# STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

Zhuo Zhang, Wei You, Guanhong Tao, Yousra Aafer, Xuwei Liu, Xiangyu Zhang







Grey-box fuzzing is one of the most important techniques for software testing and vulnerability detection.

Grey-box fuzzing is one of the most important techniques for software testing and vulnerability detection.



**Bug Detection** 

- More than **21,000** bugs in the Chromium projects [1]
- More than **16,000** bugs in other open source projects [2]



- 79 Papers published in the top security conferences in the recent three years [3]
- 56 Papers published in the top software engineering conferences in the recent three years [3]

<sup>[1]</sup> https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AClusterFuzz+-status%3AWontFix%2CDuplicate&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids

<sup>[2]</sup> https://bugs.chromium.org/p/oss-fuzz/issues/list?can=1&q=-status%3AWontFix%2CDuplicate+-Infra&colspec=ID+Type+Component+Status+Proj+Reported+Owner+Summary&cells=ids

<sup>[3]</sup> https://wcventure.github.io/FuzzingPaper/

SŢOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting







Another scenario: binary-only fuzzing (no source code)



Another scenario: binary-only fuzzing (no source code)



## Another scenario: binary-only fuzzing (no source code)

- Bugs in close-sourced programs can also have unprecedented impact (e.g., WannaCry ransomware attack).
- It is important to effectively detect bugs in programs without source.





**Stochastic Process** 

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

Existing solutions fall into three categories.



<u>Dynamic Binary Translation</u>: Translate a subject binary during its execution. It is sound but expensive (high overhead >600%).



<u>Dynamic Binary Translation</u>: Translate a subject binary during its execution. It is sound but expensive (high overhead >600%).



<u>Hardware-Assisted Tracing</u>: Make use of advanced hardware support such as Intel PT to collect runtime traces that can be post-processed (Relatively high overhead and **only coverage-based feedback**).



<u>Dynamic Binary Translation</u>: Translate a subject binary during its execution. It is sound but expensive (high overhead >600%).



<u>Hardware-Assisted Tracing</u>: Make use of advanced hardware support such as Intel PT to collect runtime traces that can be post-processed (Relatively high overhead and **only coverage-based feedback**).



Static Binary Instrumentation: Leverage advanced binary analysis to directly instrument binaries (cost-effective but usually unsound).



<u>Dynamic Binary Translation</u>: Translate a subject binary during its execution. It is sound but expensive (high overhead >600%).



<u>Hardware-Assisted Tracing</u>: Make use of advanced hardware support such as Intel PT to collect runtime traces that can be post-processed (Relatively high overhead and **only coverage-based feedback**).



Static Binary Instrumentation: Leverage advanced binary analysis to directly instrument binaries (cost-effective but usually unsound).

```
.CODE1:
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax

.DATA:
15: .long 8
```

.CODE2:

ret

| Inst | Var | Val | Note |
|------|-----|-----|------|
|      |     |     |      |
|      |     |     |      |
|      |     |     |      |
|      |     |     |      |
|      |     |     |      |

```
.CODE1:

0: lea rax, [rip+8]

7: mov rbx, [rax]

10: add rax, rbx

13: jmp rax

.DATA:

15: .long 8

.CODE2:
```

|    | Inst     |         | Var | Val | Note  |
|----|----------|---------|-----|-----|-------|
| 0: | lea rax, | [rip+8] | rax | 15  | .DATA |
|    |          |         |     |     |       |
|    |          |         |     |     |       |
|    |          |         |     |     |       |
|    |          |         |     |     |       |

```
.CODE1:
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax

.DATA:
15: .long 8

.CODE2:
```

