Refined Grey-Box Fuzzing with SIVO

TL;DR

SIVO is a new grey-box fuzzer that improves data-flow analysis, branch inversion, coverage detection, and adaptive parameter selection, leading to higher code coverage and vulnerability discovery compared to existing fuzzers.

Contribution

It introduces novel taint inference and branch inversion methods, along with adaptive parameterization, to enhance grey-box fuzzing effectiveness and efficiency.

Findings

SIVO achieves the highest code coverage among 12 fuzzers on 27 benchmarks.

SIVO finds more vulnerabilities than other state-of-the-art fuzzers.

The new techniques significantly improve fuzzing performance and adaptability.

Abstract

We design and implement from scratch a new fuzzer called SIVO that refines multiple stages of grey-box fuzzing. First, SIVO refines data-flow fuzzing in two ways: (a) it provides a new taint inference engine that requires only logarithmic in the input size number of tests to infer the dependency of all program branches on the input bytes, and (b) it deploys a novel method for inverting branches by solving directly and efficiently systems of inequalities. Second, our fuzzer refines accurate tracking and detection of code coverage with simple and easily implementable methods. Finally, SIVO refines selection of parameters and strategies by parameterizing all stages of fuzzing and then dynamically selecting optimal values during fuzzing. Thus the fuzzer can easily adapt to a target program and rapidly increase coverage. We compare our fuzzer to 11 other state-of-the-art grey-box fuzzers on 27 popular benchmarks. Our evaluation shows that SIVO scores the highest both in terms of code coverage and in terms of number of found vulnerabilities.