FUSE: Single-Pass Binary Co-Instrumentation for Accurate Vulnerability Detection
| dc.contributor.author | Kumar, Pranav | en |
| dc.contributor.committeechair | Ravindran, Binoy | en |
| dc.contributor.committeemember | Giles, Kendall Everett | en |
| dc.contributor.committeemember | Verbeek, Freek | en |
| dc.contributor.department | Electrical and Computer Engineering | en |
| dc.date.accessioned | 2026-06-09T08:01:24Z | en |
| dc.date.available | 2026-06-09T08:01:24Z | en |
| dc.date.issued | 2026-06-08 | en |
| dc.description.abstract | Binary software deployed without source code remains vulnerable to memory safety errors that compilers detect via AddressSanitizer (ASAN). Existing binary-level ASAN tools rely on heuristic disassembly that fails on complex programs and produces false positives. We present FUSE, a static binary instrumentation tool that combines ASAN memory-safety checks with AFL++ coverage-guided fuzzing counters in a single pass. Built on FoxDec, a formally verified disassembler, FUSE produces zero spurious ASAN error reports across 19,350 NIST Juliet test cases—every ASAN-flagged error corresponds to a genuine memory-safety violation—and achieves 89.5% rewriting success across 315 binaries from four benchmark suites. In comparison, RetroWrite achieves 46.3% success and produces two genuine ASAN false positives. A register liveness analysis reduces instrumentation overhead by eliminating push/pop pairs at 61% of instrumentation sites, enabling FUSE to match 99.3% of native ASAN throughput on real-world fuzzing targets including zlib, libjpeg-turbo, and libpng. FUSE discovers 3.29× more coverage edges than source-level AFL instrumentation, demonstrating the practical value of combined ASAN+AFL binary instrumentation. | en |
| dc.description.abstractgeneral | Binary software deployed without source code remains vulnerable to memory safety errors that compilers detect via AddressSanitizer (ASAN). Existing binary-level ASAN tools rely on heuristic disassembly that fails on complex programs and produces false positives. We present FUSE, a static binary instrumentation tool that combines ASAN memory-safety checks with AFL++ coverage-guided fuzzing counters in a single pass. Built on FoxDec, a formally verified disassembler, FUSE produces zero spurious ASAN error reports across 19,350 NIST Juliet test cases—every ASAN-flagged error corresponds to a genuine memory-safety violation—and achieves 89.5% rewriting success across 315 binaries from four benchmark suites. In comparison, RetroWrite achieves 46.3% success and produces two genuine ASAN false positives. A register liveness analysis reduces instrumentation overhead by eliminating push/pop pairs at 61% of instrumentation sites, enabling FUSE to match 99.3% of native ASAN throughput on real-world fuzzing targets including zlib, libjpeg-turbo, and libpng. FUSE discovers 3.29× more coverage edges than source-level AFL instrumentation, demonstrating the practical value of combined ASAN+AFL binary instrumentation. | en |
| dc.description.degree | Master of Science | en |
| dc.format.medium | ETD | en |
| dc.identifier.other | vt_gsexam:47044 | en |
| dc.identifier.uri | https://hdl.handle.net/10919/143288 | en |
| dc.language.iso | en | en |
| dc.publisher | Virginia Tech | en |
| dc.rights | Creative Commons Attribution-NonCommercial 4.0 International | en |
| dc.rights.uri | http://creativecommons.org/licenses/by-nc/4.0/ | en |
| dc.subject | • Security and privacy →Software and application security; Fuzzing; • Software and its engineering →Compilers. | en |
| dc.title | FUSE: Single-Pass Binary Co-Instrumentation for Accurate Vulnerability Detection | en |
| dc.type | Thesis | en |
| thesis.degree.discipline | Computer Engineering | en |
| thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
| thesis.degree.level | masters | en |
| thesis.degree.name | Master of Science | en |