Static Instrumentation Techniques in Fuzzing Testing

Fuzzing testing is a well-established method for detecting software defects. Its basic idea is generating a large number of random inputs to explore the program behavior extensively and then to monitor the crashes and reveal the software defects behind the crashes. Obviously, purely random inputs cannot explore program behavior efficiently and a large number of program defects can hardly lead to crashes. To further enhance the effectiveness of fuzzing testing, static instrumentation techniques are often introduced in fuzzing testing to speed up the exploration of the program state space and improve the ability of defect detection. As a result, using static instrumentation has become a de facto practice in fuzzing testing nowadays. In this paper, we focus on the instrumentation requirements under the background of fuzzing testing. Besides introducing the basics of static instrumentation, we systematically analyze the typical schemes of static instrumentation from two perspectives, i.e., security hardening and guidance collection. In addition, we investigate the challenge of execution overhead. Specifically, for a comprehensive set of instrumentation schemes, we measure the execution speed of the instrumented program and compare it to non-instrumented programs of the baseline. Finally, based on the above analyses and measurements, we provide a primitive analysis over the optimization directions of static instrumentation.