Jifan Xiao, Key Laboratory of High Confidence Software Technologies, Peking University; Peng Jiang, Southeast University; Zixi Zhao, Ruizhe Huang, Junlin Liu, and Ding Li, Key Laboratory of High Confidence Software Technologies, Peking University
Greybox fuzzing is now a standard technique for finding software bugs, but applying it to Commercial-Off-the-Shelf (COTS) binaries remains difficult because the code coverage that guides the fuzzer is hard to collect without source. Existing ways of collecting coverage from COTS binaries (static binary rewriting, emulation, and hardware tracing) each carry drawbacks: they can crash the target, impose a large runtime slowdown, or work only on particular hardware. As a result, no current approach handles all COTS binaries.
This paper introduces a new feedback mechanism, system call pattern coverage, designed for binaries that existing approaches cannot handle. Instead of rewriting the binary, running it in an emulator, or relying on hardware such as Intel PT, it derives feedback from the pattern of system calls the target issues, so it can fuzz a binary without the risk of breaking the target, without the slowdown, and without requiring specific hardware. To demonstrate the mechanism we built two fuzzers, SPFuzz and SPFuzz++, and evaluated them on 29 real-world benchmarks. SPFuzz and SPFuzz++ perform comparably to conventional code coverage guidance and find new bugs without access to source code; with SPFuzz we discovered six new CVEs in commercial applications, including CUDA.
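To make the feedback idea concrete, the following is an added illustration (not SPFuzz's own code, and not the paper's definition of a pattern) of how system-call pattern coverage can be derived from a trace of the target's syscalls and used as a fuzzing feedback signal. Everything below is assumed for the sake of the example: a pattern is a sliding window of three consecutive syscall names, each pattern is hashed into a fixed-size coverage map, an input is "interesting" when it hits a previously unseen map slot, and the syscall trace arrives as strace-style text (the two trace logs are constructed by hand). How SPFuzz actually collects syscalls is not described in the abstract and is left out here.

```python
"""System-call pattern coverage, illustrative only (not SPFuzz code).

Assumed design, not taken from the paper:
  * a pattern is WINDOW consecutive syscall names,
  * each pattern is hashed into a MAP_SIZE-slot coverage map,
  * an input is interesting when it sets a slot nobody set before,
  * traces are strace-style text (constructed samples below).
"""
import hashlib
import re

MAP_SIZE = 1 << 16   # assumed coverage-map size
WINDOW = 3           # assumed pattern length (syscalls per window)

# Matches the syscall name at the start of an strace line, e.g.
#   openat(AT_FDCWD, "a.in", O_RDONLY) = 3
#   [pid 1234] read(3, "...", 4096) = 12
# Signal and exit lines ("--- SIGSEGV ...", "+++ killed by ...") do not match.
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s*)?([a-z0-9_]+)\(')
KILLED_RE = re.compile(r'^\+\+\+ killed by (SIG[A-Z0-9]+)')


def parse_trace(text):
    """Return the ordered list of syscall names found in an strace-style log."""
    names = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def patterns(names, window=WINDOW):
    """Set of all length-`window` syscall sequences in the trace."""
    return {tuple(names[i:i + window]) for i in range(len(names) - window + 1)}


def slot_of(pattern):
    """Hash one pattern into a coverage-map index (assumed hashing scheme)."""
    key = "->".join(pattern).encode()
    digest = hashlib.blake2b(key, digest_size=4).digest()
    return int.from_bytes(digest, "big") % MAP_SIZE


def fatal_signal(text):
    """Name of the signal that killed the target, or None if it exited normally."""
    for line in text.splitlines():
        m = KILLED_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


class PatternCoverage:
    """Global coverage state a fuzzer would keep across all executions."""

    def __init__(self):
        self.seen = set()   # map slots hit by any earlier input

    def record(self, trace_text):
        """Feed one execution's trace; return True if it reached new coverage."""
        hit = {slot_of(p) for p in patterns(parse_trace(trace_text))}
        new = hit - self.seen
        self.seen |= new
        return bool(new)


# Constructed sample traces (not real program output).
TRACE_A = """\
execve("/usr/bin/app", ["app", "a.in"], 0x7ffd1234 /* 20 vars */) = 0
openat(AT_FDCWD, "a.in", O_RDONLY) = 3
read(3, "hello world\\n", 4096) = 12
close(3) = 0
write(1, "ok\\n", 3) = 3
exit_group(0) = ?
+++ exited with 0 +++
"""

TRACE_B = """\
execve("/usr/bin/app", ["app", "b.in"], 0x7ffd1234 /* 20 vars */) = 0
openat(AT_FDCWD, "b.in", O_RDONLY) = 3
[pid 4242] read(3, "\\x00\\x00\\x00\\x00", 4096) = 40
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0000001000
close(3) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x0} ---
+++ killed by SIGSEGV +++
"""


if __name__ == "__main__":
    cov = PatternCoverage()
    for name, trace in (("A", TRACE_A), ("A again", TRACE_A), ("B", TRACE_B)):
        interesting = cov.record(trace)
        print(f"input {name}: new coverage={interesting}, "
              f"crash={fatal_signal(trace)}, slots seen={len(cov.seen)}")
```

Replaying the same input a second time yields no new slots, so a fuzzer using this signal would discard it, while the second trace both opens new patterns (the `mmap` path) and ends in a fatal signal, which is exactly the case a fuzzer wants to keep and report. The window length and hash are the knobs that trade sensitivity (longer windows distinguish more behaviours) against map saturation.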