Info
Motivation
- Programs must be long to increase fuzzing throughput.
- Programs must be complex to increase the probability of triggering a bug.
- The fuzzer must reliably and efficiently detect bugs once triggered.
Pitfalls of existing fuzzers
- Programs are short by design with trivial control flows.
- The executed portion of the programs is short because the control flow is poorly managed.
- Most instructions are not randomized and correspond to initialization and finalization.
- Only a small part of the ISA is covered.
- The CPU state is checked at instruction granularity, significantly impacting the fuzzing performance.
- Bugs have a high chance of being shadowed because their expression is eventually overwritten in the control flow.
Cascade
- generates valid, long, and complex programs
- cascade-effect termination for bug detection
- complex data and control flows → intermediate program
- golden model → data flow feedback
- oracle: non-terminations → bugs
Insights
- non-termination → bug in control flow → bug in data flow
- entangle the data flow into the control flow: golden model (spike for RISC-V) → dependent register values generated by critical points
- bug programs reduction