Efficient Binary-Level Coverage Analysis
share
Coverage analysis plays an important role in the software testing process. More recently, the remarkable effectiveness of coverage feedback has triggered wide interest in feedback-guided fuzzing. In this work, we introduce bcov, a tool for binary-level coverage analysis. Our tool statically instruments x86-64 binaries in the ELF format without compiler support. We implement several techniques to improve efficiency and scale to large real-world software. First, we bring Agrawal's probe pruning technique to binary-level instrumentation and effectively leverage its super blocks to reduce overhead. Second, we introduce sliced microexecution, a robust technique for jump table analysis which improves CFG precision and enables us to instrument jump table entries. Additionally, smaller instructions in x86-64 pose a challenge for inserting detours. To address this challenge, we aggressively exploit padding bytes and systematically host detours in neighboring basic blocks. We evaluate bcov on a corpus of 95 binaries compiled from eight popular and well-tested packages. Two instrumentation policies, with different edge-level precision, are applied to all functions in this corpus - more than 1.6 million functions. Our precise policy has an average performance and memory overheads of 14 respectively. Instrumented binaries do not introduce any test regressions. Finally, our jump table analysis is comparable to that of IDA Pro on gcc binaries and outperform it on clang binaries.
READ FULL TEXT