Yu-Chuan Liang, Hsu-Chun Hsiao (National Taiwan University)

libFuzzer is a powerful fuzzer that has helped find thousands of bugs in real-world programs. However, fuzzers that seek to compare with libFuzzer and its variants face two significant limitations. First, they are restricted to use the time-to-first-crash metric rather than the code-coverage metric because libFuzzer will abort whenever the fuzzing target crashes. Second, even if libFuzzer in the ignore-crash mode can continue after finding a crash, it may produce wrong results for programs expecting a clean global context. Thus, fuzzers wishing to compare with libFuzzer are restricted to use carefully modified programs or programs without global-context dependency. To solve this context pollution problem and enhance comparability between libFuzzer and other fuzzers, we present a new libFuzzer mode called isolated-context mode (icLibFuzzer) that isolates the contexts of each fuzzer instance and fuzzing target, allowing to reinitialize the fuzzing target’s context after each execution efficiently. To implement icLibFuzzer, we modify libFuzzer’s in-process infrastructure into a lightweight forkserver infrastructure inspired by AFL’s design and propose structure packing, which speeds up the fuzzing speed by about 2x. We compare icLibFuzzer with four state-of-the-art fuzzers (AFL, Angora, QSYM, and Honggfuzz) using several real-world programs. The experiment result shows that icLibFuzzer outperforms these four fuzzers in most target programs after 24 hours of fuzzing and maintains the lead from 24 to 72 hours. To demonstrate that we can easily keep up with libFuzzer’s updates, we upgrade icLibFuzzer to using the latest libFuzzer (from LLVM9 to LLVM11) with no change to our code base. Our preliminary evaluation hints at icLibFuzzer-LLVM11’s promising improvement compared with icLibFuzzer-LLVM9 and AFL++, one of the latest fuzzers in the AFL family. We hope icLibFuzzer can serve as another baseline for fuzzing research. Our source code is available at GitHub.

View More Papers

Hunting the Haunter — Efficient Relational Symbolic Execution for...

Lesly-Ann Daniel (CEA, List, France), Sébastien Bardin (CEA, List, France), Tamara Rezk (Inria, France)

Read More

A Formal Analysis of the FIDO UAF Protocol

Haonan Feng (Beijing University of Posts and Telecommunications), Hui Li (Beijing University of Posts and Telecommunications), Xuesong Pan (Beijing University of Posts and Telecommunications), Ziming Zhao (University at Buffalo)

Read More

Safer Illinois and RokWall: Privacy Preserving University Health Apps...

Vikram Sharma Mailthody, James Wei, Nicholas Chen, Mohammad Behnia, Ruihao Yao, Qihao Wang, Vedant Agarwal, Churan He, Lijian Wang, Leihao Chen, Amit Agarwal, Edward Richter, Wen-mei Hwu, and Christopher Fletcher (University of Illinois at Urbana-Champaign); Jinjun Xiong (IBM); Andrew Miller and Sanjay Patel (University of Illinois at Urbana-Champaign)

Read More

On Building the Data-Oblivious Virtual Environment

Tushar Jois (Johns Hopkins University), Hyun Bin Lee, Christopher Fletcher, Carl A. Gunter (University of Illinois at Urbana-Champaign)

Read More