|    | Inst     |         | Var | Val | Note       |
|----|----------|---------|-----|-----|------------|
| 0: | lea rax, | [rip+8] | rax | 15  | .DATA      |
| 7: | mov rbx, | [rax]   | rbx | 8   | .CODE2DATA |
|    |          |         |     |     |            |
|    |          |         |     |     |            |
|    |          |         |     |     |            |

```
.CODE1:

0: lea rax, [rip+8]

7: mov rbx, [rax]

10: add rax, rbx

13: jmp rax

.DATA:

15: .long 8

.CODE2:

23: ret
```

|     | Inst     |         | Var | Val | Note       |
|-----|----------|---------|-----|-----|------------|
| 0:  | lea rax, | [rip+8] | rax | 15  | .DATA      |
| 7:  | mov rbx, | [rax]   | rbx | 8   | .CODE2DATA |
| 10: | add rax, | rbx     | rax | 23  | .CODE2     |
|     |          |         |     |     |            |
|     |          |         |     |     |            |

```
.CODE1:

0: lea rax, [rip+8]

7: mov rbx, [rax]

10: add rax, rbx

13: jmp rax

.DATA:

15: .long 8

.CODE2:

23: ret
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | jmp rax                     | jmp | .CODE2 | -          |
|     |                             |     |        |            |

```
.CODE1:
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax

.DATA:
15: .long 8

.CODE2:
23: ret
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | <pre>jmp rax</pre>          | jmp | .CODE2 | -          |
| 23: | ret                         | _   | _      | -          |

```
.CODE1:

0: lea rax, [rip+8]

7: mov rbx, [rax]

10: add rax, rbx

13: jmp rax

.DATA:

15: .long 8

.CODE2:

23: ret
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | jmp rax                     | jmp | .CODE2 | -          |
| 23: | ret                         | _   | _      | _          |

```
.CODE1:

0: lea rax, [rip+8]

7: mov rbx, [rax]

10: add rax, rbx

13: jmp rax

.DATA:

15: .long 8

.CODE2:
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | jmp rax                     | jmp | .CODE2 | -          |
| 23: | ret                         | _   | _      | -          |

- <u>Identify the interleaved data section</u>: due to the inline data (.DATA), rewriters may not only mis-rewrite data as code, but also fail to identify the indirect jump target (.CODE2).
- <u>Distinguish between scalars and the address offsets</u>: misclassifying an address offset (<u>.CODE2-.DATA</u>) as a scalar may break the rewritten binaries (note that addresses have changed after instrumentation).

```
.CODE1:
     lea rax, [rip+8]
 7:
     mov rbx, [rax]
     add rax, rbx
10:
13:
     jmp rax
15:
     or [rax], al
17:
     add [rax], al
19:
     add [rax], al
21:
     add [rax], al
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | jmp rax                     | jmp | .CODE2 | -          |
| 23: | ret                         | _   | ı      | -          |

- <u>Identify the interleaved data section</u>: due to the inline data (.DATA), rewriters may not only mis-rewrite data as code, but also fail to identify the indirect jump target (.CODE2).
- <u>Distinguish between scalars and the address offsets</u>: misclassifying an address offset (<u>.CODE2-.DATA</u>) as a scalar may break the rewritten binaries (note that addresses have changed after instrumentation).

```
.CODE1:
     lea rax, [rip+8]
 7:
     mov rbx, [rax]
     add rax, rbx
10:
13:
     jmp rax
15:
     or [rax], al
17:
     add [rax], al
19:
     add [rax], al
21:
     add [rax], al
```

|     | Inst                        | Var | Val    | Note       |
|-----|-----------------------------|-----|--------|------------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10: | add rax, rbx                | rax | 23     | .CODE2     |
| 13: | jmp rax                     | jmp | .CODE2 | -          |
| 23: | ret                         | _   | ı      | -          |

- <u>Identify the interleaved data section</u>: due to the inline data (.DATA), rewriters may not only mis-rewrite data as code, but also fail to identify the indirect jump target (.CODE2).
- <u>Distinguish between scalars and the address offsets</u>: misclassifying an address offset (<u>.CODE2-.DATA</u>) as a scalar may break the rewritten binaries (note that addresses have changed after instrumentation).

