Breaking Through Binaries: Compiler-quality Instrumentation for Better Binary-only Fuzzing

Stefan Nagy, Anh Nguyen-Tuong, Jason D. Hiser, Jack W. Davidson, Matthew Hicks
2021 USENIX Security Symposium  
Coverage-guided fuzzing is one of the most effective software security testing techniques. Fuzzing takes on one of two forms: compiler-based or binary-only, depending on the availability of source code. While the fuzzing community has improved compiler-based fuzzing with performance- and feedback-enhancing program transformations, binary-only fuzzing lags behind due to the semantic and performance limitations of instrumenting code at the binary level. Many fuzzing use cases are binary-only (i.e., closed source). Thus, applying fuzzing-enhancing program transformations to binary-only fuzzing, without sacrificing performance, remains a compelling challenge. This paper examines the properties required to achieve compiler-quality binary-only fuzzing instrumentation. Based on our findings, we design ZAFL: a platform for applying fuzzing-enhancing program transformations to binary-only targets while maintaining compiler-level performance. We showcase ZAFL's capabilities in an implementation for the popular fuzzer AFL, including five compiler-style fuzzing-enhancing transformations, and evaluate it against the leading binary-only fuzzing instrumenters AFL-QEMU and AFL-Dyninst. Across LAVA-M and real-world targets, ZAFL improves crash-finding by 26-96% and 37-131%, and throughput by 48-78% and 159-203%, compared to AFL-Dyninst and AFL-QEMU, respectively, while maintaining a compiler-level overhead of 27%. We also show that ZAFL supports real-world open- and closed-source software of varying size (10K-100MB), complexity (100-1M basic blocks), platform (Linux and Windows), and format (e.g., stripped and PIC).
dblp:conf/uss/NagyNHDH21 fatcat:ey3q4amsgfezhh4qcyq3u5dwji