Fast Fuzzing for Memory Errors
Greybox fuzzing is a proven effective testing method for the detection of security vulnerabilities and other bugs in modern software systems. Greybox fuzzing can also be used in combination with a sanitizer, such as AddressSanitizer (ASAN), to further enhance the detection of certain classes of bug such as buffer overflow and use-after-free errors. However, sanitizers also introduce additional performance overheads, and this can degrade the performance of greybox fuzzing – measured in the order of 2.36x for fuzzing with ASAN – potentially negating the benefit of using a sanitizer in the first place. Recent research attributes this to extra overheads to additional page faults that are generated when the disjoint sanitizer metadata is accessed at runtime. In this paper, we present a new design that can detect memory errors without a proliferation of page faults. The basic idea is to track memory validity using randomized tokens that are stored directly in the memory itself, rather than in disjoint metadata. All read/write operations are instrumented to check for the token, and if present, a memory error will be detected. We implement our design in the form of the ReZZan – a sanitizer specifically optimized for fuzz testing. Since there is no disjoint metadata access, no additional page faults are generated, minimizing the performance overhead to around 1.14-1.27x (depending on the configuration).
READ FULL TEXT