
ColorGo: Directed Concolic Execution

Jia Li, Jiacheng Shen, Yuxin Su, Michael R. Lyu

TL;DR

ColorGo introduces a directed whitebox fuzzing approach that fuses compilation-based concolic execution with incremental coloration to achieve high precision and scalability. By performing static coloration at compile time and dynamic feasibility checks at runtime, ColorGo confines exploration to a colored iCFG and uses a fast deviation-based search (FDFS) to reach target sites rapidly. Ablation studies and empirical evaluations on real-world programs show substantial improvements over state-of-the-art directed graybox fuzzing, including up to 50–100× reductions in time to reach targets and reproduce vulnerabilities, with manageable instrumentation overhead. This work demonstrates that combining static program structure with runtime concolic analysis can overcome the limitations of both graybox and traditional whitebox approaches, enabling practical, efficient directed fuzzing for crash reproduction and vulnerability discovery.

Abstract

Directed fuzzing is a critical technique in cybersecurity, targeting specific sections of a program. This approach is essential in various security-related domains such as crash reproduction, patch testing, and vulnerability detection. Despite its importance, current directed fuzzing methods exhibit a trade-off between efficiency and effectiveness. For instance, directed grey-box fuzzing, while efficient in generating fuzzing inputs, lacks sufficient precision. The low precision causes time to be wasted executing code that cannot help reach the target site. Conversely, interpreter- or observer-based directed symbolic execution can produce high-quality inputs while incurring non-negligible runtime overhead. These limitations undermine the feasibility of directed fuzzers in real-world scenarios. To obtain both efficiency and effectiveness at once, in this paper we incorporate compilation-based concolic execution into directed fuzzing and present ColorGo, which achieves high scalability while preserving the high precision of symbolic execution. ColorGo is a new directed whitebox fuzzer that concretely executes the instrumented program with constraint-solving capability on the generated inputs. It guides the exploration by incremental coloration, which combines static reachability analysis and dynamic feasibility analysis. We evaluated ColorGo on diverse real-world programs and demonstrated that ColorGo outperforms AFLGo by up to 100x in reaching target sites and reproducing target crashes.
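The two halves of incremental coloration described above can be made concrete on a toy model. The following is an added illustration written for this page, not code from ColorGo or its authors: the interprocedural CFG, the branch predicates over three one-byte symbolic variables (`len`, `magic`, `ver`), and the brute-force byte-domain "solver" are all constructed assumptions standing in for compiler-emitted iCFG edges and a real SMT solver. Static coloration is backward reachability from the target over call and return edges; the dynamic check discards a branch flip that is colored but unsatisfiable given the constraints of the concrete path prefix. The search order is plain breadth-first, not the paper's FDFS heuristic, which this page does not describe.

```python
from collections import deque

TARGET = "parse:target"
DOMAIN = range(256)  # assumption: every symbolic variable is a single byte

# Constructed toy iCFG: "function:block" -> successors. Call and return edges
# are explicit so that backward reachability crosses function boundaries.
ICFG = {
    "main:entry": ["main:check_len"],
    "main:check_len": ["main:call_parse", "main:reject"],
    "main:reject": ["main:exit"],
    "main:call_parse": ["parse:entry"],          # call edge
    "main:after_parse": ["main:exit"],
    "main:exit": [],
    "parse:entry": ["parse:check_magic"],
    "parse:check_magic": ["parse:decode", "parse:bad_magic"],
    "parse:bad_magic": ["parse:exit"],
    "parse:decode": ["parse:check_ver"],
    "parse:check_ver": ["parse:target", "parse:check_ext"],
    "parse:check_ext": ["parse:target", "parse:legacy"],
    "parse:legacy": ["parse:exit"],
    "parse:target": ["parse:exit"],
    "parse:exit": ["main:after_parse"],          # return edge
}

# Constructed branch semantics: node -> (variable, predicate, true succ, false succ).
# check_ext re-tests `magic`, so its true edge is colored yet infeasible once
# check_magic has forced magic == 0x7F on the path.
BRANCHES = {
    "main:check_len":    ("len",   lambda v: v >= 4,    "main:call_parse", "main:reject"),
    "parse:check_magic": ("magic", lambda v: v == 0x7F, "parse:decode",    "parse:bad_magic"),
    "parse:check_ver":   ("ver",   lambda v: v <= 2,    "parse:target",    "parse:check_ext"),
    "parse:check_ext":   ("magic", lambda v: v < 0x40,  "parse:target",    "parse:legacy"),
}


def color(icfg, targets):
    """Static coloration: the set of nodes from which some target is reachable."""
    preds = {}
    for n, succs in icfg.items():
        for s in succs:
            preds.setdefault(s, []).append(n)
    colored, work = set(targets), deque(targets)
    while work:
        n = work.popleft()
        for p in preds.get(n, []):
            if p not in colored:
                colored.add(p)
                work.append(p)
    return colored


def execute(inputs):
    """Concrete run that also records the path condition (the concolic part)."""
    node, trace = "main:entry", []
    while True:
        if node in BRANCHES:
            var, pred, t, f = BRANCHES[node]
            taken = pred(inputs[var])
            trace.append((node, var, pred, taken))
            node = t if taken else f
        else:
            if not ICFG[node]:
                return trace, False
            node = ICFG[node][0]
        if node == TARGET:
            return trace, True


def solve(constraints):
    """Toy feasibility check by filtering each byte domain; returns a model or None."""
    domains = {}
    for var, pred, want in constraints:
        dom = [v for v in domains.get(var, DOMAIN) if pred(v) == want]
        if not dom:
            return None
        domains[var] = dom
    return {var: dom[0] for var, dom in domains.items()}


def deviations(trace, colored, inputs):
    """Branch flips worth trying: pruned statically (uncolored) then dynamically (infeasible)."""
    out = []
    for i, (node, var, pred, taken) in enumerate(trace):
        _, _, t, f = BRANCHES[node]
        if (f if taken else t) not in colored:
            continue  # static prune: the target is unreachable from that edge
        prefix = [(v, p, tk) for (_, v, p, tk) in trace[:i]]
        model = solve(prefix + [(var, pred, not taken)])
        if model is None:
            continue  # dynamic prune: colored, but contradicts the path prefix
        out.append((node, {**inputs, **model}))
    return out


def directed_search(seed, colored, max_runs=50):
    """Breadth-first over surviving deviations until a run executes the target."""
    queue, runs = deque([seed]), 0
    while queue and runs < max_runs:
        inputs = queue.popleft()
        trace, hit = execute(inputs)
        runs += 1
        if hit:
            return inputs, runs
        queue.extend(new for _, new in deviations(trace, colored, inputs))
    return None, runs


if __name__ == "__main__":
    colored = color(ICFG, {TARGET})
    print("colored:", sorted(colored))
    print("reached target with", directed_search({"len": 1, "magic": 0, "ver": 9}, colored))
```

On the seed `{"len": 1, "magic": 0, "ver": 9}` the search reaches the target in four executions; the untaken edges into `main:reject` and `parse:bad_magic` are never negated because they are uncolored, and the flip at `parse:check_ext` is dropped by the feasibility check even though that edge is colored.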

Paper Structure

This paper contains 29 sections, 4 figures, 5 tables.

Figures (4)

  • Figure 1: An indirect call example.
  • Figure 2: A function call example.
  • Figure 3: Control-flow graph of the loop example.
  • Figure 4: Architecture of ColorGo.