PRNG

June 19, 2019

Summary

AFL, and mutation fuzzers in general, use seed files to mutate inputs and use instrumentation to generate coverage (by figuring out whether new inputs hit new code paths).

Binary tracing adds a huge overhead to a mutation fuzzer; how can this be improved? Hybrid fuzzer = mutation fuzzer + symbolic execution.

Interest oracles are added to code paths and are removed as fuzzing runs. This marker lets fuzzing identify the inputs which trigger new code paths.
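As an added illustration of the oracle scheme above (a constructed simulation, not the paper's code), the model below treats each basic block as an address whose first byte is overwritten with a one-byte int3 (0xCC) oracle; an input that traps on an oracle is traced once, and the oracles on every block it covered are removed, so repeated inputs run untraced. The CFG, addresses and predicates are made up for the example.

```python
# Constructed simulation of coverage-guided tracing (the UnTracer scheme the
# summary describes); not the paper's code. Basic blocks are modelled as
# addresses with an original first byte; an "interest oracle" is a one-byte
# int3 (0xCC) written over that first byte. Hitting an oracle means the input
# reached a never-seen block, so it is traced once and the oracle is removed.
INT3 = 0xCC
ENTRY = 0x1000

# Constructed control-flow graph: addr -> (original first byte, successors).
# Successors are (predicate over the input, next addr); None = unconditional.
CFG = {
    0x1000: (0x55, [(lambda d: d[:1] == b"A", 0x1010), (None, 0x1020)]),
    0x1010: (0x48, [(lambda d: d[1:2] == b"B", 0x1030), (None, 0x1040)]),
    0x1020: (0x31, [(None, 0x1040)]),
    0x1030: (0x89, [(None, 0x1040)]),
    0x1040: (0xC3, []),                         # exit block
}

class OracleBinary:
    def __init__(self, cfg):
        self.cfg = cfg
        self.text = {addr: INT3 for addr in cfg}   # every block starts patched
        self.covered = set()
        self.traced_runs = 0                    # expensive runs under the tracer
        self.fast_runs = 0                      # native-speed runs, no tracing

    def _walk(self, data, stop_at_oracle):
        """Execute the CFG model on data; return (path, trapped)."""
        addr, path = ENTRY, []
        while addr is not None:
            path.append(addr)
            if stop_at_oracle and self.text[addr] == INT3:
                return path, True               # SIGTRAP: interesting input
            addr = next((nxt for pred, nxt in self.cfg[addr][1]
                         if pred is None or pred(data)), None)
        return path, False

    def run(self, data):
        """One fuzzer iteration. Returns True if the input was interesting."""
        _, trapped = self._walk(data, stop_at_oracle=True)
        if not trapped:
            self.fast_runs += 1
            return False
        self.traced_runs += 1                   # re-run under the full tracer
        path, _ = self._walk(data, stop_at_oracle=False)
        for addr in path:                       # drop oracles on covered blocks
            self.text[addr] = self.cfg[addr][0]
        self.covered.update(path)
        return True

    def oracles_left(self):
        return sum(1 for byte in self.text.values() if byte == INT3)
```

Running the same inputs twice shows the cost model: only the first input to reach a new block pays for tracing.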

Strong Points

Unlike other papers, which use new bugs found as the primary evaluation metric, this paper focuses on performance improvement.

The idea is simple and elegant.

Weak Points

Section 8, discussion A, depends on the results of the kAFL paper to justify that Intel IPT doesn't make their work redundant, which seems forced.

Interrupts need to be put after every code block. What happens when a code block is 1 byte long and the interrupt is 2 bytes long?

Improvement

More work could be done comparing H/W fuzzing (like Intel IPT) with UnTracer.

More CVEs found, or CVEs found faster?

Different coverage metrics that include states (state coverage)? Useful for finding bugs which rely on a specific state being reached in a program.

PerfScope identifies syscall sequences which result in bugs; useful for identifying malicious states which could call bad syscall sequences.