Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CovRL: Fuzzing JavaScript Engines with Coverage-Guided Reinforcement Learning for LLM-based Mutation

Jueon Eom, Seyeon Jeong, Taekyoung Kwon

TL;DR

This paper tackles the challenge of fuzzing complex JavaScript engines by enabling coverage-guided reinforcement learning to steer an LLM-based mutator. It introduces CovRL-Fuzz, which uses a TF-IDF based coverage map to produce a coverage-weighted reward and finetunes the mutator and a rewarder via PPO, thereby increasing new coverage while reducing syntax and semantic errors. Empirical results show CovRL-Fuzz outperforms state-of-the-art fuzzers on multiple engines and uncovers 48 real-world bugs, including 11 CVEs (39 previously unknown). The approach demonstrates the practicality of integrating internal coverage signals with Code-LLMs for robust, scalable fuzzing, with potential applicability to other language runtimes and broader software testing tasks.

Abstract

Fuzzing is an effective bug-finding technique but it struggles with complex systems like JavaScript engines that demand precise grammatical input. Recently, researchers have adopted language models for context-aware mutation in fuzzing to address this problem. However, existing techniques are limited in utilizing coverage guidance for fuzzing, which is rather performed in a black-box manner. This paper presents a novel technique called CovRL (Coverage-guided Reinforcement Learning) that combines Large Language Models (LLMs) with reinforcement learning from coverage feedback. Our fuzzer, CovRL-Fuzz, integrates coverage feedback directly into the LLM by leveraging the Term Frequency-Inverse Document Frequency (TF-IDF) method to construct a weighted coverage map. This map is key in calculating the fuzzing reward, which is then applied to the LLM-based mutator through reinforcement learning. CovRL-Fuzz, through this approach, enables the generation of test cases that are more likely to discover new coverage areas, thus improving vulnerability detection while minimizing syntax and semantic errors, all without needing extra post-processing. Our evaluation results indicate that CovRL-Fuzz outperforms the state-of-the-art fuzzers in terms of code coverage and bug-finding capabilities: CovRL-Fuzz identified 48 real-world security-related bugs in the latest JavaScript engines, including 39 previously unknown vulnerabilities and 11 CVEs.

CovRL: Fuzzing JavaScript Engines with Coverage-Guided Reinforcement Learning for LLM-based Mutation

TL;DR

This paper tackles the challenge of fuzzing complex JavaScript engines by enabling coverage-guided reinforcement learning to steer an LLM-based mutator. It introduces CovRL-Fuzz, which uses a TF-IDF based coverage map to produce a coverage-weighted reward and finetunes the mutator and a rewarder via PPO, thereby increasing new coverage while reducing syntax and semantic errors. Empirical results show CovRL-Fuzz outperforms state-of-the-art fuzzers on multiple engines and uncovers 48 real-world bugs, including 11 CVEs (39 previously unknown). The approach demonstrates the practicality of integrating internal coverage signals with Code-LLMs for robust, scalable fuzzing, with potential applicability to other language runtimes and broader software testing tasks.

Abstract

Fuzzing is an effective bug-finding technique but it struggles with complex systems like JavaScript engines that demand precise grammatical input. Recently, researchers have adopted language models for context-aware mutation in fuzzing to address this problem. However, existing techniques are limited in utilizing coverage guidance for fuzzing, which is rather performed in a black-box manner. This paper presents a novel technique called CovRL (Coverage-guided Reinforcement Learning) that combines Large Language Models (LLMs) with reinforcement learning from coverage feedback. Our fuzzer, CovRL-Fuzz, integrates coverage feedback directly into the LLM by leveraging the Term Frequency-Inverse Document Frequency (TF-IDF) method to construct a weighted coverage map. This map is key in calculating the fuzzing reward, which is then applied to the LLM-based mutator through reinforcement learning. CovRL-Fuzz, through this approach, enables the generation of test cases that are more likely to discover new coverage areas, thus improving vulnerability detection while minimizing syntax and semantic errors, all without needing extra post-processing. Our evaluation results indicate that CovRL-Fuzz outperforms the state-of-the-art fuzzers in terms of code coverage and bug-finding capabilities: CovRL-Fuzz identified 48 real-world security-related bugs in the latest JavaScript engines, including 39 previously unknown vulnerabilities and 11 CVEs.
Paper Structure (16 sections, 9 equations, 4 figures, 9 tables, 3 algorithms)

This paper contains 16 sections, 9 equations, 4 figures, 9 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. JS Engine Fuzzing
  4. Finetuning LLMs for code
  5. Design
  6. Phase 1. Mask Mutation
  7. Phase 2. Coverage-Weighted Rewarding
  8. Phase 3. CovRL-based Finetuning
  9. Implementation
  10. Evaluation
  11. Experimental Design
  12. RQ1. Comparison against existing fuzzers
  13. RQ2. Ablation study
  14. RQ3. Real-World Bugs
  15. Discussion
  16. ...and 1 more sections

Figures (4)

  • Figure 1: Overview: CovRL is a pioneering approach in integrating an LLM-based mutator into coverage-guided fuzzing.
  • Figure 2: Workflow of CovRL-Fuzz: The gray-shaded area illustrates the operation of CovRL.
  • Figure 3: Number of edge coverage between CovRL-Fuzz and other JS engine fuzzers. The solid line represents the average coverage, while the shaded region depicts the range between the lowest and highest values five times.
  • Figure 4: The error rate of generated test cases on V8. The four error types, excluding Syntax Error, are classified as Semantic Errors.