Unleashing Coveraged-Based Fuzzing Through Comprehensive, Efficient, and Faithful Exploitable-Bug Exposing

Fuzzing has become an essential means of finding software bugs. Bug finding through fuzzing requires two parts-exploring code paths to reach bugs and exposing bugs when they are reached. Existing fuzzing research has primarily focused on improving code coverage but not on exposing bugs. Sanitizers such as AddressSanitizer (ASAN) and MemorySanitizer (MSAN) have been the dominating tools for exposing bugs. However, sanitizer-based bug exposing has the following limitations. (1) sanitizers are not compatible with each other. (2) sanitizers incur significant runtime overhead. (3) sanitizers may generate false positives, and (4) exposed bugs may not be exploitable. To address these limitations, we propose Expozzer, a fuzzing system that can expose bugs comprehensively, efficiently, and faithfully. The intuition of Expozzer is to detect bugs through divergences in a properly diversified dual-execution environment, which does not require maintaining or checking execution metadata. We design a practical and deterministic dual-execution engine, a co-design for dual-execution and fuzzers, bug-sensitive diversification, comprehensive, and efficient divergence detection to ensure the effectiveness of Expozzer. The results of evaluations show that Expozzer can detect not only CVE-assigned vulnerabilities reliably, but also new vulnerabilities in well-tested real-world programs. Expozzer is 10 times faster than MemorySanitizer and is similar to AddressSanitizer.