```
.CODE1:
     lea rax, [rip+8]
 7:
     mov rbx, [rax]
     add rax, rbx
10:
13:
     jmp rax
15:
     or [rax], al
17:
     add [rax], al
19:
     add [rax], al
21:
     add [rax], al
```

|     | Inst                        | Var | Val | Note   |
|-----|-----------------------------|-----|-----|--------|
| 0:  | <pre>lea rax, [rip+8]</pre> | rax | 15  | .DATA  |
| 7:  | <pre>mov rbx, [rax]</pre>   | rbx | 8   |        |
| 10: | add rax, rbx                | rax | 23  | .CODE2 |
| 13: | jmp rax                     | jmp | ??? | -      |
| 23: | ret                         | _   | -   | -      |

- <u>Identify the interleaved data section</u>: due to the inline data (.DATA), rewriters may not only mis-rewrite data as code, but also fail to identify the indirect jump target (.CODE2).
- <u>Distinguish between scalars and the address offsets</u>: misclassifying an address offset (<u>.CODE2-.DATA</u>) as a scalar may break the rewritten binaries (note that addresses have changed after instrumentation).

```
.CODE1:
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax
.DATA:
15: .long 8
```

|     | .CODE2 | • |
|-----|--------|---|
| 23: | ret    |   |

RetroWrite, e9patch, and datalog disassembly (the version before we reported the issue) all fail on a similar case.

| Inst |                             | Var | Val    | Note       |
|------|-----------------------------|-----|--------|------------|
| 0:   | <pre>lea rax, [rip+8]</pre> | rax | 15     | .DATA      |
| 7:   | <pre>mov rbx, [rax]</pre>   | rbx | 8      | .CODE2DATA |
| 10:  | add rax, rbx                | rax | 23     | .CODE2     |
| 13:  | jmp rax                     | jmp | .CODE2 | -          |
| 23:  | ret                         | _   | _      | -          |

- <u>Identify the interleaved data section</u>: due to the inline data (<u>.DATA</u>), rewriters may not only mis-rewrite data as code, but also fail to identify the indirect jump target (.CODE2).
- <u>Distinguish between scalars and the address offsets</u>: misclassifying an address offset (<u>.CODE2-.DATA</u>) as a scalar may break the rewritten binaries (note that addresses have changed after instrumentation).

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

How we handle the motivation case: Incremental Rewriting

The first technique we introduced is named Incremental Rewriting.

- While grey-box fuzzers continuously mutate inputs across test runs, they may as well be enhanced to mutate the program on-the-fly.
- As such, disassembly and static rewriting (which are difficult due to the lack of symbol information and difficulties in resolving indirect jumps/calls offline) can be *incrementally performed over time*.

The first technique we introduced is named Incremental Rewriting.

- While grey-box fuzzers continuously mutate inputs across test runs, they may as well be enhanced to mutate the program on-the-fly.
- As such, disassembly and static rewriting (which are difficult due to the lack of symbol information and difficulties in resolving indirect jumps/calls offline) can be *incrementally performed over time*.

Our basic idea is to trigger an intentional crash once an unresolved control flow target is reached. Starting from the address where the crash happens, we can incrementally rewrite all directly reachable addresses.

The fuzzer continues fuzzing with the new binary and the incremental rewriting is invoked again if other intentional crashes occur.

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

How we handle the motivation case: Incremental Rewriting

```
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax
15: .long 8
23: ret
```

