Full-Speed Fuzzing: Reducing Fuzzing Overhead through Coverage-Guided Tracing

Stefan Nagy, Matthew Hicks
2019 IEEE Symposium on Security and Privacy (SP). DOI: 10.1109/SP.2019.00069 (https://doi.org/10.1109/SP.2019.00069)
Citation count: 95

Abstract

Coverage-guided fuzzing is one of the most successful approaches for discovering software bugs and security vulnerabilities. Of its three main components, (1) test case generation, (2) code coverage tracing, and (3) crash triage, code coverage tracing is a dominant source of overhead. Coverage-guided fuzzers trace every test case's code coverage through either static or dynamic binary instrumentation, or more recently, using hardware support. Unfortunately, tracing all test cases incurs significant performance penalties, even when the overwhelming majority of test cases and their coverage information are discarded because they do not increase code coverage. To eliminate needless tracing by coverage-guided fuzzers, we introduce the notion of coverage-guided tracing. Coverage-guided tracing leverages two observations: (1) only a fraction of generated test cases increase coverage, and thus require tracing; and (2) coverage-increasing test cases become less frequent over time. Coverage-guided tracing encodes the current frontier of coverage in the target binary so that it self-reports when a test case produces new coverage, without tracing. This acts as a filter for tracing, restricting the expense of tracing to only coverage-increasing test cases. Thus, coverage-guided tracing trades increased time handling coverage-increasing test cases for decreased time handling non-coverage-increasing test cases. To show the potential of coverage-guided tracing, we create an implementation based on the static binary instrumentor Dyninst called UnTracer. We evaluate UnTracer using eight real-world binaries commonly used by the fuzzing community. Experiments show that after only an hour of fuzzing, UnTracer's average overhead is below 1%, and after 24 hours of fuzzing, UnTracer approaches 0% overhead, while tracing every test case with popular white- and black-box binary tracers AFL-Clang, AFL-QEMU, and AFL-Dyninst incurs overheads of 36%, 612%, and 518%, respectively. We further integrate UnTracer with the state-of-the-art hybrid fuzzer QSYM and show that in 24 hours of fuzzing, QSYM-UnTracer executes 79% and 616% more test cases than QSYM-Clang and QSYM-QEMU, respectively.
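The abstract's mechanism (an oracle binary that halts the moment a never-covered block executes, a full trace only for those inputs, and then disarming the blocks that trace covered) is easy to misread as "cheaper tracing"; it is actually "no tracing at all for most inputs". The C program below is an added example written for this page, not code from the paper or from UnTracer. It simulates the whole loop in one process: the toy target, its block ids 0..7, the `block_entry` stub, the `armed[]` table and the eight-input campaign are all constructed for illustration, and `longjmp` stands in for the breakpoint that kills the oracle process in the real system.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS 8

/* Fuzzer-side state. armed[id] models the oracle's breakpoint at the entry
 * of block id: set means the block has never been covered, so reaching it
 * must halt the run and thereby report new coverage. */
static bool armed[NBLOCKS];
static bool trace_hits[NBLOCKS];   /* per-run coverage recorded in tracer mode */
static bool tracing;               /* false = oracle (fast) mode, true = tracer mode */
static jmp_buf halt_point;

/* Entry stub of every basic block. In oracle mode an armed block aborts the
 * run immediately (stand-in for an int3 that terminates the process); in
 * tracer mode every block is recorded (stand-in for full instrumentation). */
static void block_entry(int id) {
    if (tracing) { trace_hits[id] = true; return; }
    if (armed[id]) longjmp(halt_point, 1);
}

/* Constructed toy target (hypothetical): which blocks run depends on the
 * first three input bytes. */
static void target(const unsigned char *in, size_t len) {
    block_entry(0);
    if (len > 0 && in[0] == 'F') {
        block_entry(1);
        if (len > 1 && in[1] == 'U') {
            block_entry(2);
            if (len > 2 && in[2] == 'Z') block_entry(3);
            else                          block_entry(4);
        } else {
            block_entry(5);
        }
    } else {
        block_entry(6);
    }
    block_entry(7);
}

struct stats { int executed; int traced; int blocks_covered; };

static void init_oracle(void) {
    for (int i = 0; i < NBLOCKS; i++) armed[i] = true;   /* nothing covered yet */
}

/* One fuzzing iteration under coverage-guided tracing. Returns true when the
 * test case increased coverage, which is the only case in which it is traced. */
static bool run_test_case(const unsigned char *in, size_t len, struct stats *st) {
    st->executed++;
    tracing = false;
    if (setjmp(halt_point) == 0) {
        target(in, len);
        return false;            /* oracle ran to completion: nothing new, no trace */
    }
    /* The oracle halted on a never-seen block: pay for one full trace, then
     * disarm every block this input covered so later inputs that stay inside
     * the known frontier run uninterrupted and untraced. */
    st->traced++;
    tracing = true;
    memset(trace_hits, 0, sizeof trace_hits);
    target(in, len);
    for (int i = 0; i < NBLOCKS; i++)
        if (trace_hits[i] && armed[i]) { armed[i] = false; st->blocks_covered++; }
    return true;
}

/* Constructed test-case sequence (hypothetical fuzzer output): the first four
 * inputs each reach new code, the remaining four only revisit known blocks. */
static struct stats run_demo_campaign(void) {
    static const char *inputs[] = { "A", "F", "FU", "FUZ", "FUZ", "FX", "A", "FU" };
    struct stats st = {0, 0, 0};
    init_oracle();
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        run_test_case((const unsigned char *)inputs[i], strlen(inputs[i]), &st);
    return st;
}

int main(void) {
    struct stats st = run_demo_campaign();
    printf("executed=%d traced=%d blocks_covered=%d/%d\n",
           st.executed, st.traced, st.blocks_covered, NBLOCKS);
    return 0;
}
```

Of the eight inputs only the four that reach new code are traced; the other four finish inside the oracle at the cost of a few flag checks, which is the 0% overhead the abstract reports as the frontier stops moving. Two properties of the toy carry over to a real deployment. First, the oracle reports at basic-block granularity: an input that reaches an already-covered block through a new edge runs to completion unreported, so a fuzzer that relies on edge or hit-count feedback must accept that loss or bolt it on separately. Second, disarming a block mutates the oracle itself; with a fork server, that change has to land in the process future children are cloned from, not in the child that just halted.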