No Source, No Problem! High Speed Binary Fuzzing

Explore high-speed binary fuzzing techniques for finding bugs in complex code bases without source code access in this 59-minute conference talk. Learn about Retrowrite, a binary rewriting framework enabling direct static instrumentation for user-mode binaries and Linux kernel modules. Discover how static binary rewriting achieves low-overhead instrumentation comparable to compile-time methods. Examine techniques like reassembleable assembly, symbolization, and RIP-relative addressing. Understand the implementation of binary versions of Address Sanitizer (ASan) and AFL coverage tracking. Investigate kRetrowrite for instrumenting binary kernel modules with kCov-based coverage tracking and KASan. Gain insights into effective fuzzing, coverage-guided techniques, and crash handling. Compare different approaches to binary instrumentation and explore real-world applications in both userspace and kernel environments.

Introduction
What we discovered
Effective fuzzing 101
Using existing mechanisms
Source code for everything
Why static rewriting is challenging
Instrumenting binaries in the kernel
Static binary instrumentation
Position independent code
Symbolization
Jump Not Zero
Material
Coverage guided fuzzing
Address sanitizer
Aysen in the kernel
Crash handling
TSM
Other approaches
Approach Li
Coverage
Implementation in the kernel
Userspace
Userspace results
Kernel results
Kernel demo
Kernel issues
Wrap up
Questions
Why compile
Stack canaries