```
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax
15: .long 8
23: ret
```

- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).



- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).



- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).



- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).

#### How we handle the motivation case: Incremental Rewriting



For easy understanding, let's first assume:

- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).

### How we handle the motivation case: Incremental Rewriting



For easy understanding, let's first assume:

- Our underlying binary analysis cannot find the indirect jump target (address 23 .CODE2).
- We can 100% accurately distinguish code and data (later, I will explain what if this assumption does not hold).

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

The second technique we introduced is named **Stochastic Rewriting**.

- During fuzzing, we can try different data and code separations.
- More samples we collect, more precise separation we can have.

The second technique we introduced is named **Stochastic Rewriting**.

- During fuzzing, we can try different data and code separations.
- More samples we collect, more precise separation we can have.

- A probabilistic inference to compute the likelihood of each byte being data (or code)
- Generating different binaries for different fuzzing runs
- A error diagnosis process to locate and repair rewriting errors

The second technique we introduced is named **Stochastic Rewriting**.

- During fuzzing, we can try different data and code separations.
- More samples we collect, more precise separation we can have.

- A probabilistic inference to compute the likelihood of each byte being data (or code)
- Generating different binaries for different fuzzing runs
- A error diagnosis process to locate and repair rewriting errors

The second technique we introduced is named **Stochastic Rewriting**.

- During fuzzing, we can try different data and code separations.
- More samples we collect, more precise separation we can have.

- A probabilistic inference to compute the likelihood of each byte being data (or code)
- Generating different binaries for different fuzzing runs
- A error diagnosis process to locate and repair rewriting errors

The second technique we introduced is named **Stochastic Rewriting**.

- During fuzzing, we can try different data and code separations.
- More samples we collect, more precise separation we can have.

- A probabilistic inference to compute the likelihood of each byte being data (or code)
- Generating different binaries for different fuzzing runs
- A error diagnosis process to locate and repair rewriting errors

```
0: lea rax, [rip+8]
7: mov rbx, [rax]
10: add rax, rbx
13: jmp rax
15: .long 8
23: ret
```

#### - Probability of being data bytes

