Refined Grey-Box Fuzzing with SIVO
This work provides a more effective and adaptive grey-box fuzzer for security researchers and software testers, leading to higher code coverage and more vulnerability discoveries.
The paper introduces SIVO, a new grey-box fuzzer that refines data-flow fuzzing with a logarithmic-time taint inference engine and an efficient branch inversion method. It also improves code coverage tracking and dynamically optimizes fuzzing parameters. SIVO outperforms 11 state-of-the-art fuzzers on 27 benchmarks in both code coverage and vulnerability detection.
We design and implement from scratch a new fuzzer called SIVO that refines multiple stages of grey-box fuzzing. First, SIVO refines data-flow fuzzing in two ways: (a) it provides a new taint inference engine that requires only logarithmic in the input size number of tests to infer the dependency of all program branches on the input bytes, and (b) it deploys a novel method for inverting branches by solving directly and efficiently systems of inequalities. Second, our fuzzer refines accurate tracking and detection of code coverage with simple and easily implementable methods. Finally, SIVO refines selection of parameters and strategies by parameterizing all stages of fuzzing and then dynamically selecting optimal values during fuzzing. Thus the fuzzer can easily adapt to a target program and rapidly increase coverage. We compare our fuzzer to 11 other state-of-the-art grey-box fuzzers on 27 popular benchmarks. Our evaluation shows that SIVO scores the highest both in terms of code coverage and in terms of number of found vulnerabilities.