Rust and Go directed fuzzing with LibAFL-DiFuzz

TL;DR

This paper introduces a novel directed greybox fuzzing approach for Rust and Go, leveraging LibAFL-DiFuzz, which outperforms existing fuzzers in efficiency and accuracy through advanced preprocessing and instrumentation techniques.

Contribution

It extends directed fuzzing techniques to Rust and Go, providing a new, effective method with custom compiler modifications and graph-based targeting, outperforming existing tools.

Findings

Rust-LibAFL-DiFuzz achieves the best TTE results.

Go-LibAFL-DiFuzz outperforms competitors in most cases.

The approach demonstrates superior efficiency and accuracy.

Abstract

In modern SSDLC, program analysis and automated testing are essential for minimizing vulnerabilities before software release, with fuzzing being a fast and widely used dynamic testing method. However, traditional coverage-guided fuzzing may be less effective in specific tasks like verifying static analysis reports or reproducing crashes, while directed fuzzing, focusing on targeted program locations using proximity metrics, proves to be more effective. Some of the earliest directed fuzzers are, for example, AFLGo and BEACON, which use different proximity metric approaches. Although most automated testing tools focus on C/C++ code, the growing popularity of Rust and Go causes the need for precise and efficient testing solutions for these languages. This work expands the applicability of directed fuzzing beyond traditional analysis of C/C++ software. We present a novel approach to directed greybox fuzzing tailored specifically for Rust and Go applications. We introduce advanced preprocessing techniques, rustc compiler customizations, and elaborate graph construction and instrumentation methods to enable effective targeting of specific program locations. Our implemented fuzzing tools, based on LibAFL-DiFuzz backend, demonstrate competitive advantages compared to popular existing fuzzers like afl$.$rs, cargo-fuzz, and go-fuzz. According to TTE (Time to Exposure) experiments, Rust-LibAFL-DiFuzz outperforms other tools by the best TTE result. Some stability issues can be explained by different mutation approaches. Go-LibAFL-DiFuzz outperforms its opponent by the best and, in the majority of cases, by average result, having two cases with orders of magnitude difference. These results prove better efficiency and accuracy of our approach.