```
0.0
     0:
          lea rax, [rip+8]
         mov rbx, [rax]
0.0
     7:
         add rax, rbx
    10:
0.0
   13:
          jmp rax
0.0
0.3 | 15:
          .long 8
0.1 | 23:
          ret
```









??? | 23:

ret











| A <u>ddr</u> | • | Byte |   | [Len | Decoded Instruction |
|--------------|---|------|---|------|---------------------|
| 0            | : | 48   | ı | [3]  | xor rcx, rcx        |
| 1            | : | 31   | 1 | [2]  | xor ecx, ecx        |
| 2            | : | с9   | 1 | [1]  | leave               |
| 3            | : | 48   | 1 | [4]  | cmp rcx, 5          |
| 4            | : | 83   | 1 | [3]  | cmp ecx, 5          |
| 5            | : | f9   | 1 | [1]  | stc                 |
| 6            | : | 05   | 1 | [0]  | INVALID             |
| 7            | : | с3   | 1 | [1]  | ret                 |



| Addr | • | Byte       |   | [Len] | ] De | coded      | Instruct | ion |
|------|---|------------|---|-------|------|------------|----------|-----|
| 0    | : | 48         | I | [3]   | xor  | rcx,       | rcx      |     |
| 1    | : | 31         | 1 | [2]   | xor  | ecx,       | ecx      |     |
| 2    | : | <b>c</b> 9 | ı | [1]   | leav | <i>7</i> e |          |     |
| 3    | : | 48         | 1 | [4]   | cmp  | rcx,       | 5        |     |
| 4    | : | 83         | 1 | [3]   | cmp  | ecx,       | 5        |     |
| 5    | : | f9         | 1 | [1]   | stc  |            |          |     |
| 6    | : | 05         | 1 | [0]   | INV  | ALID       |          |     |
| 7    | : | с3         | 1 | [1]   | ret  |            |          |     |



| Addr | • | Byte |   | [Len] | De   | coded      | Instruct | ion |
|------|---|------|---|-------|------|------------|----------|-----|
| 0    | : | 48   | ı | [3]   | xor  | rcx,       | rcx      |     |
|      |   |      |   |       |      | ecx,       |          |     |
| 2    | : | с9   | I | [1]   | leav | <b>7</b> e |          |     |
| 3    | : | 48   | I | [4]   | cmp  | rcx,       | 5        |     |
| 4    | : | 83   | 1 | [3]   | cmp  | ecx,       | 5        |     |
| 5    | : | f9   |   | [1]   | stc  |            |          |     |
| 6    | : | 05   | 1 | [0]   | INV  | ALID       |          |     |
| 7    | : | с3   | 1 | [1]   | ret  |            |          |     |

If there is a definition-use relation between two addresses, both addresses are likely to be code

• Address *0* and address *3* have a definition-use relation about register *rcx*.



| A <u>ddr</u> | • | Byte       |   | [Len] | <b>Decoded Instruction</b> |
|--------------|---|------------|---|-------|----------------------------|
| 0            | : | 48         | ı | [3]   | xor rcx, rcx               |
| 1            | : | 31         | 1 | [2]   | xor ecx, ecx               |
| 2            | : | <b>c9</b>  | 1 | [1]   | leave                      |
| 3            | : | 48         | 1 | [4]   | cmp rcx, 5                 |
| 4            | : | 83         | 1 | [3]   | cmp ecx, 5                 |
| 5            | : | f9         | ı | [1]   | stc                        |
| 6            | : | 05         | 1 | [0]   | INVALID                    |
| 7            | : | <b>c</b> 3 | I | [1]   | ret                        |

If there is a definition-use relation between two addresses, both addresses are likely to be code

• Address *0* and address *3* have a definition-use relation about register *rcx*.

The control flow cannot reach invalid instructions or data

• Address 5 cannot be a valid instruction boundary as it leads to an *invalid* instruction.

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

Error Diagnosis: Delta Debugging

# Error Diagnosis: Delta Debugging

- Stochastic Rewriting needs to locate and repair the crashs inducing rewriting errors.
- Delta Debugging
  - A binary-search like debugging technique
  - Check whether the unintentional crash can be reproduced with part of uncertain addresses patched

# Error Diagnosis: Delta Debugging

- Stochastic Rewriting needs to locate and repair the crashs inducing rewriting errors.
- Delta Debugging
  - A binary-search like debugging technique
  - Check whether the unintentional crash can be reproduced with part of uncertain addresses patched

We also address a number of practical challenges

- Rewriting optimization (e.g., removing flag register saving)
- Supporting stack unwinding (e.g., exception handling in C++)
- Reducing process set up cost
- Safeguarding non-crashing rewriting errors
- Handling overlapping rewriting

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

# Evaluation

#### Evaluation

#### **Benchmark:**

- Google Fuzzer Test Suite (Google FTS)
- Google Fuzzer Test Suite w/ inlined data
- Fuzzing benchmark from RetroWrite

#### **Baselines**:

- <u>E9patch</u>: static binary rewriting [PLDI'20]
- <u>Datalog Disassembly</u>: static binary rewriting [USENIX Security'20]
- *RetroWrite*: static binary rewriting [S&P'20]
- <u>PTFuzzer</u>: hardware-assisted fuzzing [IEEE Access'18]
- <u>AFL-Qemu</u>: dynamic binary translation
- <u>AFL-GCC</u>: compiler-based instrumentation
- <u>AFL-Clang-fast</u>: compiler-based instrumentation

#### Evaluation

#### **Benchmark:**

- Google Fuzzer Test Suite (Google FTS)
