FUSE: Single-Pass Binary Co-Instrumentation for Accurate Vulnerability Detection

Date

2026-06-08

Publisher

Virginia Tech

Abstract

Binary software deployed without source code remains vulnerable to memory safety errors that compilers detect via AddressSanitizer (ASAN). Existing binary-level ASAN tools rely on heuristic disassembly that fails on complex programs and produces false positives. We present FUSE, a static binary instrumentation tool that combines ASAN memory-safety checks with AFL++ coverage-guided fuzzing counters in a single pass. Built on FoxDec, a formally verified disassembler, FUSE produces zero spurious ASAN error reports across 19,350 NIST Juliet test cases—every ASAN-flagged error corresponds to a genuine memory-safety violation—and achieves 89.5% rewriting success across 315 binaries from four benchmark suites. In comparison, RetroWrite achieves 46.3% success and produces two genuine ASAN false positives. A register liveness analysis reduces instrumentation overhead by eliminating push/pop pairs at 61% of instrumentation sites, enabling FUSE to match 99.3% of native ASAN throughput on real-world fuzzing targets including zlib, libjpeg-turbo, and libpng. FUSE discovers 3.29× more coverage edges than source-level AFL instrumentation, demonstrating the practical value of combined ASAN+AFL binary instrumentation.

Keywords

• Security and privacy → Software and application security; Fuzzing; • Software and its engineering → Compilers.
