🤖 AI Summary
This work addresses the inefficiency of traditional fuzzing in black-box or obfuscated binary programs where static instrumentation is infeasible and control-flow feedback is unavailable. The authors propose a dynamic feedback mechanism based on Execution Divergence Graphs (EDGs), which constructs control-flow-like structures at runtime by analyzing execution traces to precisely identify path divergences and avoid redundant exploration of loops. Requiring no static program information, the approach integrates divergence detection with an EDG-guided input mutation strategy. Evaluated on multiple obfuscated targets, it substantially outperforms blind fuzzers, demonstrating its effectiveness in non-instrumented settings. Furthermore, the framework is extensible to multidimensional feedback channels, such as power consumption, broadening its applicability in side-channel-aware fuzzing scenarios.
📝 Abstract
Fuzz testing is a popular approach to the security testing of proprietary software. Efficient testing strategies rely on execution feedback to guide the input generation process, particularly when the basic blocks in the binary can be directly observed and instrumented. Unfortunately, collecting such feedback is impossible in scenarios such as in-situ fuzzing of black-box devices and the fuzzing of obfuscated compiled binaries. In this work, we discuss approaches to guide the fuzzer using feedback derived from a control-flow-graph-like (CFG-like) structure constructed from runtime execution.
We start by outlining a simple divergence-detection approach that identifies unique execution traces, and then present an improved approach based on an Execution Divergence Graph (EDG). We implement both approaches and demonstrate that they outperform a baseline blind fuzzer. In addition, we discuss particular challenges, such as repeated code execution in loops, and show that the EDG-based approach handles them effectively. We then demonstrate that our approach enables effective fuzzing of a number of obfuscated targets, and compare its performance in scenarios where static instrumentation is impossible. While we focus on a scenario in which full instruction traces are directly observable by the attacker, our scheme can also be applied in scenarios with other feedback channels, such as power consumption.