
Sanitizer Crash Bucketing for Fuzzing


Supervisor(s): Julian Horsch, Dieter Schuster
Status: finished
Topic: Others
Author: Sandro Bauer
Submission: 2021-02-15
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Fuzz testing is a popular method for finding security-critical bugs in increasingly complex software. Fuzzers aim to detect as many crashes as possible in the target software. Multiple detected crashes can be caused by a single bug, so state-of-the-art fuzzers use code coverage profiles to reduce the number of duplicate crashes. These profiles tend to overcount the number of existing bugs, producing several uniquely labeled crash files that all correspond to the same ground-truth bug. After fuzzing concludes, the crash files have to be evaluated manually by an expert. In this master's thesis we evaluate whether compile-time sanitization can aid in the automatic deduplication of these crash files without the need for extensive domain expertise. To achieve this goal, we analyze the outputs of different sanitizers to determine features that are suitable for uniquely identifying a ground-truth bug. Based on these features we create buckets of similar crash inputs, with each bucket representing one ground-truth bug. Compared with existing work on automatic deduplication, we show that sanitizers not only improve deduplication but also help in detecting previously undetected errors in the target program, adding value to the original fuzzing goal of finding program errors. Additionally, we produce these results 80% faster than the compared approach.
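As an added illustration (not code from the thesis or from AISEC), the following Python script shows the kind of feature-based bucketing the abstract describes: it parses AddressSanitizer and UndefinedBehaviorSanitizer reports, keeps the error class and the top in-target stack frames as the key, and groups crash files by that key, while addresses, access sizes and thread ids are ignored because they differ between inputs that trigger the same bug. Which features the thesis actually selected is not stated on this page; the choice of error kind plus two frames, the noise-frame filter, and all file, function and crash names are assumptions made for this example, and the sample reports are constructed, not real fuzzer output.

```python
"""Bucket fuzzer crashes by the features of their sanitizer reports."""
import re
from collections import defaultdict

ASAN_ERROR = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
UBSAN_ERROR = re.compile(r"^(\S+?):(\d+)(?::\d+)?: runtime error: ([^:]+)", re.M)
FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$", re.M)
SRC_LOC = re.compile(r"^(\S+?):(\d+)(?::\d+)?$")

# Frames from the sanitizer runtime, libc and the process entry point say
# nothing about the bug in the target, so they are dropped before keying.
NOISE = ("__interceptor_", "__asan_", "__ubsan_", "__sanitizer", "__libc_", "_start")


def error_kind(report):
    """Sanitizer error class, e.g. 'asan:heap-buffer-overflow', or None."""
    m = ASAN_ERROR.search(report)
    if m:
        return "asan:" + m.group(1)
    m = UBSAN_ERROR.search(report)
    if m:
        return "ubsan:" + m.group(3).strip().replace(" ", "-")
    return None


def target_frames(report, depth):
    """Top `depth` symbolized frames inside the target as (func, file, line)."""
    frames = []
    for func, loc in FRAME.findall(report):
        if func.startswith(NOISE):
            continue
        m = SRC_LOC.match(loc)
        if not m:  # unsymbolized frame (no debug info): unstable, skip it
            continue
        frames.append((func, m.group(1), int(m.group(2))))
        if len(frames) == depth:
            break
    return tuple(frames)


def bucket_key(report, depth=2):
    """Key under which two reports are taken to describe the same bug.
    Addresses, pc values, access sizes, thread ids and deeper frames are
    deliberately ignored: they vary between inputs that hit the same bug."""
    kind = error_kind(report)
    frames = target_frames(report, depth)
    if kind is None or not frames:
        return None  # not a sanitizer report, or no usable crash site
    return (kind, frames)


def bucket(reports, depth=2):
    """Group {name: report text} by bucket_key; reports without a usable
    key go to an 'unbucketed' list that still needs a human."""
    buckets, unbucketed = defaultdict(list), []
    for name, text in reports.items():
        key = bucket_key(text, depth)
        if key is None:
            unbucketed.append(name)
        else:
            buckets[key].append(name)
    return dict(buckets), unbucketed


# Constructed sample reports (not real fuzzer output); file, function and
# crash names are made up. crash-001 and crash-002 hit the same overflow with
# different addresses, access sizes and an extra interceptor frame; crash-005
# has no stack trace because UBSAN_OPTIONS=print_stacktrace=1 was not set.
REPORTS = {
    "crash-001": """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x4f8e2a bp 0x7ffd1 sp 0x7ffd0
READ of size 4 at 0x602000000014 thread T0
    #0 0x4f8e29 in parse_header parser.c:42:12
    #1 0x4f91c0 in parse_file parser.c:88:5
    #2 0x4f95a1 in main main.c:17:9
    #3 0x7f2a1e029b8e in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27b8e)
""",
    "crash-002": """==4310==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x4a3b1d bp 0x7ffe9 sp 0x7ffe1
READ of size 16 at 0x60200000eff4 thread T0
    #0 0x4a3b1c in __asan_memcpy (/work/fuzz_target+0x4a3b1c)
    #1 0x4f8e29 in parse_header parser.c:42:12
    #2 0x4f91c0 in parse_file parser.c:88:5
    #3 0x4f95a1 in main main.c:17:9
""",
    "crash-003": """==4377==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000040 at pc 0x4fa101 bp 0x7ffd3 sp 0x7ffd2
READ of size 8 at 0x603000000040 thread T0
    #0 0x4fa100 in node_value list.c:73:10
    #1 0x4f9300 in parse_file parser.c:102:7
    #2 0x4f95a1 in main main.c:17:9
""",
    "crash-004": """parser.c:57:9: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
    #0 0x4f9a10 in add_lengths parser.c:57:9
    #1 0x4f91c0 in parse_file parser.c:91:5
    #2 0x4f95a1 in main main.c:17:9
""",
    "crash-005": "parser.c:57:9: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'\n",
}

if __name__ == "__main__":
    found, pending = bucket(REPORTS)
    for key, names in found.items():
        print(key[0], [f"{fn}@{f}:{ln}" for fn, f, ln in key[1]], names)
    print("needs manual review:", pending)
```

Run on the constructed reports, the five files collapse into three buckets (crash-001 and crash-002 share one, since they only differ in addresses, access size and a runtime frame) plus one unbucketed report. Keying on fewer frames merges more aggressively; keying on more splits crashes that reach one bug through different callers, which is exactly the trade-off that has to be tuned against ground truth.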