Sanitizers provide robust test oracles for various software vulnerabilities. Fuzzing sanitizer-enabled programs has been the best practice for finding software bugs. Since sanitizers must heavily instrument a target program to insert run-time checks, sanitizer-enabled programs have much higher overhead than normally built programs. In this paper, we present SAND, a new fuzzing framework that decouples sanitization from the fuzzing loop. SAND fuzzes a normally built program and only invokes the sanitizer-enabled programs when an input is shown to be interesting. Since most generated inputs are not interesting, i.e., not bug-triggering, SAND allows most of the fuzzing time to be spent on the normally built program. To identify interesting inputs, we introduce the execution pattern, a practical execution analysis on the normally built program. We implement SAND on top of AFL++ and evaluate it on 12 real-world programs. Our extensive evaluation highlights its effectiveness: over a period of 24 hours, compared to fuzzing ASan/UBSan-enabled and MSan-enabled programs, SAND respectively achieves 2.6x and 15x the throughput and detects 51% and 242% more bugs.
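The decoupling described above can be illustrated with a small simulation. The following Python is an added example, not code from the SAND paper or its AFL++ implementation: it uses a constructed toy target, a constructed corpus, assumed relative costs (a normal run costs 1 unit, a sanitized run costs 10), and a deliberately simple stand-in for the execution pattern (the set of control-flow edges a run takes). The point it shows is the scheduling logic: every input runs on the cheap build, and the expensive sanitized build is only invoked for inputs whose pattern has not been seen before.

```python
"""Toy simulation of decoupled sanitization in the style of SAND (added example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

PLAIN_COST = 1       # assumed relative cost of one run on the normally built program
SANITIZED_COST = 10  # assumed relative cost of one run on the sanitizer-enabled program


def _trace(data: bytes) -> List[str]:
    """Constructed toy target: returns the basic blocks it visits for this input."""
    blocks = ["entry"]
    if data[:2] == b"OK":
        blocks.append("magic")
        if len(data) > 4:
            blocks.append("long")
            if data[4] == 0x41:      # constructed fault condition standing in for a memory error
                blocks.append("bug")
    else:
        blocks.append("reject")
    return blocks


def execution_pattern(data: bytes) -> FrozenSet[str]:
    """Cheap stand-in for SAND's execution pattern: the set of edges taken on the normal build.
    (Assumption: the real pattern is derived differently; this only models its role.)"""
    blocks = _trace(data)
    return frozenset(f"{a}->{b}" for a, b in zip(blocks, blocks[1:]))


def sanitized_run(data: bytes) -> bool:
    """Stand-in for the sanitizer build: same program logic plus the run-time check."""
    return "bug" in _trace(data)


@dataclass
class Stats:
    inputs: int = 0
    sanitized_runs: int = 0
    bugs: int = 0
    cost: int = 0
    seen: Set[FrozenSet[str]] = field(default_factory=set)


def fuzz(inputs, decouple: bool = True) -> Stats:
    """Run the corpus either with decoupled sanitization (SAND-style) or with every
    input on the sanitized build (the conventional approach)."""
    s = Stats()
    for data in inputs:
        s.inputs += 1
        if decouple:
            s.cost += PLAIN_COST
            pat = execution_pattern(data)
            if pat in s.seen:        # not interesting: skip the expensive build
                continue
            s.seen.add(pat)
        s.cost += SANITIZED_COST
        s.sanitized_runs += 1
        if sanitized_run(data):
            s.bugs += 1
    return s


# Constructed corpus: several inputs share a pattern, one reaches the fault.
CORPUS = [b"xx", b"yy", b"OK", b"OKab", b"OKabc", b"zzzz", b"OKabA"]

if __name__ == "__main__":
    sand = fuzz(CORPUS, decouple=True)
    base = fuzz(CORPUS, decouple=False)
    print(f"decoupled: {sand.sanitized_runs} sanitized runs, {sand.bugs} bug(s), cost {sand.cost}")
    print(f"baseline:  {base.sanitized_runs} sanitized runs, {base.bugs} bug(s), cost {base.cost}")
```

On the constructed corpus the decoupled loop invokes the sanitized build four times instead of seven and still reports the fault, at well under the baseline's cost; the gap widens with the share of uninteresting inputs, which is the effect the abstract quantifies. A real pattern must be cheap to compute on the normal build yet fine-grained enough that a bug-triggering input is not mistaken for an already-seen one, which is the design problem the execution pattern addresses.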
Translation: Sanitizers provide robust test oracles for various kinds of software vulnerabilities. Fuzzing sanitizer-enabled programs has become the best practice for finding software defects. Because sanitizers must heavily instrument the target program to insert run-time checks, sanitizer-enabled programs incur much higher overhead than normally built programs. This paper presents SAND, a novel fuzzing framework that decouples sanitization from the fuzzing loop. SAND fuzzes the normally built program and invokes the sanitizer-enabled programs only when an input is judged to be interesting. Since the vast majority of generated inputs are not interesting (i.e., they do not trigger defects), SAND lets most of the fuzzing time be spent on the normally built program. To identify interesting inputs, we introduce the execution pattern for a practical execution analysis of the normally built program. We implement SAND on top of AFL++ and evaluate it on 12 real-world programs. The extensive evaluation highlights its effectiveness: within 24 hours, compared to fuzzing ASan/UBSan-enabled and MSan-enabled programs, SAND achieves 2.6x and 15x the throughput respectively and detects 51% and 242% more defects.