Retrowrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization
End users of closed-source software currently cannot easily analyze the security of programs or patch them if flaws are found. Notably, end users can include developers who use third-party libraries. The current state of the art for coverage-guided binary fuzzing or binary sanitization is dynamic binary translation, which results in prohibitive overhead. Existing static rewriting techniques cannot fully recover symbolization information, and so have difficulty modifying binaries to track coverage for fuzzing or add security checks for sanitizers. The ideal solution for adding instrumentation is a static rewriter that can intelligently add in the required instrumentation as if it were inserted at compile time. This requires analysis to statically disambiguate between references and scalars, a problem known to be undecidable in the general case. We show that recovering this information is possible in practice for the most common class of software and libraries: 64-bit, position-independent code. Based on our observation, we design a binary-rewriting instrumentation to support American Fuzzy Lop (AFL) and AddressSanitizer (ASan), and show that we achieve compiler levels of performance while retaining precision. Binaries rewritten for coverage-guided fuzzing using RetroWrite are identical in performance to compiler-instrumented binaries and outperform the default QEMU-based instrumentation by 7.5x while triggering more bugs. Our implementation of binary-only Address Sanitizer is 3x faster than Valgrind memcheck, the state-of-the-art binary-only memory checker, and detects 80% more bugs in our security evaluation.
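The reference-versus-scalar disambiguation the abstract relies on has a concrete basis in position-independent x86-64 binaries: any absolute address stored in a data section must carry an `R_X86_64_RELATIVE` relocation so the loader can rebase it, so a data word is a reference exactly when a relocation covers it. The example below, written for this page and not taken from the RetroWrite implementation, parses raw `Elf64_Rela` entries and re-emits a data section as assembler directives; the section address, data words and relocation blob are constructed sample input.

```python
"""Symbolize the words of a PIC data section using its RELATIVE relocations."""
import struct
from dataclasses import dataclass
from typing import List

R_X86_64_RELATIVE = 8  # ELF relocation type: *(r_offset) = load_base + r_addend


@dataclass(frozen=True)
class Rela:
    r_offset: int
    r_type: int
    r_addend: int


def parse_rela(blob: bytes) -> List[Rela]:
    """Parse raw Elf64_Rela entries (r_offset, r_info, r_addend), 24 bytes each."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 24, 24):
        r_offset, r_info, r_addend = struct.unpack_from("<QQq", blob, off)
        entries.append(Rela(r_offset, r_info & 0xFFFFFFFF, r_addend))  # low 32 bits = type
    return entries


def symbolize_data(section_vaddr: int, data: bytes, relas: List[Rela]) -> List[str]:
    """Emit one .quad per 8-byte word: a label for relocated words, a literal otherwise."""
    relocated = {r.r_offset: r for r in relas if r.r_type == R_X86_64_RELATIVE}
    lines = []
    for i in range(0, len(data), 8):
        vaddr = section_vaddr + i
        if vaddr in relocated:
            # A reference: re-link it to a label so the rewriter may move the target.
            lines.append(f".quad .L{relocated[vaddr].r_addend:x}")
        else:
            # A scalar: keep the bit pattern, even if it happens to look like an address.
            lines.append(f".quad 0x{int.from_bytes(data[i:i + 8], 'little'):x}")
    return lines


# Constructed sample: a .data section at 0x4000 holding three 8-byte words.
# Word 0 is a pointer to 0x2010 (covered by a RELATIVE relocation); word 1 holds
# the same numeric value but has no relocation, so it is a scalar; word 2 is a constant.
SAMPLE_VADDR = 0x4000
SAMPLE_DATA = struct.pack("<QQQ", 0x2010, 0x2010, 0xDEADBEEF)
SAMPLE_RELA = struct.pack("<QQq", SAMPLE_VADDR, R_X86_64_RELATIVE, 0x2010)


def demo() -> List[str]:
    return symbolize_data(SAMPLE_VADDR, SAMPLE_DATA, parse_rela(SAMPLE_RELA))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The second word shows why the relocation table, not the value, decides the classification: it matches the pointer bit-for-bit yet stays a scalar, which is what keeps the rewriter from corrupting constants that happen to look like addresses.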