TUM Logo

Sanitizer Crash Bucketing for Fuzzing

Sanitizer Crash Bucketing for Fuzzing

Supervisor(s): Julian Horsch, Dieter Schuster
Status: inprogress
Topic: Others
Author: Sandro Bauer
Submission: 2021-02-15
Type of Thesis: Masterthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching


Lehrstuhl für Sicherheit in der Informatik Prof. Dr. Claudia Eckert

Master’s thesis in collaboration with Fraunhofer Research Institute AISEC

Sanitizer Crash Bucketing for Fuzzing


Fuzzing is a method widely used for automated testing of software. Fuzzing frameworks, such as AFL1 and LLVM libfuzzer2, are able to find various bugs by generating more or less random input for the program under test. Bugs are normally detected as crashes of the tested program. A typical fuzz campaign can produce a vast amount of crashing inputs, many of which are caused by the same bug.

Crash bucketing tries to bucket crashing inputs with the same root cause, in order to reduce the effort for the analyst. Current approaches typically rely on comparing stack traces or paths of execution and often still create buckets for crashes caused by the same bug or, even worse, conflate crash inputs for different bugs.

In this work, a crash bucketing approach should be developed that uses information generated by different sanitizers to determine, or at least approximate, the cause of the crash and use it for a more precise bucketing of crashes. Different combinations of widely used sanitizers, such as ASAN3 and UBSAN4, and research approaches, such as Softbound5, should be identified, adapted for bucketing if necessary, and evaluated against each other.


Ability to work independently and accurately
Basic knowledge of exploit techniques, fuzzing and C++
Strong interest in compiler-based security, sanitizers, LLVM Strong interest in fuzzing


Julian Horsch,  Dieter Schuster

E-Mail: julian.horsch@aisec.fraunhofer.de, E-Mail: dieter.schuster@aisec.fraunhofer.de

Fraunhofer-Institut  für Angewandte und Integrierte Sicherheit (AISEC) Lichtenbergstr. 11, 85748 Garching (near Munich), Germany http://www.aisec.fraunhofer.de

1 https://github.com/google/AFL
2 http://llvm.org/docs/LibFuzzer.html
3 https://github.com/google/sanitizers/wiki/AddressSanitizer

4 https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html

5 https://www.cs.rutgers.edu/~santosh.nagarakatte/softbound/