Instruction level branch condition penetration for BiFF

Abstract

Fuzzing is one of the most widely deployed techniques to discover software security vulnerabilities. Despite the increasing popularity of fuzzing, many existing fuzzers requires source code to conduct fuzzing. For binary-only fuzzing, the execution speed of existing fuzzers is usually slow due to heavy instrumentation. And many of them may not support fuzzing on multiple CPU architectures. A fuzzer named BiFF is designed to support fuzzing cross-architecture and fuzzing for binary-only target with reasonable overhead. Another problem with existing fuzzers is their limited code penetration and effectiveness as the new testing inputs are generated randomly and therefore hard to detect errors that reside on deeper level. A fuzzing approach called Steelix is designed to solve this problem. It collects program-state information (i.e., comparison progress information) and use it to guide the mutation of input. Steelix has proven to be both effective and efficient in terms of penetration and execution. To enhance the branch condition penetration power and support fast fuzzing on binary-only target cross-architecture, we integrated the idea of Steelix into the fuzzer BiFF. This report elaborates the mechanism, implementation and performance of BiFF with Steelix incorporated.