Data Coverage for Guided Fuzzing

Authors: 

Mingzhe Wang, Jie Liang, Chijin Zhou, Zhiyong Wu, Jingzhou Fu, and Zhuo Su, Tsinghua University; Qing Liao, Harbin Institute of Technology; Bin Gu, Beijing Institute of Control Engineering; Bodong Wu, Huawei Technologies Co., Ltd; Yu Jiang, Tsinghua University

Distinguished Paper Award Winner

Abstract: 

Code coverage is crucial for fuzzing. It helps fuzzers identify areas of a program that have not been explored, which are often the most likely to contain bugs. However, code coverage only reflects a small part of a program's structure. Many crucial program constructs, such as constraints, automata, and Turing-complete domain-specific languages, are embedded in a program as constant data. Since this data cannot be effectively reflected by code coverage, it remains a major challenge for modern fuzzing practices.

To address this challenge, we propose data coverage for guided fuzzing. The idea is to detect novel constant data references and maximize their coverage. However, the widespread use of constant data can significantly impact fuzzing throughput if not handled carefully. To overcome this issue, we optimize for real-world fuzzing practices by classifying data access according to semantics and designing customized collection strategies. We also develop novel storage and utilization techniques for improved fuzzing efficiency. Finally, we enhance libFuzzer with data coverage and submit it to Google's FuzzBench for evaluation. Our approach outperforms many state-of-the-art fuzzers and achieves the best coverage score in the experiment. Furthermore, we have discovered 28 previously-unknown bugs on OSS-Fuzz projects that were well-fuzzed using code coverage.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299790,
author = {Mingzhe Wang and Jie Liang and Chijin Zhou and Zhiyong Wu and Jingzhou Fu and Zhuo Su and Qing Liao and Bin Gu and Bodong Wu and Yu Jiang},
title = {Data Coverage for Guided Fuzzing},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {2511--2526},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/wang-mingzhe},
publisher = {USENIX Association},
month = aug
}