ColorGo: Directed Concolic Execution
Jia Li, Jiacheng Shen, Yuxin Su, Michael R. Lyu

TL;DR
ColorGo is a novel directed whitebox fuzzer that combines concolic execution with incremental coloration techniques to achieve high scalability and precision, significantly outperforming existing methods like AFLGo in reaching targets.
Contribution
This paper introduces ColorGo, a new directed fuzzing approach that integrates compilation-based concolic execution with incremental coloration for improved efficiency and effectiveness.
Findings
ColorGo outperforms AFLGo by up to 100x in reaching target sites.
ColorGo effectively reproduces target crashes in diverse real-world programs.
ColorGo maintains high precision while achieving scalability.
Abstract
Directed fuzzing is a critical technique in cybersecurity, targeting specific sections of a program. This approach is essential in various security-related domains such as crash reproduction, patch testing, and vulnerability detection. Despite its importance, current directed fuzzing methods exhibit a trade-off between efficiency and effectiveness. For instance, directed grey-box fuzzing, while efficient in generating fuzzing inputs, lacks sufficient precision; the low precision causes time to be wasted executing code that cannot help reach the target site. Conversely, interpreter- or observer-based directed symbolic execution can produce high-quality inputs while incurring non-negligible runtime overhead. These limitations undermine the feasibility of directed fuzzers in real-world scenarios. To kill two birds, efficiency and effectiveness, with one stone, in this paper, we involve…
Taxonomy
Topics: Software Testing and Debugging Techniques · Security and Verification in Computing · Advanced Malware Detection Techniques
