TY - GEN
T1 - Performant Binary Fuzzing without Source Code using Static Instrumentation
AU - Pauley, Eric
AU - Tan, Gang
AU - Zhang, Danfeng
AU - McDaniel, Patrick
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
N2 - Advancements in fuzz testing have achieved the ability to quickly and comprehensively find security-critical faults in software systems. Yet, some of these techniques rely on access to source code, which is often unavailable in practice. In this paper, we explore techniques to replicate the depth and efficiency of source-available fuzzers via static binary instrumentation. Developing such instrumentation is difficult because compilation is a lossy process, and much of the source-level semantics leveraged by these techniques are not available in binaries. We recover much of this information via heuristic control flow reconstruction, a shadow stack for function identification, and a novel technique for instrumenting comparison instructions. We evaluate RWFUZZ on the LAVA-M dataset, achieving the same effectiveness as a best-in-class source-available fuzzer with a 3.4× execution time overhead (lower than existing dynamic fuzzing approaches). In this way, we show that techniques for binary fuzzing may approach the functional ability of source-available fuzzing.
UR - http://www.scopus.com/inward/record.url?scp=85143416769&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85143416769&partnerID=8YFLogxK
U2 - 10.1109/CNS56114.2022.9947273
DO - 10.1109/CNS56114.2022.9947273
M3 - Conference contribution
AN - SCOPUS:85143416769
T3 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
SP - 226
EP - 235
BT - 2022 IEEE Conference on Communications and Network Security, CNS 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
Y2 - 3 October 2022 through 5 October 2022
ER -