Wang Mingzhe, Jiang Yu, Sun Jiaguang. Static Instrumentation Techniques in Fuzzing Testing[J]. Journal of Computer Research and Development, 2023, 60(2): 262-273. DOI: 10.7544/issn1000-1239.202220883

Static Instrumentation Techniques in Fuzzing Testing

Funds: This work was supported by the National Key Research and Development Program of China (2022YFB3104000), the National Natural Science Foundation of China (62022046, 92167101, U1911401), and Webank Scholar Project (20212001829).
  • Received Date: October 20, 2022
  • Revised Date: December 12, 2022
  • Available Online: February 10, 2023
Abstract: Fuzzing testing is a well-established method for detecting software defects. Its basic idea is to generate a large number of random inputs in order to explore program behavior extensively, monitor for crashes, and reveal the software defects behind them. Purely random inputs, however, cannot explore program behavior efficiently, and many program defects rarely manifest as crashes. To further enhance the effectiveness of fuzzing testing, static instrumentation techniques are therefore introduced to speed up the exploration of the program state space and to improve defect-detection capability. As a result, static instrumentation has become a de facto practice in fuzzing testing today. In this paper, we focus on the instrumentation requirements that arise in fuzzing testing. Besides introducing the basics of static instrumentation, we systematically analyze the typical static instrumentation schemes from two perspectives, i.e., security hardening and guidance collection. In addition, we investigate the challenge of execution overhead: for a comprehensive set of instrumentation schemes, we measure the execution speed of the instrumented program and compare it against the non-instrumented baseline. Finally, based on the above analyses and measurements, we provide a preliminary analysis of the optimization directions for static instrumentation.
