DSFuzz: Detecting Deep State Bugs with Dependent State Exploration

Traditional random mutation-based fuzzers are ineffective at reaching deep program states that require specific input values. Consequently, a large number of deep bugs remain undiscovered. To enhance the effectiveness of input mutation, previous research has utilized taint analysis to identify control-dependent critical bytes and only mutates those bytes. However, existing works do not consider indirect control dependencies, in which the critical bytes for taking one branch can only be set in a basic block that is control dependent on a series of other basic blocks. These critical bytes cannot be identified unless that series of basic blocks are visited in the execution path. Existing approaches would take an unacceptably long time and computation resources to attempt multiple paths before setting these critical bytes. In other words, the search space for identifying the critical bytes cannot be effectively explored by the current mutation strategies. In this paper, we aim to explore a new input generation strategy for satisfying a series of indirect control dependencies that can lead to deep program states. We present DSFuzz, a directed fuzzing scheme that effectively constructs inputs for exploring particular deep states. DSFuzz focuses on the deep targets reachable by only satisfying a set of indirect control dependencies. By analyzing the conditions that a deep state indirectly depends on, it can generate dependent critical bytes for taking the corresponding branches. It also rules out the control flows that are unlikely to lead to the target state. As a result, it only needs to mutate under a limited search space. DSFuzz significantly outperformed state-of-the-art directed greybox fuzzers in detecting bugs in deep program states: it detected eight new bugs that other tools failed to find.