Info

Cascade: CPU Fuzzing via Intricate Program Generation

USENIX Security '24

COMSEC, ETH Zurich

Motivation

  • Programs must be long to increase fuzzing throughput.
  • Programs must be complex to increase the probability of triggering a bug.
  • The fuzzer must reliably and efficiently detect bugs once triggered.

Pitfalls of existing fuzzers

  • Programs are short by design with trivial control flows.
  • The executed portion of the programs is short because the control flow is poorly managed.
  • Most instructions are not randomized and correspond to initialization and finalization.
  • Only a small part of the ISA is covered.
  • The CPU state is checked at instruction granularity, which significantly reduces fuzzing performance.
  • Bugs have a high chance of being shadowed: the state they corrupt is overwritten later in the control flow before it can be detected.

Cascade

Overview