
Efficient Fuzzing Infrastructure for Pointer-to-Object Association

Hao LING, Heqing HUANG*, Yuandao CAI, Charles ZHANG

*Corresponding author for this work

Research output: Journal Publications and Reviews; RGC 21 - Publication in refereed journal; peer-reviewed

Abstract

Runtime feedback is at the heart of efficient greybox fuzzing, and collecting it is the most important piece of a greybox fuzzer's infrastructure. However, existing fuzzers have difficulty collecting runtime feedback about memory, the most important and most vulnerable component of a running program. The operating system does not support associative queries between arbitrary pointers and runtime objects, so existing work captures only aggregate statistics (e.g., memory usage) or random quantities (e.g., the random addresses stored in pointers), which yields low-precision memory-related feedback.
This paper presents SPINEL, a greybox fuzzer equipped with a new infrastructure for memory feedback collection. It introduces an almost zero-overhead runtime system that associates arbitrary pointers with their corresponding runtime objects and offers spatial distance information as memory-related fuzzing feedback. To avoid accumulating overhead on top of silent error detectors (e.g., sanitizers used to detect memory safety violations), we introduce a post-execution validation technique that removes the expensive runtime safety checks while maintaining the same error detection ability. Our experiments on 33 real-world programs show that SPINEL detects 1.30x to 2.33x as many unique bugs as state-of-the-art fuzzers. Furthermore, measured by restricted mean survival time, SPINEL achieves a 1.56x to 8.21x speedup in triggering the ground-truth bugs collected in the Magma benchmark. © 2025 Copyright held by the owner/author(s).
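To make the pointer-to-object association the abstract describes concrete, here is an added illustration in C. It is not SPINEL's runtime and not code from the paper: SPINEL uses an almost zero-overhead runtime system, whereas this version keeps a small table of registered objects and resolves a pointer with a linear scan so the idea stays readable. All names (reg_register, reg_alloc, reg_free, assoc_query, assoc_t, arena) and the distance convention (0 while in bounds, 1 for the byte adjacent to an object, offsets negative before the object, freed objects kept so dangling pointers still resolve) are assumptions made for this example, not the paper's definitions.

```c
/* Added example, not SPINEL's code: a minimal pointer-to-object association
 * table. Every name here is an assumption made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJS 64

typedef struct {
    uintptr_t base;
    size_t    size;
    int       live;   /* cleared on free; entry kept so dangling pointers still resolve */
} obj_t;

typedef struct {
    int       index;  /* table slot of the associated object */
    ptrdiff_t offset; /* ptr - base; negative when ptr lies before the object */
    ptrdiff_t dist;   /* 0 while in bounds, else bytes outside (1 = adjacent byte) */
    int       live;   /* 0 if the associated object has already been freed */
} assoc_t;

static obj_t table[MAX_OBJS];
static int   nobjs;

/* Registers an existing region (global, stack or arena object). Returns its slot or -1. */
int reg_register(const void *base, size_t size) {
    if (nobjs == MAX_OBJS) return -1;
    table[nobjs].base = (uintptr_t)base;
    table[nobjs].size = size;
    table[nobjs].live = 1;
    return nobjs++;
}

/* malloc wrapper that records the new heap object. */
void *reg_alloc(size_t size) {
    void *p = malloc(size ? size : 1);
    if (p && reg_register(p, size) < 0) { free(p); return NULL; }
    return p;
}

/* free wrapper: marks the object dead but keeps its address range in the table. */
void reg_free(void *p) {
    for (int i = 0; i < nobjs; i++) {
        if (table[i].live && table[i].base == (uintptr_t)p) {
            table[i].live = 0;
            free(p);
            return;
        }
    }
}

/* Spatial distance from address p to object o (0 inside, else bytes outside). */
static ptrdiff_t dist_to(uintptr_t p, const obj_t *o) {
    uintptr_t end = o->base + o->size;          /* one past the last byte */
    if (p < o->base) return (ptrdiff_t)(o->base - p);
    if (p >= end)    return (ptrdiff_t)(p - end) + 1;
    return 0;
}

/* Associates an arbitrary pointer with the nearest registered object.
 * Returns 1 and fills *out, or 0 if nothing has been registered. */
int assoc_query(const void *ptr, assoc_t *out) {
    uintptr_t p = (uintptr_t)ptr;
    int best = -1;
    ptrdiff_t best_d = 0;
    for (int i = 0; i < nobjs; i++) {
        ptrdiff_t d = dist_to(p, &table[i]);
        /* closest wins; at equal distance prefer a live object over a freed one */
        int closer = best < 0 || d < best_d ||
                     (d == best_d && table[i].live && !table[best].live);
        if (closer) { best = i; best_d = d; }
    }
    if (best < 0) return 0;
    const obj_t *o = &table[best];
    out->index  = best;
    out->offset = p >= o->base ? (ptrdiff_t)(p - o->base) : -(ptrdiff_t)(o->base - p);
    out->dist   = best_d;
    out->live   = o->live;
    return 1;
}

unsigned char arena[64];  /* constructed fixed layout so the demo is deterministic */

int main(void) {
    assoc_t r;
    reg_register(arena, 16);        /* object A: arena[0..15]  */
    reg_register(arena + 32, 16);   /* object B: arena[32..47] */
    char *h = reg_alloc(8);         /* object C: heap, freed before the queries */
    const void *probes[] = { arena + 5, arena + 16, arena + 31, arena + 40, h };
    reg_free(h);
    for (size_t i = 0; i < 5; i++) {
        assoc_query(probes[i], &r);
        printf("probe %zu -> obj %d offset %td dist %td live %d\n",
               i, r.index, r.offset, r.dist, r.live);
    }
    return 0;
}
```

The value a fuzzer would consume as feedback is `dist` (and `live`): a probe one byte past object A resolves to A with distance 1 rather than to "some random address", a probe one byte before B resolves to B with offset -1, and the freed heap pointer still resolves to its former object with `live == 0`. The linear scan is the simplification; the paper's contribution is doing this association at almost zero cost.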
Original language: English
Article number: 50
Number of pages: 36
Journal: ACM Transactions on Software Engineering and Methodology
Volume: 35
Issue number: 2
Online published: 18 Apr 2025
DOIs:
Publication status: Published - Jan 2026

Research Keywords

  • Security and privacy
  • Software security engineering
  • Fuzz Testing
  • Domain-Specific Fuzzing
  • Memory Safety
