In general, Ori is a mutation-based, coverage-guided grey-box fuzzer, which means that it relies on instrumenting the target program to collect execution feedback that guides fuzzing. However, Ori has two key features that set it apart from existing fuzzers.
The first feature is the attach mode. When we fuzz with Ori, the fuzzer is attached to the process under test: we start the process under test first, then run the fuzzer, which communicates with that process and fuzzes it. This differs from previous fuzzers, where the fuzzer was responsible for launching the process under test and managing its lifecycle. The whole procedure is divided into two steps, a fuzzing setup step followed by one or more fuzzing steps. In the fuzzing setup step, the instrumented target program forks a fuzzing server once a certain condition is met. The fuzzing server is forked from the original instrumented process and waits in a loop for incoming fuzzing requests. Once setup succeeds, we can run one or more front-end fuzzers. A front-end fuzzer communicates with the fuzzing server and sends fuzzing requests. Each time the fuzzing server receives a request, it forks a fuzzing target process, which carries out the rest of the fuzzing procedure together with the front-end fuzzer. In short, attach mode eliminates the redundant execution of the prologue code that loads a specific SOME/IP implementation. With this feature, Ori improves overall performance by focusing on the actual protocol logic, and it also allows multiple fuzzing instances to be launched for parallel fuzzing.
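The following is an added example, not Ori's own code, that shows the attach-mode flow just described as a minimal fork server: the target runs its prologue once, forks a server that loops on requests, and the server forks a fresh child per request that runs only the protocol logic. The message handler, its two-byte header format, and the pipe-based request protocol are constructed for the example; Ori's instrumentation and the condition under which it forks the server are not modelled here.

```c
/* Added example, not Ori's own code: a minimal fork server that mirrors the
 * attach-mode flow.  The target runs its (expensive) prologue once, forks a
 * fuzzing server that loops on requests, and the server forks a fresh child
 * per request that executes only the protocol logic on the supplied input. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_INPUT 64

/* Results of the last demo run: [0] accepted, [1] rejected, [2] crashed. */
int demo_counts[3];

/* Constructed stand-in for the SOME/IP handling under test (hypothetical
 * format: byte 0 = type, byte 1 = declared payload length, then payload).
 * A declared length larger than the data present triggers abort(), so the
 * fuzzer observes a signal exactly as it would for a real memory bug. */
static int handle_message(const unsigned char *buf, size_t len) {
    if (len < 2) return 1;                  /* too short: reject */
    size_t declared = buf[1];
    if (declared == 0) return 1;            /* empty payload: reject */
    if (declared > len - 2) abort();        /* simulated bug */
    return 0;                               /* accepted */
}

/* Read exactly n bytes from a pipe; returns 0 on success, -1 on EOF/error. */
static int read_full(int fd, void *dst, size_t n) {
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Fuzzing server: forked once from the instrumented target after the
 * prologue.  ctl_fd carries length-prefixed inputs from the front-end
 * fuzzer; st_fd carries each child's wait status back. */
static void fuzz_server(int ctl_fd, int st_fd) {
    unsigned char len, buf[MAX_INPUT];
    while (read_full(ctl_fd, &len, 1) == 0) {
        if (len > MAX_INPUT || read_full(ctl_fd, buf, len) != 0) break;
        pid_t child = fork();
        if (child == 0)
            _exit(handle_message(buf, len));   /* fuzzing target process */
        int status = 0;
        waitpid(child, &status, 0);
        if (write(st_fd, &status, sizeof status) != sizeof status) break;
    }
    _exit(0);                                  /* EOF on ctl_fd: shut down */
}

/* Front-end side: send one input, return the child's wait status (-1 on error). */
static int send_request(int ctl_fd, int st_fd, const unsigned char *in, unsigned char len) {
    int status;
    if (write(ctl_fd, &len, 1) != 1 || write(ctl_fd, in, len) != (ssize_t)len) return -1;
    if (read_full(st_fd, &status, sizeof status) != 0) return -1;
    return status;
}

/* Drive three constructed inputs through the fork server and tally the
 * outcomes in demo_counts; returns the number of requests served. */
int run_attach_mode_demo(void) {
    static const unsigned char accepted[] = {0x10, 0x02, 0xAA, 0xBB};  /* length matches */
    static const unsigned char rejected[] = {0x10, 0x00};              /* empty payload */
    static const unsigned char crashing[] = {0x10, 0x09, 0xAA};        /* claims 9, has 1 */
    const unsigned char *inputs[3] = {accepted, rejected, crashing};
    const unsigned char lens[3] = {4, 2, 3};
    int ctl[2], st[2], served = 0;

    memset(demo_counts, 0, sizeof demo_counts);
    if (pipe(ctl) != 0 || pipe(st) != 0) return -1;
    pid_t server = fork();                  /* the target forks the server */
    if (server == 0) {
        close(ctl[1]); close(st[0]);
        fuzz_server(ctl[0], st[1]);
    }
    close(ctl[0]); close(st[1]);
    for (int i = 0; i < 3; i++) {
        int status = send_request(ctl[1], st[0], inputs[i], lens[i]);
        if (status < 0) break;
        if (WIFSIGNALED(status)) demo_counts[2]++;
        else if (WEXITSTATUS(status) == 0) demo_counts[0]++;
        else demo_counts[1]++;
        served++;
    }
    close(ctl[1]);                          /* EOF tells the server to exit */
    close(st[0]);
    waitpid(server, NULL, 0);
    return served;
}

int main(void) {
    int n = run_attach_mode_demo();
    printf("served=%d accepted=%d rejected=%d crashed=%d\n",
           n, demo_counts[0], demo_counts[1], demo_counts[2]);
    return n == 3 ? 0 : 1;
}
```

The design choice worth noting is that the server never re-runs the prologue: every per-request child starts from the server's already-initialised state, and closing the control pipe is the only shutdown signal it needs. A crash is observed by the front end as a signalled wait status rather than by the server dying, which is what keeps one server able to serve many requests (and several front-end fuzzers, if each is given its own pipe pair).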