Abstract

Code instrumentation is widely used in software analysis. Coverage-guided fuzzers collect path information by instrumenting additional code into the executable to guide the mutator. Existing instrumentation tools try to instrument all basic blocks to achieve high code coverage. This adds run-time overhead to the target and slows down fuzzing. Too many recorded paths may also lead to hash collisions, or distract the fuzzer toward less important code. To concentrate the instrumentation on the functional areas of interest and on security-related basic blocks, this paper presents MinSIB (Minimized static instrumentation for fuzzing binaries), a static binary instrumentation toolkit for Windows binaries. It instruments additional code into the executable in inline mode to reduce the overhead caused by instrumentation, and it adopts three optimization approaches to minimize the number of instrumentation points. As a result, MinSIB reduces the number of instrumentation points by 90% on average, and its run-time overhead is 79% less than that of full instrumentation. MinSIB also improves the efficiency of fuzzing: it reproduces known vulnerabilities 4 to 24 times faster than existing tools, and 14 previously unknown bugs are found in 6 real-world programs. The results indicate that MinSIB outperforms the state-of-the-art static binary instrumentation tool (PE-AFL) and dynamic instrumentation tool (DynamoRIO) for Windows PE files.
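As an added illustration (not the paper's code) of why instrumenting every basic block inflates the coverage map and invites hash collisions, the Python script below builds a constructed control-flow graph, instruments it once fully and once with an assumed pass-through-block elision rule (a stand-in for MinSIB's three optimizations, which the abstract does not name), and counts AFL-style edge-index collisions in a deliberately tiny map.

```python
import random
MAP_SIZE = 1 << 8  # assumption: a tiny coverage map so collisions become visible

def build_cfg(n_branches, chain_len):
    # Constructed CFG: blocks 0..n_branches-1 are two-way branches whose arms are
    # straight-line chains rejoining at the next branch (or at exit block n_branches).
    succ, next_id = {n_branches: []}, n_branches + 1
    for b in range(n_branches):
        target = b + 1 if b + 1 < n_branches else n_branches
        succ[b] = [next_id, next_id + chain_len]  # the two arms start here
        for _arm in range(2):
            chain = list(range(next_id, next_id + chain_len))
            next_id += chain_len
            succ.update({u: [v] for u, v in zip(chain, chain[1:])})
            succ[chain[-1]] = [target]
    return succ

def choose_points(succ, minimize):
    # Full mode instruments every block. Minimized mode uses an assumed rule (not
    # MinSIB's): skip a one-in/one-out block whose predecessor has no other successor.
    pred = {u: [] for u in succ}
    for u, vs in succ.items():
        for v in vs:
            pred[v].append(u)
    def skip(u):
        return minimize and len(succ[u]) == 1 == len(pred[u]) and len(succ[pred[u][0]]) == 1
    return {u for u in succ if not skip(u)}

def instrumented_edges(succ, points):
    # Edges the fuzzer sees: consecutive instrumented blocks, walking through skipped
    # blocks (each has exactly one successor; the constructed CFG has no loops).
    edges = set()
    for u in points:
        for v in succ[u]:
            while v not in points:
                v = succ[v][0]
            edges.add((u, v))
    return edges

def stats(succ, locs, minimize):
    # AFL-style edge index cur ^ (prev >> 1); a collision is two edges sharing a slot.
    pts = choose_points(succ, minimize)
    edges = instrumented_edges(succ, pts)
    idx = [(locs[v] ^ (locs[u] >> 1)) & (MAP_SIZE - 1) for u, v in edges]
    return {"points": len(pts), "edges": len(edges), "collisions": len(idx) - len(set(idx))}

def evaluate(n_branches=4, chain_len=5, seed=1):
    succ = build_cfg(n_branches, chain_len)
    locs = dict(zip(succ, random.Random(seed).choices(range(MAP_SIZE), k=len(succ))))
    return {name: stats(succ, locs, m) for name, m in (("full", False), ("minimized", True))}
```

With the default graph (45 blocks), minimized mode keeps 13 instrumentation points and 16 observed edges against 45 and 48 for full instrumentation, while still distinguishing every branch outcome.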
