Windranger: A Directed Greybox Fuzzer driven by Deviation Basic Blocks

Zhengjie Du, Yuekang Li, Yang Liu, Bing Mao
DOI: 10.1145/3510003.3510197 (https://doi.org/10.1145/3510003.3510197)
Venue: 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE)
Publication date: 2022-05-01
Citations: 21

Abstract

Directed grey-box fuzzing (DGF) is a security testing technique that aims to steer the fuzzer towards predefined target sites in the program. To gain directedness, DGF prioritizes the seeds whose execution traces are closer to the target sites. Therefore, evaluating the distance between the execution trace of a seed and the target sites (i.e., the seed distance) is important for DGF. The first directed grey-box fuzzer, AFLGo, calculates basic-block-level distances during static analysis and accumulates the distances of the executed basic blocks to compute the seed distance. Following AFLGo, most of the existing state-of-the-art DGF techniques use all the basic blocks on the execution trace, and only control-flow information, for seed distance calculation. However, not every basic block is equally important: there are certain basic blocks at which the execution trace starts to deviate from the target sites (i.e., deviation basic blocks). In this paper, we propose a technique called Windranger which leverages deviation basic blocks to facilitate DGF. To identify the deviation basic blocks, Windranger applies both static reachability analysis and dynamic filtering. To conduct directed fuzzing, Windranger uses the deviation basic blocks and their related data-flow information for seed distance calculation, mutation, seed prioritization, and explore-exploit scheduling. We evaluated Windranger on 3 datasets consisting of 29 programs. The experiment results show that Windranger outperforms AFLGo, AFL, and FAIRFuzz by reaching the target sites 21%, 34%, and 37% faster and detecting the target crashes 44%, 66%, and 77% faster, respectively. Moreover, we found a zero-day vulnerability with a CVE ID assigned in ffmpeg (a popular multimedia library extensively fuzzed by OSS-Fuzz) with Windranger by supplying manually identified suspect locations as the target sites.
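The abstract describes two ideas that are easier to see on a concrete graph: the AFLGo-style seed distance accumulated over every executed basic block, and the deviation basic blocks at which a trace leaves the path to the target sites. The following Python script is an added illustration written for this page; it is not code from the paper or from the Windranger implementation. It assumes a toy control-flow graph and three execution traces constructed here, uses plain shortest-path hop count to the nearest target in place of AFLGo's actual distance metric, and models a deviation basic block as a block that can still reach a target (static reachability) from which the trace actually took an edge into target-unreachable code (dynamic filtering). Windranger's data-flow features and its mutation and scheduling logic are not modelled.

```python
# Added illustration (not the paper's or Windranger's code): seed distance from
# basic-block distances, and deviation basic blocks found by static reachability
# plus dynamic filtering, on a constructed toy control-flow graph.
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed toy CFG: basic block -> successor blocks. "target" is the target site.
CFG: Dict[str, List[str]] = {
    "entry":        ["check_magic"],
    "check_magic":  ["parse_header", "reject"],   # bad magic bytes -> reject
    "parse_header": ["parse_chunk", "bail"],      # bad header -> bail
    "parse_chunk":  ["target", "skip_chunk"],     # interesting chunk -> target
    "skip_chunk":   ["parse_chunk", "done"],      # loop over chunks, or finish
    "target":       ["done"],
    "reject":       ["exit"],
    "bail":         ["exit"],
    "done":         ["exit"],
    "exit":         [],
}
TARGETS: Set[str] = {"target"}

# Constructed execution traces (block sequences) of three seeds.
TRACE_REJECT = ["entry", "check_magic", "reject", "exit"]
TRACE_BAIL = ["entry", "check_magic", "parse_header", "bail", "exit"]
TRACE_LOOP = (["entry", "check_magic", "parse_header"]
              + ["parse_chunk", "skip_chunk"] * 5 + ["done", "exit"])


def block_distances(cfg, targets) -> Dict[str, Optional[int]]:
    """Static analysis step: shortest CFG path length from each block to the nearest
    target (BFS over reversed edges). None means no path to any target exists.
    Assumption: plain hop count stands in for AFLGo's actual distance metric."""
    preds: Dict[str, List[str]] = {b: [] for b in cfg}
    for b, succs in cfg.items():
        for s in succs:
            preds[s].append(b)
    dist: Dict[str, Optional[int]] = {b: None for b in cfg}
    queue = deque()
    for t in targets:
        dist[t] = 0
        queue.append(t)
    while queue:
        b = queue.popleft()
        for p in preds[b]:
            if dist[p] is None:
                dist[p] = dist[b] + 1
                queue.append(p)
    return dist


def seed_distance_all_blocks(trace, dist) -> float:
    """AFLGo-style seed distance: mean static distance over every executed block
    that can reach a target. Extra loop iterations dilute this value."""
    ds = [dist[b] for b in trace if dist[b] is not None]
    return sum(ds) / len(ds) if ds else float("inf")


def static_candidates(cfg, dist, targets) -> Set[str]:
    """Static reachability filter: blocks that can reach a target but have at least
    one successor that cannot, i.e. places where a trace may deviate."""
    return {b for b, succs in cfg.items()
            if b not in targets and dist[b] is not None
            and any(dist[s] is None for s in succs)}


def deviation_blocks(trace, cfg, dist, candidates) -> List[str]:
    """Dynamic filter: keep the candidates where this trace actually took the edge
    into target-unreachable code (simplified model of a deviation basic block)."""
    out = []
    for cur, nxt in zip(trace, trace[1:]):
        if cur in candidates and nxt in cfg[cur] and dist[nxt] is None:
            out.append(cur)
    return out


def seed_distance_deviation(trace, cfg, dist, candidates) -> float:
    """Seed distance from the deviation blocks only (control-flow part; the paper's
    data-flow information is not modelled). A trace that hits a target scores 0."""
    if any(dist[b] == 0 for b in trace):
        return 0.0
    dbbs = deviation_blocks(trace, cfg, dist, candidates)
    return sum(dist[b] for b in dbbs) / len(dbbs) if dbbs else float("inf")


def prioritize(seeds: Dict[str, List[str]]) -> List[str]:
    """Order seed names by deviation-based distance, closest to the targets first."""
    dist = block_distances(CFG, TARGETS)
    cands = static_candidates(CFG, dist, TARGETS)
    return sorted(seeds, key=lambda n: seed_distance_deviation(seeds[n], CFG, dist, cands))


if __name__ == "__main__":
    d = block_distances(CFG, TARGETS)
    c = static_candidates(CFG, d, TARGETS)
    for name, tr in [("reject", TRACE_REJECT), ("bail", TRACE_BAIL), ("loop", TRACE_LOOP)]:
        print(name, "all-blocks:", round(seed_distance_all_blocks(tr, d), 3),
              "deviation at:", deviation_blocks(tr, CFG, d, c),
              "deviation distance:", seed_distance_deviation(tr, CFG, d, c))
```

Running the script shows the effect the abstract points at: the seed that loops five times over `skip_chunk` gets the smallest all-blocks distance simply because it executed many near-target blocks, even though it deviates at the same single point (`skip_chunk`) as a seed that loops once; the deviation-based distance ignores the repeated blocks and ranks by where the trace actually left the path to the target.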