StorFuzz: Using Data Diversity to Overcome Fuzzing Plateaus
2026
Research Hub
Hub 3: Trustworthy Systems
Hub 4: Distributed and Decentralized Security
Abstract
Fuzzing is widely used to discover software bugs and vulnerabilities. Unfortunately, real-world long-running fuzzing campaigns often plateau, making no further progress and leaving code areas untested. State-of-the-art fuzzers leverage code coverage to measure progress and reach new areas, but this is insufficient to capture all program behavior: different behaviors may produce identical code coverage, which stalls progress and masks bugs.
In this paper, we introduce StorFuzz, a novel technique to overcome fuzzing plateaus and improve on code coverage by leveraging our new data coverage. StorFuzz automatically identifies and instruments memory stores to capture changes in program behavior invisible to control flow, which it uses to diversify the saturated corpora of plateaued campaigns. StorFuzz leverages this diversified corpus of test cases that changed internal states to improve navigation of the input space, which also enables conventional fuzzers to improve their code coverage. We implement StorFuzz in LibAFL and evaluate on FuzzBench, starting from a corpus that is saturated by multi-month OSS-Fuzz fuzzing campaigns and LibAFL.
We show that StorFuzz successfully generates new coverage for plateauing campaigns of widely-used and well-fuzzed software, leading to the discovery of 50 new bugs in 7 OSS-Fuzz projects, such as VLC and PHP, with some bugs having been present in the code for 14 years. Our approach significantly outperforms both the state-of-the-art fuzzer LibAFL and the data-guided fuzzer DDFuzz in 11 of 23 FuzzBench benchmarks, while performing equally on all others. StorFuzz is also complementary to WingFuzz, an approach guided by static data, as the two fuzzers cover distinct code regions.
Source Code and Data: github.com/rub-softsec/StorFuzz
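The abstract's central observation is that two inputs can have identical code coverage while driving the program into different internal states. The following C example is added here for illustration and is not StorFuzz's code: the store hook, its bit-length bucketing of stored values, the toy target and the bitmap sizes are all assumptions. It keeps a conventional edge-coverage bitmap next to a store-site bitmap and shows a second input that adds nothing to the former but is still kept because of the latter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 256
static uint8_t edge_map[MAP_SIZE];   /* conventional edge-coverage bitmap */
static uint8_t store_map[MAP_SIZE];  /* data coverage: (store site, value class) */
uint32_t g_state;                    /* the toy target's internal state */
static void hit_edge(unsigned id) { edge_map[id % MAP_SIZE] = 1; }

/* Hypothetical store hook an instrumentation pass would call at each memory
 * store. Values are bucketed by bit length (assumed scheme), so a store of a
 * new magnitude at the same site counts as new feedback. */
static void hit_store(unsigned site, uint32_t value) {
    unsigned bucket = 0;
    while (value >>= 1) bucket++;                       /* 0..31 */
    store_map[(site * 37u + bucket) % MAP_SIZE] = 1;
}

/* Constructed toy target: every input of 4+ bytes takes the same edges, but
 * the value it stores into g_state depends on the input bytes. */
static void target(const uint8_t *in, size_t len) {
    hit_edge(1);
    if (len < 4) { hit_edge(2); return; }
    hit_edge(3);
    uint32_t v = (uint32_t)in[0] | (uint32_t)in[1] << 8
               | (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    g_state = v;                                        /* store site 0 */
    hit_store(0, v);
}

static unsigned count_set(const uint8_t *m) {
    unsigned n = 0; for (size_t i = 0; i < MAP_SIZE; i++) n += m[i] != 0; return n;
}
void reset_maps(void) { memset(edge_map, 0, MAP_SIZE); memset(store_map, 0, MAP_SIZE); }

/* Runs one input and reports whether it produced new edge and/or new store
 * feedback; returns 1 if a corpus scheduler should keep the input. */
int run_input(const uint8_t *in, size_t len, int *new_edge, int *new_store) {
    unsigned e0 = count_set(edge_map), s0 = count_set(store_map);
    target(in, len);
    *new_edge = count_set(edge_map) > e0;
    *new_store = count_set(store_map) > s0;
    return *new_edge || *new_store;
}

int main(void) {
    static const uint8_t a[4] = {1, 0, 0, 0}, b[4] = {0, 1, 0, 0};
    int e, s;
    run_input(a, 4, &e, &s); run_input(b, 4, &e, &s);   /* b: same edges, new data */
    return printf("second input: new_edge=%d new_store=%d\n", e, s) < 0;
}
```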