Enhancing Coverage-Guided Fuzzing via Phantom Program

For coverage-guided fuzzers, many of their adopted seeds are usually ineffective by exploring limited program states since essentially all their executions have to abide by rigorous dependencies between program branches while only limited seeds are capable of accessing such dependencies. Moreover, even when iteratively executing such limited seeds, the fuzzers have to repeatedly access the covered program states before uncovering new states. Such facts indicate that exploration power on program states of seeds has not been sufficiently leveraged by the existing coverage-guided fuzzing strategies. To tackle these issues, we propose a coverageguided fuzzer, namely MirageFuzz, to mitigate the dependencies between program branches when executing seeds for enhancing their exploration power on program states. Specifically, MirageFuzz first creates a "phantom" program of the target program by reducing its dependencies corresponding to conditional statements while retaining their original semantics. Accordingly, MirageFuzz performs dual fuzzing, i.e., the source fuzzing to fuzz the original program and the phantom fuzzing to fuzz the phantom program simultaneously. Then, MirageFuzz generates a new seed for the source fuzzing via a taint-based mutation mechanism, i.e., updating the target conditional statement of a given seed from the source fuzzing with its corresponding condition value derived by the phantom fuzzing. To evaluate the effectiveness of MirageFuzz, we build a benchmark suite with 18 projects commonly adopted by recent fuzzing papers, and select nine open-source fuzzers as baselines for performance comparison with MirageFuzz. The experiment results suggest that MirageFuzz outperforms our baseline fuzzers from 13.42% to 77.96% averagely. Furthermore, MirageFuzz exposes 29 previously unknown bugs where 7 of them have been confirmed and 6 have been fixed by the corresponding developers.