Rust-based Path Coverage-Guided Fuzzing
Date
2025-01-02
Advisor
Xu, Meng
Publisher
University of Waterloo
Abstract
Coverage-guided fuzzing is one of the most effective approaches for library testing. While edge coverage has proven successful in finding many bugs, security-critical projects often require higher granularity to thoroughly examine complex execution paths. Path coverage offers a promising alternative, but it is hindered by path explosion and the overhead of path handling.
In this thesis, we propose Bounded Path coverage, an advanced coverage metric that mitigates path explosion by leveraging a configurable loop unrolling parameter. To realize it, we propose two algorithms: DAGification and Path reduction. To balance thorough path exploration with resource efficiency, we use the Rust compiler toolchain's MIRI component, with minimal instrumentation overhead, for both static and runtime analyses. Our prototype fuzzer successfully generated bounded path coverage, uncovered one previously unknown bug and one discrepancy in real-world Rust projects, and showcased the potential for superior path exploration compared to traditional edge coverage.
Keywords
fuzzing, system security, fuzz testing, Rust, Compiler