Invivo Fuzzing by Amplifying Actual Executions
| Published in: | Proceedings / International Conference on Software Engineering, pp. 1566-1578 |
|---|---|
| Main Authors: | , |
| Format: | Conference Proceeding |
| Language: | English |
| Published: | IEEE, 26.04.2025 |
| ISSN: | 1558-1225 |
| Online Access: | Get full text |
| Summary: | A major bottleneck that remains when fuzzing software libraries is the need for fuzz drivers, i.e., the glue code between the fuzzer and the library. Despite years of fuzzing, critical security flaws are still found, e.g., by manual auditing, because the fuzz drivers do not cover the complex interactions between the library and the host programs using it. In this work we propose an alternative approach to library fuzzing, which leverages a valid execution context that is set up by a given program using the library (the host) and amplifies its execution. More specifically, we execute the host until a designated function from a list of target functions has been reached, and then perform coverage-guided function-level fuzzing on it. Once the fuzzing quota is exhausted, we move on to fuzzing the next target from the list. In this way we not only reduce the amount of manual work needed by a developer to incorporate fuzzing into their workflow, but we also allow the fuzzer to explore parts of the library as they are used in real-world programs, parts that may otherwise not have been tested due to the simplicity of most fuzz drivers. |
|---|---|
| DOI: | 10.1109/ICSE55347.2025.00172 |