- Google Fuzzer Test Suite w/ inlined data
- Fuzzing benchmark from RetroWrite

#### **Baselines**:

- <u>E9patch</u>: static binary rewriting [PLDI'20]
- <u>Datalog Disassembly</u>: static binary rewriting [USENIX Security'20]
- *RetroWrite*: static binary rewriting [S&P'20]
- <u>PTFuzzer</u>: hardware-assisted fuzzing [IEEE Access'18]
- <u>AFL-Qemu</u>: dynamic binary translation
- <u>AFL-GCC</u>: compiler-based instrumentation
- <u>AFL-Clang-fast</u>: compiler-based instrumentation

#### Evaluation

#### **Benchmark:**

- Google Fuzzer Test Suite (Google FTS)
- Google Fuzzer Test Suite w/ inlined data
- Fuzzing benchmark from RetroWrite

#### **Baselines**:

- <u>E9patch</u>: static binary rewriting [PLDI'20]
- <u>Datalog Disassembly</u>: static binary rewriting [USENIX Security'20]
- *RetroWrite*: static binary rewriting [S&P'20]
- <u>PTFuzzer</u>: hardware-assisted fuzzing [IEEE Access'18]
- <u>AFL-Qemu</u>: dynamic binary translation
- <u>AFL-GCC</u>: compiler-based instrumentation
- <u>AFL-Clang-fast</u>: compiler-based instrumentation

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting







- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.
  - AFL-Qemu: **88.71%**
  - PTFuzzer: **75.81%**







- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.
  - AFL-Qemu: **88.71%**
  - PTFuzzer: 75.81%





- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.
  - AFL-Qemu: **88.71%**
  - PTFuzzer: 75.81%





- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.
  - AFL-Qemu: **88.71%**
  - PTFuzzer: 75.81%





- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.
  - AFL-Qemu: **88.71%**
  - PTFuzzer: 75.81%







- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.

• AFL-Qemu: **88.71%** 

• PTFuzzer: **75.81%** 

| • AFL-GCC:                               | 124.1 million        |
|------------------------------------------|----------------------|
| • AFL-Clang-fast:                        | 138.1 million        |
| • AFL-Qemu:                              | 16.0 million         |
| • PTFuzzer:                              | 24.4 million         |
| • E9patch:                               | 23.8 million         |
| <ul> <li>Datalog Disassembly:</li> </ul> | 98.7 million         |
| • STOCHFUZZ:                             | <b>129.3</b> million |

- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.

• AFL-Qemu: **88.71%** 

• PTFuzzer: **75.81%** 

| • AFL-GCC:                               | 124.1 million        |
|------------------------------------------|----------------------|
| • AFL-Clang-fast:                        | 138.1 million        |
| • AFL-Qemu:                              | 16.0 million         |
| • PTFuzzer:                              | 24.4 million         |
| • E9patch:                               | 23.8 million         |
| <ul> <li>Datalog Disassembly:</li> </ul> | 98.7 million         |
| • STOCHFUZZ:                             | <b>129.3</b> million |

- Existing static rewriting techniques (e9patch and datalog disasm) fail on 12.5–37.5% of the programs, while StochFuzz succeeds on all the 24 programs.
- Compared with *afl-clang-fast*, the IR-based instrumentation, StochFuzz only has **11.77%** slowdown on average.
- Other tools have relatively higher overhead.

• AFL-Qemu: **88.71%** 

• PTFuzzer: **75.81%** 

| • AFL-GCC:                               | 124.1 million        |
|------------------------------------------|----------------------|
| • AFL-Clang-fast:                        | 138.1 million        |
| • AFL-Qemu:                              | 16.0 million         |
| • PTFuzzer:                              | 24.4 million         |
| • E9patch:                               | 23.8 million         |
| <ul> <li>Datalog Disassembly:</li> </ul> | 98.7 million         |
| • STOCHFUZZ:                             | <b>129.3</b> million |

STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

Evaluation: Progress of Incremental and Stochastic Rewriting (*freetype2*)

We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.

We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.

We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.

- The process almost converges at the first 5 minutes.
- The number of crashes by rewriting errors is very small compared to that of intentional crashes (i.e., most rewriting errors are fixed by observing new coverage, without triggering unintentional crashes).



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.

- The process almost converges at the first 5 minutes.
- The number of crashes by rewriting errors is very small compared to that of intentional crashes (i.e., most rewriting errors are fixed by observing new coverage, without triggering unintentional crashes).



We hence modify the compilation tool-chain of Google FTS to force .*rodata* sections to be interleaved with .*text* sections.

- The process almost converges at the first 5 minutes.
- The number of crashes by rewriting errors is very small compared to that of intentional crashes (i.e., most rewriting errors are fixed by observing new coverage, without triggering unintentional crashes).



