research-article
Open access

TATOO: A Flexible Hardware Platform for Binary-Only Fuzzing

Published: 07 November 2024

Abstract

Hardware-based tracing is efficient and can therefore be a good alternative to computationally expensive software-based instrumentation in binary-only greybox fuzzing. However, it records every branch within a specified address range and offers no way to filter those branches further. To overcome these limitations, this paper introduces Tatoo, a hardware platform that combines tagged architectures with hardware tracing so that users can perform instruction-level tagging, which significantly reduces the volume of traced data and improves fuzzing efficiency. Tatoo also supports recording dataflow information for smart mutations. Implemented on a real FPGA hardware platform, Tatoo incurs a performance overhead of only 8.7%.


Published In

DAC '24: Proceedings of the 61st ACM/IEEE Design Automation Conference
June 2024
2159 pages
ISBN:9798400706011
DOI:10.1145/3649329
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Funding Sources

  • National Natural Science Foundation of China

Conference

DAC '24
Sponsor:
DAC '24: 61st ACM/IEEE Design Automation Conference
June 23 - 27, 2024
San Francisco, CA, USA

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%
