Yu3H0/ZTaint-Havoc


ZTaint-Havoc: From Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference

ZTaint-Havoc presents a lightweight fuzzing-driven taint inference method based on havoc mode. The current prototype is built on top of AFL++.

This project was accepted at ISSTA 2025. Check out our paper for more technical details.

The project has two branches:

  • normal: Uses havoc mode as the mutator
  • solver: Uses a gradient descent-based branch solver as the mutator

Usage

Compilation Guide

The compilation process is similar to AFL++. Here are the detailed steps:

1. Environment Preparation

First, clean up the environment by removing all contents of the shared memory folder, so that no instrument_meta_data file left over from an earlier build is picked up later:

rm -rf /dev/shm/*

2. Target Compilation

Compile the target program similarly to AFL++. For example, use the following commands to compile the program and libraries:

CC=/path/to/afl-clang-fast CXX=/path/to/afl-clang-fast++ ./configure --disable-shared
make clean all

3. File Organization

Copy the compiled binary and related metadata files to a clean folder:

cp [BIN_NAME] /path/to/clean/folder
cp /dev/shm/instrument_meta_data /path/to/clean/folder

4. Metadata Extraction

Use the Python script to extract metadata embedded in the compiled binary:

cd /path/to/clean/folder
python gen_graph_no_gllvm_15.py [BIN_NAME] [instrument_meta_data]

This script will generate several metadata files required for the fuzzing process.

5. Start Fuzzing

In the prepared folder, start ZTaint-Havoc fuzzing:

/path/to/afl-fuzz -i /path/to/seed -o /path/to/output -- [BIN_NAME] [BIN_PARAMETERS]

Notes:

  • [BIN_NAME] is the name of your target program
  • [BIN_PARAMETERS] are the parameters needed to run your target program
  • /path/to/seed is the directory containing seed files
  • /path/to/output is the directory for fuzzing results

Concrete Example: Compiling FFmpeg

AFL++ Compilation

# Navigate to FFmpeg source directory
cd ffmpeg-6.1

# Set necessary environment variables
export ASAN_OPTIONS=detect_leaks=0
export AFL_USE_ASAN=1
export CC=/workspace/AFLplusplus/afl-clang-fast
export CXX=/workspace/AFLplusplus/afl-clang-fast++

# Create build directory
mkdir -p ../binaries/aflpp_build

# Configure and compile
./configure --pkg-config-flags="--static" --cc=$CC --cxx=$CXX --disable-stripping
make -j$(nproc) clean
make -j$(nproc)

# Copy the compiled binary
cp ffmpeg ../binaries/aflpp_build

ZTaint-Havoc Compilation

# Navigate to FFmpeg source directory
cd ffmpeg-6.1

# Set necessary environment variables
export AFL_USE_ASAN=1
export ASAN_OPTIONS=detect_leaks=0
export CC=/workspace/ZTaint-Havoc/afl-clang-fast
export CXX=/workspace/ZTaint-Havoc/afl-clang-fast++

# Prepare build directory and clean shared memory
rm -rf ../binaries/ztaint_havoc_build
mkdir -p ../binaries/ztaint_havoc_build
rm -f /dev/shm/*

# Configure and compile
./configure --pkg-config-flags="--static" --cc=$CC --cxx=$CXX --disable-stripping
make -j$(nproc) clean
make -j$(nproc)

# Copy necessary files
cp ffmpeg ../binaries/ztaint_havoc_build
cp /dev/shm/instrument_meta_data ../binaries/ztaint_havoc_build

# Generate auxiliary files (BIN_NAME is the binary copied above)
cd ../binaries/ztaint_havoc_build/
BIN_NAME=ffmpeg
python /workspace/ZTaint-Havoc/gen_graph_no_gllvm_15.py $BIN_NAME $PWD/instrument_meta_data

Additional Dependency

pip3 install pyelftools==0.30

🔔 IMPORTANT NOTE: Unlike traditional approaches, our solution DOES NOT require GLLVM or WLLVM to obtain compilation-time information. This makes our tool more versatile and widely applicable across different compilation environments!

The pyelftools dependency above is required by our Python scripts to parse and analyze ELF binaries.
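As an added example that is not part of the ZTaint-Havoc repository, the following Python script checks the preconditions of steps 3 and 4 of the Compilation Guide before gen_graph_no_gllvm_15.py is run: the instrument_meta_data file written during the build is present in the shared-memory folder, and the binary being staged is a little-endian ELF64 that still carries its .symtab section. It reads the ELF section header table with the standard library's struct module only, so it runs without pyelftools (the project's own scripts do need it). The function names (stage_target, elf_section_names, has_symbol_table, build_elf, demo) and the requirement that the binary be unstripped are assumptions made here, not stated by the page, although the FFmpeg example does configure with --disable-stripping. build_elf fabricates a minimal ELF image purely as constructed test input.

```python
"""Preflight check for a ZTaint-Havoc target folder (added example, not project code)."""
import shutil
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2           # EI_CLASS value for 64-bit objects
ELFDATA2LSB = 1          # EI_DATA value for little-endian objects
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64 bytes
SHDR_SIZE = struct.calcsize(SHDR_FMT)  # 64 bytes


def elf_section_names(data: bytes) -> list:
    """Return the section names of a little-endian ELF64 image, or raise ValueError."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, _type, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(EHDR_FMT, data, 0)
    if shnum == 0 or shentsize != SHDR_SIZE or shoff + shnum * SHDR_SIZE > len(data):
        raise ValueError("section header table missing or malformed")

    def shdr(i):
        return struct.unpack_from(SHDR_FMT, data, shoff + i * SHDR_SIZE)

    # Section names are NUL-terminated strings in the section indexed by e_shstrndx.
    _, _, _, _, str_off, str_size, *_ = shdr(shstrndx)
    strtab = data[str_off:str_off + str_size]
    names = []
    for i in range(shnum):
        name_off = shdr(i)[0]                      # sh_name is an offset into .shstrtab
        end = strtab.index(b"\0", name_off)
        names.append(strtab[name_off:end].decode("ascii"))
    return names


def has_symbol_table(data: bytes) -> bool:
    """True if the image keeps a .symtab section, i.e. it was not stripped."""
    return ".symtab" in elf_section_names(data)


def stage_target(bin_path, shm_dir, dest_dir, meta_name="instrument_meta_data"):
    """Steps 3-4 of the guide with checks: copy binary and metadata into a clean folder.

    Raises instead of silently staging a folder the metadata script cannot use.
    Returns the two destination paths.  (Assumption: the script needs symbols.)
    """
    bin_path, shm_dir, dest_dir = Path(bin_path), Path(shm_dir), Path(dest_dir)
    meta = shm_dir / meta_name
    if not meta.is_file():
        raise FileNotFoundError(f"{meta} missing: was the shared memory folder cleaned before the build?")
    if not has_symbol_table(bin_path.read_bytes()):
        raise ValueError(f"{bin_path} is stripped; rebuild with --disable-stripping")
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(bin_path, dest_dir / bin_path.name)
    shutil.copy2(meta, dest_dir / meta_name)
    return dest_dir / bin_path.name, dest_dir / meta_name


def build_elf(section_names) -> bytes:
    """Constructed minimal ELF64 image with the given sections (test input only, not a real binary)."""
    names = list(section_names) + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode("ascii") + b"\0"
    str_off = EHDR_SIZE                      # layout: header, .shstrtab bytes, section headers
    shoff = str_off + len(shstrtab)
    shnum = len(names) + 1                   # index 0 is the mandatory SHT_NULL entry
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                       EHDR_SIZE, 0, 0, SHDR_SIZE, shnum, shnum - 1)
    shdrs = struct.pack(SHDR_FMT, *([0] * 10))
    for n in names:
        if n == ".shstrtab":
            shdrs += struct.pack(SHDR_FMT, name_off[n], SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
        else:
            stype = SHT_SYMTAB if n == ".symtab" else SHT_PROGBITS
            shdrs += struct.pack(SHDR_FMT, name_off[n], stype, 0, 0, 0, 0, 0, 0, 1, 0)
    return ehdr + shstrtab + shdrs


def demo() -> dict:
    """Round trip in a temp dir: unstripped binary stages, stripped or metadata-less cases are refused."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        shm = tmp / "shm"
        shm.mkdir()
        (shm / "instrument_meta_data").write_bytes(b"constructed metadata")
        good = tmp / "ffmpeg"
        good.write_bytes(build_elf([".text", ".symtab", ".strtab"]))
        bin_out, meta_out = stage_target(good, shm, tmp / "clean")
        results["staged"] = bin_out.is_file() and meta_out.is_file()
        stripped = tmp / "ffmpeg_stripped"
        stripped.write_bytes(build_elf([".text"]))
        try:
            stage_target(stripped, shm, tmp / "clean2")
            results["stripped_refused"] = False
        except ValueError:
            results["stripped_refused"] = True
        try:
            stage_target(good, tmp / "empty_shm", tmp / "clean3")   # no metadata file there
            results["missing_meta_refused"] = False
        except FileNotFoundError:
            results["missing_meta_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Run stage_target("ffmpeg", "/dev/shm", "../binaries/ztaint_havoc_build") from the build directory to replace the two cp commands of step 3 with a checked copy; demo() exercises the same code paths on constructed data.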

Contact

If you have any questions about ZTaint-Havoc, please feel free to email me:
📧 yxiece@cse.ust.hk

Cite

@inproceedings{xie2025ztaint,
  title={ZTaint-Havoc: From Havoc Mode to Zero-Execution Fuzzing-Driven Taint Inference},
  author={Xie, Yuchong and Zhang, Wenhui and She, Dongdong},
  booktitle={Proceedings of the 2025 International Symposium on Software Testing and Analysis},
  year={2025}
}
