Article code: 6884341
Journal code: 695293
Publication year: 2013
English article: 28-page PDF
Full-text version: Free download
English title of the ISI article
Systematic bug finding and fault localization enhanced with input data tracking
Persian translation of the title
Systematic error finding and fault localization enhanced with input data tracking
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract
Fault localization (FL) is the process of debugging erroneous code and directing analysts to the root cause of the bug. With this in mind, we have developed a distributed, end-to-end fuzzing and analysis system that starts with a binary, identifies bugs, and subsequently localizes the bug's root cause. Our system does not require the test subject's source code, nor do we require a test suite. Our work focuses on an important class of bugs, memory corruption errors, which usually have software security implications. Thus, our approach appeals to software attack researchers as well. In addition to our bug hunting and analysis framework, we have enhanced code-coverage based fault localization by incorporating input data tainting and tracking using a light-weight binary instrumentation technique. By capturing code coverage and select input data usage, our new FL algorithm is able to better localize faults, and therefore better assist analysts. We report the application of our approach on large, real-world applications (Firefox and VLC), as well as the classic Siemens benchmark and other test programs.
Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 32, February 2013, Pages 130-157