Extending the capacity of program-aware fuzzing with binary-level static analysis

Program-aware fuzzing is a way to utilize knowledge about program behaviors during a fuzzing campaign. In this dissertation, we argue that we can extend the capacity of program-aware fuzzing by applying binary-level static analysis to previously less-explored targets. First, OS-level system binaries are significantly larger than regular application binaries, so they have rarely been a feasible target for static analysis. We enable scalable static analysis of system binaries with the help of modular analysis and demonstrate the first Windows kernel fuzzer that is aware of high-level system call semantics. Second, there are recently emerging execution environments, such as EVM, where traditional binary-level analysis does not apply. We broaden the scope of static binary analysis to the EVM architecture and achieve program-awareness in smart contract fuzzing by inferring meaningful function call orders with data-flow knowledge. With the two systems, we demonstrate that the program knowledge obtained from our static analyses can indeed enhance the performance of fuzzing.
Advisors
Cha, Sang Kil (차상길)
Description
Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2022
Identifier
325007
Language
eng
Description

Doctoral thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2022.2, [v, 70 p.]

URI
http://hdl.handle.net/10203/309293
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=996450&flag=dissertation
Appears in Collection
IS-Theses_Ph.D. (Doctoral theses)
Files in This Item
There are no files associated with this item.
