Coverage-based fuzzers are all the rage these days, but while usually achieving excellent results,they can get stuck on some problematic code parts like large constant comparisons or checksum calculations. Patching out the problematic code or manually auditing the code fuzzer cannot reach slightly alleviates the problem of code not being covered during audit, but the problem of finding those problematic points in the code remains.
We have developed a tool that combines code coverage information and code property graph analysis to help pinpoint those locations during fuzzing. Bug hunter can then analyze the problematic part of the code and decide to patch it to remove the problem, augment the fuzzer to get past the block, manually audit the unreached code or write a different fuzzing harness that exercises unreached code specifically.
In this talk, we will present the motivation behind this work, the methodology that utilizes the developed tool, implementation of the tool, experimental results and demonstrations as well as public release of the tool.