```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
}
```

**AFL** Instrumentation

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
}
```

**AFL** Instrumentation

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
}
```

**AFL** Instrumentation

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
    ijon value(x, y);
}
```

**IJON Instrumentation** 

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
}
```

**AFL** Instrumentation

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
    ijon value(x, y);
}
```

**IJON Instrumentation** 

- *IJON*: state-aware fuzzing [S&P'20]
- We port IJON to support binary-only fuzzing based on AFL-Qemu and STOCHFUZZ
- The same maze experiment
- STOCHFUZZ is 8× faster than afl-qemu, and only has around 8% slowdown compared with source-code based IJON

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
}
```

**AFL** Instrumentation

```
while (...) {
    afl_coverage();
    char c = input();
    if (c == 'A') {
        afl_coverage();
        x = change(x, c);
    } else {
        afl_coverage();
        y = change(y, c);
    }
    ijon value(x, y);
}
```

**IJON Instrumentation** 

#### Related Works

#### **Binary Rewriting and Binary-only Fuzzing:**

- Flores-Montoya, Antonio, and Eric Schulte. "Datalog disassembly." 29th {USENIX} Security Symposium ({USENIX} Security 20). 2020.
- Duck, Gregory J., Xiang Gao, and Abhik Roychoudhury. "Binary rewriting without control flow recovery." *Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation*. 2020.
- Dinesh, Sushant, et al. "Retrowrite: Statically instrumenting cots binaries for fuzzing and sanitization." 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020.
- Zhang, Gen, et al. "Ptfuzz: Guided fuzzing with processor trace feedback." *IEEE Access* 6 (2018): 37302-37313.
- Chen, Yaohui, et al. "Ptrix: Efficient hardware-assisted fuzzing for cots binary." *Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security*. 2019.
- S.Schumilo, C.Aschermann, R.Gawlik, S.Schinzel, and T.Holz, "kafl: Hardware-assisted feedback fuzzing for {OS} kernels," in USENIX Security, 2017, pp. 167–182.

#### **Probabilistic Program Analysis:**

- Borges, Mateus, et al. "Iterative distribution-aware sampling for probabilistic symbolic execution." *Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering*. 2015.
- Miller, Kenneth, et al. "Probabilistic disassembly." 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). IEEE, 2019.



#### We develop a new fuzzing technique for stripped binaries.

- It features a novel incremental and stochastic rewriting technique that piggy-backs on the fuzzing procedure.
- It leverages the large number of trial-and-error chances provided by the numerous fuzzing runs to improve rewriting accuracy over time.
- It has probabilistic guarantees on soundness.
- The empirical results show that it outperforms state-of-the-art binary-only fuzzers that are either not sound or having higher overhead.

#### We develop a new fuzzing technique for stripped binaries.

- It features a novel incremental and stochastic rewriting technique that piggy-backs on the fuzzing procedure.
- It leverages the large number of trial-and-error chances provided by the numerous fuzzing runs to improve rewriting accuracy over time.
- It has probabilistic guarantees on soundness.
- The empirical results show that it outperforms state-of-the-art binary-only fuzzers that are either not sound or having higher overhead.

# Thanks!

#### We develop a new fuzzing technique for stripped binaries.

- It features a novel incremental and stochastic rewriting technique that piggy-backs on the fuzzing procedure.
- It leverages the large number of trial-and-error chances provided by the numerous fuzzing runs to improve rewriting accuracy over time.
- It has probabilistic guarantees on soundness.
- The empirical results show that it outperforms state-of-the-art binary-only fuzzers that are either not sound or having higher overhead.

Thanks!



Github Repo



zhan3299@purdue.edu