TL;DR
This paper enhances coverage-guided fuzzing by adapting Coverage-guided Tracing (CGT) to finer-grain coverage metrics, significantly improving fuzzing speed and bug detection across diverse binaries.
Contribution
It introduces a suite of enhancements that extend CGT to edge coverage and hit counts while maintaining high performance, enabling more effective binary fuzzing.
Findings
Achieves near-identical speed to block-coverage CGT
Outperforms existing tracers by 2-24x
Finds more bugs in less time
Abstract
Coverage-guided fuzzing's aggressive, high-volume testing has helped reveal tens of thousands of software security flaws. While executing billions of test cases mandates fast code coverage tracing, the nature of binary-only targets leads to reduced tracing performance. A recent advancement in binary fuzzing performance is Coverage-guided Tracing (CGT), which brings orders-of-magnitude gains in throughput by restricting the expense of coverage tracing to only when new coverage is guaranteed. Unfortunately, CGT suits only a basic block coverage granularity -- yet most fuzzers require finer-grain coverage metrics: edge coverage and hit counts. It is this limitation which prohibits nearly all of today's state-of-the-art fuzzers from attaining the performance benefits of CGT. This paper tackles the challenges of adapting CGT to fuzzing's most ubiquitous coverage metrics. We introduce and…
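The abstract's central point is that Coverage-guided Tracing pays for a full trace only when new block coverage is guaranteed, which leaves it blind to the edge and hit-count coverage most fuzzers actually consume. The following Python model is an added illustration of that gap, not code from the paper or its authors: it runs a block-granularity CGT oracle and an always-on edge/hit-count tracer over the same constructed executions of a tiny control-flow graph and reports which executions the block-level oracle would have left untraced even though they contributed new edge or hit-count coverage. The hit-count bucketing scheme is an assumed AFL-style one, and the block names, paths and `compare` helper are all constructed for the example.

```python
"""Toy model of the tracing gap the abstract describes.

Block-coverage CGT keeps a 'breakpoint' on every basic block and only pays for
a full trace when execution reaches a block whose breakpoint is still armed
(new block coverage is guaranteed). Fuzzers that track edge coverage and hit
counts also need to notice new edges and new hit-count buckets, which a
block-level oracle cannot see. Constructed illustration, not the paper's code.
"""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]


def hit_bucket(count: int) -> int:
    """Collapse an edge hit count into coarse buckets (AFL-style scheme,
    assumed here as the hit-count metric; not taken from the paper)."""
    for limit, bucket in ((1, 1), (2, 2), (3, 3), (4, 4), (8, 5), (16, 6), (32, 7)):
        if count <= limit:
            return bucket
    return 8


class BlockCGT:
    """Block-granularity coverage-guided tracing."""

    def __init__(self, blocks: Set[str]) -> None:
        self.breakpoints = set(blocks)   # one breakpoint per block, still armed
        self.full_traces = 0             # expensive full traces actually performed

    def run(self, path: List[str]) -> bool:
        """Return True if this execution was fully traced (an armed block was hit)."""
        if not any(block in self.breakpoints for block in path):
            return False                 # fast path: no breakpoint fired
        self.full_traces += 1
        self.breakpoints.difference_update(path)  # disarm blocks now covered
        return True


class EdgeHitTracer:
    """Always-on edge + hit-count tracing (the metric most fuzzers want)."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[Edge, int]] = set()

    def run(self, path: List[str]) -> bool:
        """Return True if the path yields a new (edge, hit-bucket) pair."""
        counts: Dict[Edge, int] = {}
        for edge in zip(path, path[1:]):
            counts[edge] = counts.get(edge, 0) + 1
        new = {(edge, hit_bucket(c)) for edge, c in counts.items()} - self.seen
        self.seen |= new
        return bool(new)


def compare(paths: List[List[str]]) -> Dict[str, object]:
    """Run both oracles over the same executions and report what block CGT misses."""
    blocks = {block for path in paths for block in path}
    cgt, edges = BlockCGT(blocks), EdgeHitTracer()
    edge_interesting: List[int] = []
    missed: List[int] = []
    for i, path in enumerate(paths):
        traced = cgt.run(path)
        interesting = edges.run(path)
        if interesting:
            edge_interesting.append(i)
            if not traced:
                missed.append(i)   # new edge/hit-count coverage, but never traced
    return {
        "full_traces": cgt.full_traces,
        "edge_interesting": edge_interesting,
        "missed_by_block_cgt": missed,
    }


# Constructed executions of a small CFG (A->B, A->C, B->B loop, B->C, B->D, C->D).
PATHS = [
    ["A", "B", "B", "D"],                 # 0: first run, new blocks A, B, D
    ["A", "C", "D"],                      # 1: new block C
    ["A", "B", "C", "D"],                 # 2: only a new edge B->C
    ["A", "B", "B", "B", "B", "B", "D"],  # 3: only a higher B->B hit-count bucket
    ["A", "B", "B", "D"],                 # 4: nothing new at all
]

if __name__ == "__main__":
    print(compare(PATHS))
    # {'full_traces': 2, 'edge_interesting': [0, 1, 2, 3], 'missed_by_block_cgt': [2, 3]}
```

Executions 2 and 3 are exactly the cases the abstract is about: they add a new edge and a new hit-count bucket respectively, yet block-level CGT has already disarmed every breakpoint after the first two runs and so never traces them. A fuzzer relying on block CGT alone would discard both inputs as uninteresting.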
