Fuzzing Program Logic Deeply Hidden in Binary Program Stages

2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER), 2019

Cited by 1 | Views 156

Abstract
Fuzzing is an effective method to identify bugs and security vulnerabilities in software. One particular difficulty faced by fuzzing is how to effectively generate inputs that cover program paths, especially for programs with complex logic. We observe that complex programs are often composed of components, which is a natural result of software engineering principles. The components interface with each other through memory buffers, forming stages of processing in the program logic. Program logic in later stages is difficult for fuzzers to reach. In this paper, we develop a novel solution to fuzz such program logic, called STAGEFUZZER. It identifies the stages and memory interfaces from program binaries, and fuzzes later stages of the program effectively. In our evaluation with a suite of typical binaries, STAGEFUZZER correctly identifies the program structure and effectively increases the coverage of program logic compared to the AFL fuzzer.
Keywords
Fuzzing, Software, Computer bugs, Feature extraction, Security, Software engineering