Abstract

Coverage-guided fuzzing is a widely used and effective way to find software vulnerabilities. Tracking code coverage and using it to guide fuzzing are central to coverage-guided fuzzers. However, tracking full and accurate path coverage is infeasible in practice because of the high instrumentation overhead. Popular fuzzers (e.g., AFL) therefore use coarse coverage information, e.g., edge hit counts stored in a compact bitmap, to achieve highly efficient greybox testing. This inaccuracy and incompleteness in coverage impose serious limitations on fuzzers. First, they cause path collisions, which prevent fuzzers from discovering potential paths that lead to new crashes. More importantly, they prevent fuzzers from making well-informed decisions about fuzzing strategies. In this article, we propose a coverage-sensitive fuzzing solution, CollAFL. It mitigates path collisions by providing more accurate coverage information while preserving low instrumentation overhead. It also uses this coverage information to apply three new fuzzing strategies, speeding up the discovery of new paths and vulnerabilities. We implemented two variants of this solution, CollAFL (based on AFL) and CollAFL-bin (based on AFL-dyninst), to test applications with and without source code respectively, and evaluated them on 24 popular applications. The results show that path collisions are common: up to 75 percent of edges could collide with others in some applications. Our solutions CollAFL and CollAFL-bin reduced the edge collision ratio to nearly zero. Moreover, armed with the three fuzzing strategies, they outperform their counterparts (AFL and AFL-dyninst) in both code coverage and vulnerability discovery. On average, CollAFL covered 20 percent more program paths, and found 320 percent more unique crashes and 260 percent more bugs than AFL in 200 hours. CollAFL-bin covered 15 percent more paths, and found 200 percent more unique crashes and 150 percent more vulnerabilities than AFL-dyninst, showing that the proposed solution also works for fuzzing binary applications. In total, CollAFL found 157 new security bugs, with 95 new CVEs assigned.
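The abstract names path collisions in AFL's compact bitmap as the core problem but does not show how they arise or how a collision-free edge assignment can keep instrumentation cheap. The simulation below is an added example, not code from the paper or from AFL: afl_edge_key follows the edge hash described in AFL's technical whitepaper (cur_location ^ prev_location, with prev_location = cur_location >> 1 and a random 16-bit id per basic block); assign_collision_free is a hypothetical per-block parameter search that illustrates the idea the abstract states (a distinct bitmap slot per edge at the cost of a shift, an xor and an add per block) and is not claimed to be CollAFL's exact algorithm. The control-flow graph and block ids are randomly constructed.

```python
"""Edge-coverage collisions in an AFL-style bitmap vs. a collision-free assignment.

Added example for this abstract; not code from the CollAFL paper or from AFL.
afl_edge_key() follows the scheme in AFL's technical whitepaper. assign_collision_free()
is a hypothetical illustration of per-block parameterised edge ids and is NOT claimed
to be CollAFL's exact algorithm. The CFG and the block ids are randomly constructed.
"""
import random
from collections import defaultdict

MAP_SIZE = 1 << 16          # AFL's default coverage bitmap: 64 KiB, one byte per slot
MAP_MASK = MAP_SIZE - 1


def build_random_cfg(n_blocks, n_edges, seed):
    """Constructed CFG: a sorted list of distinct (pred, succ) basic-block index pairs."""
    rng = random.Random(seed)
    edges = set()
    while len(edges) < n_edges:
        edges.add((rng.randrange(n_blocks), rng.randrange(n_blocks)))
    return sorted(edges)


def assign_afl_ids(n_blocks, seed):
    """AFL gives every basic block an independent random id in [0, MAP_SIZE)."""
    rng = random.Random(seed)
    return [rng.randrange(MAP_SIZE) for _ in range(n_blocks)]


def afl_edge_key(block_id, pred, succ):
    """AFL's bitmap slot for edge pred -> succ: cur_id ^ (prev_id >> 1)."""
    return (block_id[succ] ^ (block_id[pred] >> 1)) & MAP_MASK


def collision_ratio(edge_keys):
    """Fraction of edges whose slot is shared with at least one other edge."""
    count = defaultdict(int)
    for k in edge_keys:
        count[k] += 1
    return sum(1 for k in edge_keys if count[k] > 1) / len(edge_keys)


def assign_collision_free(edges, block_id, max_shift=4, max_offset=256):
    """Hypothetical per-block parameter search (illustration, not the paper's algorithm).

    For each block with incoming edges, pick constants (x, y, z) so that
        key = ((cur_id >> x) ^ (pred_id >> y)) + z   (mod MAP_SIZE)
    is distinct for every incoming edge and unused by every other block, so the
    per-block instrumentation stays a shift, an xor and an add. Blocks for which
    no parameters work fall back to an explicit (slower) per-edge table.
    Returns (edge -> key, block -> (x, y, z), number of fallback edges).
    """
    preds = defaultdict(list)
    for p, s in edges:
        preds[s].append(p)
    used, keys, params, n_fallback = set(), {}, {}, 0
    for succ in sorted(preds):
        cur = block_id[succ]
        chosen = None
        for x in range(max_shift):
            for y in range(max_shift):
                for z in range(max_offset):
                    cand = [(((cur >> x) ^ (block_id[p] >> y)) + z) & MAP_MASK
                            for p in preds[succ]]
                    if len(set(cand)) == len(cand) and used.isdisjoint(cand):
                        chosen = (x, y, z, cand)
                        break
                if chosen:
                    break
            if chosen:
                break
        if chosen is None:
            # e.g. two predecessors that happen to share a block id: no (x, y, z)
            # separates them, so each edge gets a fresh slot via a lookup table
            for p in preds[succ]:
                k = next(k for k in range(MAP_SIZE) if k not in used)
                keys[(p, succ)] = k
                used.add(k)
                n_fallback += 1
        else:
            x, y, z, cand = chosen
            params[succ] = (x, y, z)
            for p, k in zip(preds[succ], cand):
                keys[(p, succ)] = k
                used.add(k)
    return keys, params, n_fallback


def compare_schemes(n_blocks=2000, n_edges=6000, seed=7):
    """Collision ratio of AFL's hash vs. the collision-free assignment on one CFG."""
    edges = build_random_cfg(n_blocks, n_edges, seed)
    ids = assign_afl_ids(n_blocks, seed)
    afl_ratio = collision_ratio([afl_edge_key(ids, p, s) for p, s in edges])
    cf_keys, _params, n_fallback = assign_collision_free(edges, ids)
    cf_ratio = collision_ratio([cf_keys[e] for e in edges])
    return afl_ratio, cf_ratio, n_fallback


if __name__ == "__main__":
    afl, cf, fb = compare_schemes()
    print(f"AFL hash: {afl:.1%} of edges share a slot with another edge")
    print(f"parameterised keys: {cf:.1%} collide ({fb} edges needed the table fallback)")
```

With 6000 edges hashed into 65536 slots, the birthday bound alone makes several percent of the AFL-style keys collide; the parameterised assignment is collision-free by construction because every slot is checked against the set already in use. The same collision_ratio check can be applied to block ids dumped from a real instrumented binary to measure how much of its coverage signal is being merged.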
