September 2023
Conference Paper
Title
Improving AFLGo's Directed Fuzzing by Considering Indirect Function Calls
Abstract
Directed fuzzing is a sophisticated security testing technique that aims to find vulnerabilities in specific locations of a software system. It is thus used in cases where targeting a pre-defined section of a system under test (SUT) is required. The directed fuzzer AFLGo utilizes abstract representations of the SUT, such as call graphs and control-flow graphs, to accomplish directedness. These representations, however, do not consider indirect function calls, more specifically calls through function pointers. This might distort AFLGo's process of guiding the testing towards the desired locations. In the worst case, it might even break the directedness altogether. This paper introduces Marauder's Map, an extension for AFLGo that rectifies this problem. Its implementation is discussed, and experiments with various SUTs are conducted to investigate how AFLGo's directed fuzzing benefits from the consideration of indirect function calls. The results show that Marauder's Map is able to expose vulnerabilities up to five times faster than the unaltered version of AFLGo.
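The following Python is an added illustration, not code from the paper or from AFLGo: it computes AFLGo-style function-level distances (the inverse of the summed inverse shortest-path distances to the reachable targets) over a constructed toy call graph, first with direct call edges only and then with function-pointer targets added. The call-site-to-target mapping in `INDIRECT_CALLS` is an assumed resolution for the example, not Marauder's Map's own method.

```python
from collections import deque

# Constructed toy call graph: direct call edges only.
DIRECT_CALLS = {
    "main": ["parse_args", "dispatch"],
    "parse_args": [],
    "dispatch": [],  # reaches handlers only through a function pointer
    "handler_a": ["helper"],
    "handler_b": ["parse_record"],
    "helper": [],
    "parse_record": [],
}

# Constructed (assumed) resolution of the indirect call site in "dispatch"
# to its candidate targets; the static call graph above omits these edges.
INDIRECT_CALLS = {
    "dispatch": ["handler_a", "handler_b"],
}

def build_call_graph(include_indirect):
    """Return the call graph with or without the resolved indirect edges."""
    graph = {f: list(callees) for f, callees in DIRECT_CALLS.items()}
    if include_indirect:
        for caller, targets in INDIRECT_CALLS.items():
            graph[caller].extend(targets)
    return graph

def shortest_paths(graph, source):
    """BFS: number of call edges from source to every reachable function."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in dist:
                dist[callee] = dist[node] + 1
                queue.append(callee)
    return dist

def function_distance(graph, func, targets):
    """AFLGo-style function-level distance from func to the target set:
    0 if func is a target, None (undefined) if no target is reachable,
    else 1 / sum(1 / d) over the shortest distances d to reachable targets."""
    if func in targets:
        return 0.0
    dist = shortest_paths(graph, func)
    reachable = [dist[t] for t in targets if t in dist]
    if not reachable:
        return None
    return 1.0 / sum(1.0 / d for d in reachable)
```

With direct edges only, `main` gets no distance to `parse_record` at all (the guidance is lost), while the resolved edges give a finite value the fuzzer can minimise.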