InsFuzz: Fuzzing Binaries With Location Sensitivity

2019 
Fuzzing is a popular technique that is widely used to find software bugs. However, fuzzing remains limited in finding bugs that lie on deep paths, since it has difficulty bypassing the complex checks of the target program. In this paper, we propose a location-sensitive fuzzing approach, named InsFuzz, that leverages lightweight program analysis. We use static analysis and binary instrumentation to infer the bytes that can influence comparison instructions, which we call key bytes, and then to infer the relationship between the key bytes and the comparison instructions during execution. This lets the fuzzer know which bytes are worth mutating and how they should be mutated. In addition, we collect comparison progress information during execution (i.e., we record the number of matching bytes between the two operands of a comparison instruction) and preserve mutated inputs with higher comparison progress, so the fuzzer can break through comparison instructions efficiently. We first evaluated InsFuzz on the LAVA-M dataset against other fuzzers, including AFL-Dyninst, and then compared InsFuzz with AFL-Dyninst on five real-world programs. On LAVA-M, InsFuzz found more bugs than the fuzzers we compared against, including some bugs that the LAVA-M authors did not list. On the real-world programs, InsFuzz triggered more unique crashes and covered more code than AFL-Dyninst.
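As an added illustration (not code from the InsFuzz paper), the following Python toy models the comparison-progress feedback the abstract describes: a constructed target guards a deep path with a 4-byte comparison, the "instrumentation" reports how many operand bytes match, and a greedy loop keeps only mutants whose progress improves. The key-byte offsets are assumed to be known here; in InsFuzz they are inferred by static analysis and binary instrumentation.

```python
import random

# Constructed toy target (not the paper's code). A deep path is guarded by a
# 4-byte comparison against a constant. InsFuzz instruments the binary's
# comparison instructions; here the function returns the comparison progress
# (number of matching operand bytes) directly.
MAGIC = b"BUGS"
KEY_OFFSETS = [4, 5, 6, 7]   # assumed key bytes feeding the comparison

def instrumented_target(data: bytes) -> int:
    """Return comparison progress: how many bytes of data[4:8] match MAGIC."""
    if len(data) < 8:
        return 0
    return sum(1 for a, b in zip(data[4:8], MAGIC) if a == b)

def mutate(data: bytes, offsets, rng: random.Random) -> bytes:
    """Overwrite one byte chosen from `offsets` with a random value."""
    buf = bytearray(data)
    buf[rng.choice(offsets)] = rng.randrange(256)
    return bytes(buf)

def fuzz(seed: bytes, offsets, max_iters: int, rng_seed: int = 1):
    """Greedy loop: keep a mutant only if its comparison progress improves.
    Returns (best_input, iterations_used, check_passed)."""
    rng = random.Random(rng_seed)
    best, best_progress = seed, instrumented_target(seed)
    for i in range(1, max_iters + 1):
        cand = mutate(best, offsets, rng)
        progress = instrumented_target(cand)
        if progress > best_progress:       # higher progress -> preserve input
            best, best_progress = cand, progress
        if best_progress == len(MAGIC):    # comparison fully satisfied
            return best, i, True
    return best, max_iters, False

def compare_strategies(seed: bytes = bytes(16)):
    """Key-byte mutation (location sensitive) vs. mutating any byte (blind)."""
    key = fuzz(seed, KEY_OFFSETS, max_iters=50_000)
    blind = fuzz(seed, list(range(len(seed))), max_iters=200_000)
    return {"key_bytes": key, "blind": blind}

if __name__ == "__main__":
    for name, (inp, iters, ok) in compare_strategies().items():
        print(f"{name:9s} passed={ok} iters={iters} bytes[4:8]={inp[4:8]!r}")
```

Restricting mutation to the inferred key bytes shrinks the search space the fuzzer has to explore per comparison; the progress feedback is what lets the loop solve the check one byte at a time instead of needing all four at once.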