Evaluating the Fork-Awareness of Coverage-Guided Fuzzers
Marcello Maugeri, Cristian Daniele, Giampaolo Bella, Erik Poll

TL;DR
This paper introduces the fork-awareness property to evaluate how well coverage-guided fuzzers handle systems using forks, revealing their current limitations in managing such complex systems.
Contribution
It defines the fork-awareness property and assesses 14 popular fuzzers, highlighting their ineffectiveness against systems employing forks.
Findings
Most fuzzers are ineffective against fork-based systems
Fork-awareness is a critical property for effective fuzzing of complex systems
Current coverage-guided fuzzers lack adequate support for forked processes
Abstract
Fuzz testing (or fuzzing) is an effective technique used to find security vulnerabilities. It consists of feeding a software under test with malformed inputs, waiting for a weird system behaviour (often a crash of the system). Over the years, different approaches have been developed, and among the most popular lies the coverage-based one. It relies on the instrumentation of the system to generate inputs able to cover as much code as possible. The success of this approach is also due to its usability as fuzzing techniques research approaches that do not require (or only partially require) human interactions. Despite the efforts, devising a fully-automated fuzzer still seems to be a challenging task. Target systems may be very complex; they may integrate cryptographic primitives, compute and verify check-sums and employ forks to enhance the system security, achieve better performance or…
Taxonomy
Topics: Software Testing and Debugging Techniques · Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques
