Fuzzing with Performance Monitoring and Tracing Hardware
The field of fuzzing has brought about many new open-source tools, techniques, and insights to improve the state of the art of automated vulnerability discovery systems. However, there are instances where the adoption of such new techniques and tools improves the state of the art of these systems at the expense of portability, accessibility, and performance. Additionally, while many of the processor platforms used in the fuzzing community already come with components that observe program execution in the form of performance monitoring and tracing hardware, such hardware is not commonly used by fuzzers. On a similar note, the fuzzing literature currently lacks evaluations of the use of such hardware. The most commonly used processor platforms in the fuzzing community are Intel processors. Our work seeks to evaluate the performance impact of using performance monitoring and tracing hardware (specifically Intel Last Branch Record sampling and Intel Branch Trace Store) for coverage feedback in coverage-guided fuzzers. In our evaluation, we seek to learn whether the adoption of this specific performance monitoring and tracing hardware in coverage-guided fuzzers can improve the performance of binary-only fuzzing.
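As an added illustration (not code from the thesis), the following C sketch shows the core step such a fuzzer performs once branch records have been collected: folding the (from, to) address pairs that LBR and BTS report into an AFL-style edge coverage map and counting newly seen edges. The collection mechanism, the target address range, the sample records, and the simple index function are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAP_SIZE 65536  /* AFL-style 64 KiB edge map */

/* One taken-branch record: the (from, to) pair that both LBR and BTS deliver.
 * Collecting the records (e.g. via perf_event_open) is outside this example. */
typedef struct { uint64_t from; uint64_t to; } branch_rec;

/* Map a branch to an edge bucket using AFL's prev_loc>>1 ^ cur_loc scheme on raw
 * addresses (assumed for illustration; a real fuzzer would hash them first). */
uint32_t edge_index(uint64_t from, uint64_t to) {
    return (uint32_t)((from >> 1) ^ to) & (MAP_SIZE - 1);
}

/* Fold a batch of records into the map, counting only branches that originate
 * inside [lo, hi) (the target's text segment) so kernel or shared-library
 * records do not pollute feedback. Returns the number of first-seen edges. */
size_t fold_branches(uint8_t *map, const branch_rec *recs, size_t n,
                     uint64_t lo, uint64_t hi) {
    size_t new_edges = 0;
    for (size_t i = 0; i < n; i++) {
        if (recs[i].from < lo || recs[i].from >= hi) continue;
        uint32_t idx = edge_index(recs[i].from, recs[i].to);
        if (map[idx] == 0) new_edges++;
        if (map[idx] < 255) map[idx]++;   /* saturating hit counter */
    }
    return new_edges;
}

/* Constructed sample: two edges of a loop (one taken twice) and one
 * kernel-originated record that must be filtered out. */
static const branch_rec sample[] = {
    {0x401000, 0x401040}, {0x401040, 0x401000},
    {0x401000, 0x401040}, {0xffffffff81000000ULL, 0x401000},
};
static uint8_t g_map[MAP_SIZE];

size_t demo_pass(void) {   /* one fuzzing iteration over the sample */
    return fold_branches(g_map, sample, 4, 0x401000, 0x402000);
}
uint8_t demo_hits(uint64_t from, uint64_t to) {
    return g_map[edge_index(from, to)];
}

int main(void) {
    printf("first pass: %zu new edges\n", demo_pass());   /* 2 */
    printf("second pass: %zu new edges\n", demo_pass());  /* 0 */
    return 0;
}
```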