%，从而显著提高了JavaScript模糊测试的效率。在动态变化和组合设置场景中，CLUTCH优于现有最先进的赌博机模型，其遗憾值在动态场景和组合场景中分别至少降低了78.1%和4.1%。