2024-09-13

WebAssembly as a Fuzzing Compilation Target (Registered Report)

Abstract

By monitoring the execution of the program under test, fuzzers can gather feedback on how different inputs affect the program’s behavior and detect crashes and other abnormal behaviors. To achieve these objectives, fuzzers typically rely on a static instrumentation phase, which can be cumbersome to extend and experiment with. In this paper, we explore a different strategy: By compiling to a common high-level compilation target, we can retain most of the instrumentation opportunities with the potential for dynamic instrumentation. Compiling to an intermediate target disentangles instrumentation from the harness build process and produces fuzzer-independent harness artifacts. More specifically, we propose to use WebAssembly (WASM) as a suitable target due to its widespread language support, deterministic and isolated nature, and simple and easy-to-JIT instruction set. To explore this approach, we present and discuss WasmFuzz, a fuzzer for WebAssembly binaries that bridges the gap between native and WASM fuzzing. To enable meaningful WebAssembly fuzzer comparisons, we demonstrate a generic way to retrofit WASM modules into source-based fuzzers through wasm2c. This approach already raises the performance baseline of WebAssembly fuzzing significantly. In our preliminary evaluation, WasmFuzz achieves, on average, more basic blocks per target compared to other WebAssembly fuzzers and seems competitive with native setups like cargo-fuzz (LibFuzzer).

Conference paper

International Fuzzing Workshop (FUZZING)

Publication date

2024-09-13

Last modified

2024-12-02