Abstract

Coverage-guided fuzzing is one of the most effective approaches to vulnerability discovery. Within this family, full-speed fuzzers such as UnTracer trace a test case only when it discovers new coverage; because tracing is expensive, restricting it to coverage-increasing test cases makes fuzzing considerably faster. However, the existing full-speed fuzzer, UnTracer, is built on basic block coverage and therefore suffers from edge collision, a severe problem in which distinct edges map to the same coverage entry and become indistinguishable. Moreover, such fuzzers ignore path frequency, which affects fuzzing effectiveness. In this paper we propose CSI-Fuzz, a fuzzer that uses coverage sensitive instrumentation to address these problems of existing full-speed fuzzing. CSI-Fuzz instruments edges directly, which eliminates edge collision, and assigns path identifiers so that the frequency of each covered path can be counted. CSI-Fuzz can be treated as an add-on and applied seamlessly to existing coverage-guided fuzzers; we implement it on top of two widely adopted fuzzers, AFL and AFLFast, to evaluate its performance. The experiments show that CSI-Fuzz discovers more edges than AFL, AFLFast, and UnTracer, and that it exposes more bugs than the other fuzzers.
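The following is an added simulation of the two mechanisms the abstract contrasts; it is not code from the CSI-Fuzz paper, UnTracer or AFL. The AFL part reproduces AFL's well-known bucket computation (`map[cur ^ prev]++; prev = cur >> 1;`), which is why two different edges can share one entry. The direct edge table, the FNV-based path identifier, the full-speed style "only new edges are worth tracing" decision, the table capacities and all block ids and edge lists are constructed assumptions for illustration, not the paper's implementation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAP_SIZE   (1u << 16)   /* AFL's default 64 KiB coverage map */
#define MAX_EDGES  64           /* assumed capacity of the direct edge table */
#define MAX_PATHS  64           /* assumed capacity of the path-frequency table */

typedef struct { uint32_t src, dst; } edge_t;

/* AFL-style hashed edge coverage. Each basic block carries a random id; on
 * entry the instrumentation does  map[cur ^ prev]++; prev = cur >> 1;
 * so the bucket for edge src->dst is dst ^ (src >> 1). Different edges can
 * land in the same bucket: that is the edge collision the abstract names. */
uint32_t afl_edge_bucket(uint32_t src, uint32_t dst) {
    return (dst ^ (src >> 1)) & (MAP_SIZE - 1);
}

/* Number of distinct buckets a list of distinct edges touches under AFL
 * hashing. A result smaller than n means some edges are indistinguishable,
 * so a test case covering the "new" one looks uninteresting to the fuzzer. */
uint32_t afl_distinct_buckets(const edge_t *edges, size_t n) {
    static uint8_t map[MAP_SIZE];
    uint32_t distinct = 0;
    memset(map, 0, sizeof map);
    for (size_t i = 0; i < n; i++) {
        uint32_t b = afl_edge_bucket(edges[i].src, edges[i].dst);
        if (!map[b]) { map[b] = 1; distinct++; }
    }
    return distinct;
}

/* Direct per-edge coverage (an assumed simplification of instrumenting at
 * edges, not CSI-Fuzz's actual implementation): every (src,dst) pair owns its
 * own slot, so distinct edges are never confused. A path id is a hash over the
 * sequence of edge slots, and each path id keeps a frequency counter. */
typedef struct {
    edge_t   edge[MAX_EDGES];
    size_t   n_edges;
    uint32_t path_id[MAX_PATHS];
    uint32_t path_hits[MAX_PATHS];
    size_t   n_paths;
} coverage_t;

/* Slot for src->dst, allocated on first sight; *is_new reports whether the
 * edge was unseen. When the table is full the edge is treated as seen. */
size_t direct_edge_slot(coverage_t *c, uint32_t src, uint32_t dst, int *is_new) {
    for (size_t i = 0; i < c->n_edges; i++)
        if (c->edge[i].src == src && c->edge[i].dst == dst) { *is_new = 0; return i; }
    if (c->n_edges >= MAX_EDGES) { *is_new = 0; return MAX_EDGES - 1; }
    c->edge[c->n_edges].src = src;
    c->edge[c->n_edges].dst = dst;
    *is_new = 1;
    return c->n_edges++;
}

/* Full-speed style handling of one test case, given the edge sequence it
 * executed. Returns 1 if the case covered a new edge (the only case a
 * full-speed fuzzer would pay to trace and keep), else 0. The frequency of
 * the executed path is updated either way and written to *path_freq. */
int process_test_case(coverage_t *c, const edge_t *path, size_t n, uint32_t *path_freq) {
    int found_new = 0;
    uint32_t id = 2166136261u;               /* FNV-1a over the slot sequence */
    for (size_t i = 0; i < n; i++) {
        int is_new;
        size_t slot = direct_edge_slot(c, path[i].src, path[i].dst, &is_new);
        found_new |= is_new;
        id = (id ^ (uint32_t)slot) * 16777619u;
    }
    for (size_t i = 0; i < c->n_paths; i++)
        if (c->path_id[i] == id) { *path_freq = ++c->path_hits[i]; return found_new; }
    if (c->n_paths < MAX_PATHS) {
        c->path_id[c->n_paths] = id;
        c->path_hits[c->n_paths] = 1;
        c->n_paths++;
    }
    *path_freq = 1;
    return found_new;
}

/* Constructed block ids: edges 2->5 and 3->5 collide under AFL hashing
 * because 2 >> 1 == 3 >> 1, while the direct table keeps them apart. */
uint32_t demo_collision_afl(void) {
    const edge_t edges[2] = { {2, 5}, {3, 5} };
    return afl_distinct_buckets(edges, 2);     /* 1 bucket for 2 edges */
}

uint32_t demo_collision_direct(void) {
    const edge_t edges[2] = { {2, 5}, {3, 5} };
    coverage_t c;
    uint32_t freq;
    memset(&c, 0, sizeof c);
    process_test_case(&c, edges, 2, &freq);
    return (uint32_t)c.n_edges;                /* 2 slots for 2 edges */
}
```

The collision shown is the structural one in AFL's scheme: the right shift applied to the previous block id discards its low bit, so any two blocks that differ only in that bit produce identical buckets for edges into the same successor, independent of how the random ids happen to fall. In a real fuzzer the random ids add further, unpredictable collisions on top of this.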
