FuzzRDUCC: Fuzzing with Reconstructed Def-Use Chain Coverage

Abstract: Binary-only fuzzing often struggles with achieving thorough code coverage and uncovering hidden vulnerabilities due to limited insight into a program's internal dataflows. Traditional grey-box fuzzers guide test case generation primarily using control flow edge coverage, which can overlook bugs not easily exposed through control flow analysis alone. We argue that integrating dataflow analysis into the fuzzing process can enhance its effectiveness by revealing how data propagates through the program, thereby enabling the exploration of execution paths that control flow-based methods might miss. In this context, we introduce FuzzRDUCC, a novel fuzzing framework that employs symbolic execution to reconstruct definition-use (def-use) chains directly from binary executables. FuzzRDUCC identifies crucial dataflow paths and exposes security vulnerabilities without incurring excessive computational overhead, due to a novel heuristic algorithm that selects relevant def-use chains without affecting the thoroughness of the fuzzing process. We evaluate FuzzRDUCC using the binutils benchmark and demonstrate that it can identify unique crashes not found by state-of-the-art fuzzers. Hence, establishing FuzzRDUCC as a feasible solution for next generation vulnerability detection and discovery mechanisms.