Sand: Decoupling Sanitization from Fuzzing for Low Overhead

Sanitizers provide robust test oracles for various vulnerabilities. Fuzzing on sanitizer-enabled programs has been the best practice to find software bugs. Since sanitizers require heavy program instrumentation to insert run-time checks, sanitizerenabled programs have much higher overhead compared t...

Full description

Saved in:
Bibliographic Details
Published in:Proceedings / International Conference on Software Engineering pp. 255 - 267
Main Authors: Kong, Ziqiao, Li, Shaohua, Huang, Heqing, Su, Zhendong
Format: Conference Proceeding
Language:English
Published: IEEE 26.04.2025
Subjects:
afl
Best practices
Computer bugs
coverage-guided fuzzing
Fuzzing
Instruments
sanitizers
Software
Software engineering
ISSN:1558-1225
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Sanitizers provide robust test oracles for various vulnerabilities. Fuzzing on sanitizer-enabled programs has been the best practice to find software bugs. Since sanitizers require heavy program instrumentation to insert run-time checks, sanitizerenabled programs have much higher overhead compared to normally built programs. In this paper, we present SAND, a new fuzzing framework that decouples sanitization from the fuzzing loop. SAND performs fuzzing on a normally built program and only invokes the sanitizerenabled program when input is shown to be interesting. Since most of the generated inputs are not interesting, i.e., not bugtriggering, SAND allows most of the fuzzing time to be spent on the normally built program. We further introduce execution pattern to practically and effectively identify interesting inputs. We implement SAND on top of AFL++ and evaluate it on 20 real-world programs. Our extensive evaluation highlights its effectiveness: in 24 hours, compared to all the baseline fuzzers, SAND significantly discovers more bugs while not missing any.
ISSN:1558-1225
DOI:10.1109/ICSE55347.2025.00187