Directed Fuzzing Based on Program Dynamic Instrumentation

2019 International Conference on Engineering Technologies and Computer Science (EnT)(2019)

Cited by 4 | Views 1
Abstract
In this paper we present a new approach to directed fuzzing that speeds up the generation of inputs which execute specific instructions of the target program. Existing fuzzing tools randomly generate or mutate input data to increase code coverage; this approach is not effective for analyzing particular code regions. The basic idea of the paper is to instrument the target program so that the interesting code fragments are executed as soon as possible. For that purpose we detect all paths in the program that connect the program's entry point to the considered instructions. We then apply two types of instrumentation. In the first case we insert coverage-collection instructions only on the detected paths, which lets the fuzzing tool treat generated or mutated input data as valuable when the distance between the executed blocks and the target points decreases. In the second case we additionally insert 'exit(0)' instructions in those basic blocks from which the target points are unreachable and whose execution therefore has no influence on reaching them. This allows the fuzzing speed to be increased many times over.
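The two instrumentation decisions described in the abstract can be computed from a control-flow graph with two reachability passes: a forward pass from the entry point (which blocks can execute at all) and a backward pass from the target blocks (which blocks can still reach a target, and at what distance). The following is an added example, not code from the paper or its tool: it works on a small constructed CFG of a hypothetical input parser and produces, per basic block, either a distance annotation (coverage collection on entry-to-target paths), an `exit(0)` marker (block reachable but cannot reach the target), or nothing (block never reached). The `spare_post_target` option is our own addition, not something the paper describes.

```python
from collections import deque

# Constructed toy CFG of a hypothetical input-parsing program (not from the paper):
# basic block name -> list of successor blocks. "dead" is never reached from entry.
TOY_CFG = {
    "entry":       ["parse", "usage"],
    "usage":       ["exit_bb"],
    "parse":       ["check_magic", "bad_fmt"],
    "bad_fmt":     ["exit_bb"],
    "check_magic": ["decode", "bad_fmt"],
    "decode":      ["target", "cleanup"],
    "target":      ["cleanup"],
    "cleanup":     ["exit_bb"],
    "exit_bb":     [],
    "dead":        ["target"],
}


def forward_reachable(cfg, start):
    """Blocks reachable from `start` by following successor edges (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        blk = queue.popleft()
        for succ in cfg.get(blk, []):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return seen


def distances_to_targets(cfg, targets):
    """Shortest edge distance from every block to the nearest target, computed by
    BFS on the reversed graph. Blocks that cannot reach any target are absent."""
    preds = {blk: [] for blk in cfg}
    for blk, succs in cfg.items():
        for succ in succs:
            preds.setdefault(succ, []).append(blk)
    dist = {t: 0 for t in targets}
    queue = deque(targets)
    while queue:
        blk = queue.popleft()
        for pred in preds.get(blk, []):
            if pred not in dist:
                dist[pred] = dist[blk] + 1
                queue.append(pred)
    return dist


def instrumentation_plan(cfg, entry, targets, spare_post_target=False):
    """Decide per block what the instrumentation pass would insert:
      ("distance", d) - block lies on an entry->target path: collect coverage and
                        report distance d to the nearest target (first instrumentation)
      ("exit",)       - block is reachable from entry but no target is reachable from
                        it: insert exit(0) to abort the run early (second instrumentation)
      ("none",)       - block is never reached from entry: leave untouched
    spare_post_target (our addition, not from the paper): leave blocks that are only
    reached after a target untouched, so a crash surfacing after the target is still seen."""
    live = forward_reachable(cfg, entry)
    dist = distances_to_targets(cfg, targets)
    post = set()
    if spare_post_target:
        for t in targets:
            post |= forward_reachable(cfg, t)
    plan = {}
    for blk in cfg:
        if blk not in live:
            plan[blk] = ("none",)
        elif blk in dist:
            plan[blk] = ("distance", dist[blk])
        elif blk in post:
            plan[blk] = ("none",)
        else:
            plan[blk] = ("exit",)
    return plan


def run_trace(plan, trace):
    """Simulate the instrumented binary on the block trace one input would produce:
    returns (blocks actually executed, best distance seen). Execution stops at the
    first block carrying exit(0); the fuzzer keeps inputs whose best distance shrinks."""
    executed, best = [], None
    for blk in trace:
        executed.append(blk)
        action = plan[blk]
        if action[0] == "distance":
            best = action[1] if best is None else min(best, action[1])
        elif action[0] == "exit":
            break
    return executed, best


if __name__ == "__main__":
    plan = instrumentation_plan(TOY_CFG, "entry", ["target"])
    for blk, action in plan.items():
        print(f"{blk:12s} {action}")
    # Constructed traces: a malformed input, and one that reaches the target.
    print(run_trace(plan, ["entry", "parse", "check_magic", "bad_fmt", "exit_bb"]))
    print(run_trace(plan, ["entry", "parse", "check_magic", "decode",
                           "target", "cleanup", "exit_bb"]))
```

With the paper's rule alone, `cleanup` and `exit_bb` also receive `exit(0)` because no target is reachable from them; that is correct for the goal of reaching the target quickly, but it means a bug that only manifests after the target (for instance during cleanup) would never be observed, which is why the example offers `spare_post_target` as a practitioner's option.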
Keywords
directed fuzzing, instrumentation, static analysis, path detection