Fuzzing has proven to be very effective for discovering certain classes of software flaws, but less effective in helping developers process these discoveries. Conventional crash-based fuzzers lack enough information about failures to determine their root causes, or to distinguish new crashes from known ones, forcing developers to manually process long, repetitious lists of crash reports. Also, conventional fuzzers typically cannot be configured to detect the variety of bugs developers care about, many of which are not easily converted into crashes. To address these limitations, we propose Pipe-Cleaner, a system for detecting and analyzing C code vulnerabilities using a refined fuzzing approach. Pipe-Cleaner is based on flexible developer-designed security policies enforced by a tag-based runtime reference monitor, which communicates with a policy-aware fuzzer. Developers are able to customize the types of faults the fuzzer detects and the level of detail in fault reports. Adding more detail helps the fuzzer to differentiate new bugs, discard duplicate bugs, and improve the clarity of results for bug triage. We demonstrate the potential of this approach on several heap-related security vulnerabilities, including classic memory safety violations and two novel non-crashing classes outside the reach of conventional fuzzers: leftover secret disclosure, and heap address leaks.
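A toy version of the tag-based monitor described above, added here as an illustration and not Pipe-Cleaner's own code: every simulated heap word carries a tag and the id of its last writer, two constructed policy rules flag the abstract's non-crashing fault classes (leftover secret disclosure and heap address leaks), and a report key with adjustable detail shows how more detail separates distinct bugs while less collapses duplicates. The tag names, rule names, detail levels and the program trace are assumptions of this example.

```python
from dataclasses import dataclass

SECRET, PTR, PUBLIC = "secret", "heap_ptr", "public"  # word tags (constructed)

@dataclass(frozen=True)
class Fault:
    rule: str   # policy rule that fired
    tag: str    # tag on the offending word
    addr: int   # simulated heap address, or the leaked value
    def key(self, detail):
        # Detail 1..3: coarse keys collapse duplicates, fine keys separate bugs.
        return (self.rule, self.tag, self.addr)[:detail]

class TaggedHeap:  # simulated heap; each word carries a tag and its last writer's id
    def __init__(self, words=8):
        self.val, self.tag, self.owner = [0] * words, [PUBLIC] * words, [None] * words
        self.top, self.next_id, self.free_list, self.faults = 0, 0, [], []
    def malloc(self, n):  # -> (alloc_id, base); a freed block is reused as-is
        if self.free_list: base = self.free_list.pop()
        else: base, self.top = self.top, self.top + n
        self.next_id += 1
        return self.next_id, base
    def free(self, base):
        self.free_list.append(base)  # data and tags are left in place
    def store(self, aid, addr, value, tag=PUBLIC):
        self.val[addr], self.tag[addr], self.owner[addr] = value, tag, aid
    def load(self, aid, addr):
        # Rule 1: a SECRET word written by a different owner is a leftover
        # secret disclosure; nothing crashes, so a crash-based fuzzer misses it.
        if self.tag[addr] == SECRET and self.owner[addr] != aid:
            self.faults.append(Fault("leftover_secret", SECRET, addr))
        return self.val[addr], self.tag[addr]
    def output(self, value, tag):
        # Rule 2: a heap address reaching an output sink is an address leak.
        if tag == PTR:
            self.faults.append(Fault("heap_addr_leak", PTR, value))

def run_scenario():
    """Constructed trace exercising both rules; returns the recorded faults."""
    h = TaggedHeap()
    a, p = h.malloc(2)
    h.store(a, p, 0x41, SECRET)      # owner a writes key bytes, then frees
    h.store(a, p + 1, 0x42, SECRET)
    h.free(p)
    b, q = h.malloc(2)               # same block, reused without clearing
    h.load(b, q)                     # stale secret read -> leftover_secret
    h.load(b, q + 1)                 # second stale word -> second fault
    h.store(b, q, h.malloc(1)[1], PTR)  # heap pointer stored into the buffer
    h.output(*h.load(b, q))          # pointer reaches output -> heap_addr_leak
    return h.faults
```

Grouping the returned faults by `key(2)` yields two distinct reports (one per rule), while `key(3)` keeps the two stale-word reads apart as separate findings.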