Testing a program's ability to handle errors effectively is a significant challenge, given that program errors are relatively uncommon. To address this, Software Fault Injection (SFI)-based fuzzing integrates SFI with traditional fuzzing, injecting and triggering errors in order to test error-handling code. However, we observe that current SFI-based fuzzing approaches have overlooked the correlation between the paths that contain error points. In fact, the execution paths of error points often share common paths. Nonetheless, fuzzers usually generate test cases repeatedly to test error points on commonly traversed paths, a practice that can compromise the efficiency of the fuzzer. This paper therefore introduces HuntFUZZ, a novel SFI-based fuzzing framework that addresses the redundant testing of error points with correlated paths. Specifically, HuntFUZZ clusters these correlated error points and uses concolic execution to compute constraints only for the common paths within each cluster. By doing so, we provide the fuzzer with efficient test cases to explore related error points with minimal redundancy. We evaluate HuntFUZZ on a diverse set of 42 applications, and HuntFUZZ successfully reveals 162 known bugs, 62 of which are related to error handling. Additionally, due to its efficient error point detection method, HuntFUZZ discovers 7 unique zero-day bugs, all of which are missed by existing fuzzers. Furthermore, we compare HuntFUZZ with 4 existing fuzzing approaches: AFL, AFL++, AFLGo, and EH-FUZZ. Our evaluation confirms that HuntFUZZ covers a broader range of error points and exhibits better performance in terms of bug-finding speed.
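The saving from clustering error points that share a path can be seen in a toy model. This is an added example, not code from the paper or from HuntFUZZ; the error-point names, the path conditions, the greedy prefix clustering and the cost measure are all assumptions made for illustration.

```python
# Toy model, not HuntFUZZ's implementation. Constructed sample data: each error
# point (a call site where a fault can be injected) maps to the branch conditions
# on the path from program entry to it. All names below are hypothetical.
ERROR_POINT_PATHS = {
    "malloc@parse_header": ("magic_ok", "version_ok", "has_header"),
    "fopen@parse_header": ("magic_ok", "version_ok", "has_header", "ext_file"),
    "malloc@parse_body": ("magic_ok", "version_ok", "has_body"),
    "read@parse_body": ("magic_ok", "version_ok", "has_body", "chunked"),
    "malloc@print_usage": ("no_args",),
}

def common_prefix(a, b):
    """Longest shared leading run of branch conditions between two paths."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return tuple(a[:n])

def cluster_by_common_path(paths, min_shared=2):
    """Greedy clustering (an assumption of this example): an error point joins
    the first cluster it shares at least `min_shared` leading conditions with;
    the cluster's common path shrinks to what all members share."""
    clusters = []  # each entry: [common_path, [error point names]]
    for name, path in sorted(paths.items(), key=lambda kv: kv[1]):
        for cluster in clusters:
            shared = common_prefix(cluster[0], path)
            if len(shared) >= min_shared:
                cluster[0] = shared
                cluster[1].append(name)
                break
        else:
            clusters.append([tuple(path), [name]])
    return [(prefix, members) for prefix, members in clusters]

def solving_cost(paths, clusters):
    """Conditions handed to a solver: one full path per error point versus
    one common path per cluster (simplified cost model)."""
    per_point = sum(len(p) for p in paths.values())
    per_cluster = sum(len(prefix) for prefix, _ in clusters)
    return per_point, per_cluster

if __name__ == "__main__":
    found = cluster_by_common_path(ERROR_POINT_PATHS)
    for prefix, members in found:
        print(" -> ".join(prefix), ":", ", ".join(members))
    print("conditions (per point, per cluster):", solving_cost(ERROR_POINT_PATHS, found))
```

Raising `min_shared` yields more, tighter clusters, so each cluster's common path is longer but less solver work is shared across error points.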