Paper review - Full Speed Fuzzing Reducing Fuzz Overhead using Coverage-guided tracing
June 19, 2019
Summary
AFL or mutation fuzzers in general use seed file to mutate inputs and uses instrumentation to generate coverage (by figuring whether new inputs hit new code paths).
Binary tracing takes a huge overhead for mutation fuzzer, how to improve this? Hybrid fuzzer = Mutation fuzzer + Symbolic execution
Interest oracle is added to code paths, and as fuzzing runs these oracles are removed. This marker can run fuzzing with inputs which trigger new code paths.
Strong Points
Unlike other papers which had new bugs found as a primary metric for evaluation, this paper focuses on performance improvement.
Idea simple and elegant.
Weak Points
Section 8 discussion A depends on results of kAFL paper to justify thay Intel IPT doesnt make redundant their work, which seems forced.
Interrupts need to be put after every code block. What happens when code block is 1 byte long and interrupt 2 bytes long?
Improvement
More work can be done comparing H/W fuzzing (like Intel IPT) with UnTracer.
More CVEs / CVEs found faster?
Different coverage metrics to include states (state coverage)? Useful to find bugs which rely on a specific state being executed in a program
PerfScope - identifies syscall sequences which result in bugs, useful for identifying malicious states which could call bad syscall sequences.