Title: WindArms: More Efficient DGF Coverage-Guided Tracing
Authors: Yunheng Luo, Jianshan Peng, Jiahan Lin
DOI: 10.1109/ICCT56141.2022.10073335 (https://doi.org/10.1109/ICCT56141.2022.10073335)
Venue: 2022 IEEE 22nd International Conference on Communication Technology (ICCT)
Publication date: 2022-11-11
Citations: 0
Abstract
Directed Graybox Fuzzing is an enhanced fuzzing technique that is widely used in security testing of network communication protocols, desktop software, file systems, etc. It guides the execution flow of the program to the code area of the target site by constructing specific input data, and thereby tests that specific code area. It is usually used in scenarios such as patch testing, crash reproduction, and static analysis report verification. However, we found that the coverage-guided tracing used by existing Directed Graybox Fuzzing not only has high performance overhead but also has little value, because most test cases cannot discover new execution paths, and are even less likely to reach the target area. It makes little sense to trace the coverage of these test cases. To address this challenge, we propose a new coverage-guided tracing mechanism and implement it as a prototype, WindArms. It only traces the coverage of test cases that can discover new execution paths or reach the target area, which reduces the performance overhead of meaningless coverage-guided tracing. Our evaluation shows that WindArms not only significantly improves the performance of Directed Graybox Fuzzing, but also can discover security vulnerabilities in real-world software.