Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

ISC4DGF: Enhancing Directed Grey-box Fuzzing with LLM-Driven Initial Seed Corpus Generation

Yijiang Xu, Hongrui Jia, Liguo Chen, Xin Wang, Zhengran Zeng, Yidong Wang, Qing Gao, Jindong Wang, Wei Ye, Shikun Zhang, Zhonghai Wu

TL;DR

This work targets the inefficiency of seed selection in directed grey-box fuzzing by introducing ISC4DGF, an LLM-driven approach to generate and curate an optimized initial seed corpus tailored to specific CVEs. The system uses a refinement LLM to distill user-provided project and vulnerability context into concise prompts, and a generation LLM to produce executable seeds in the required input formats, which are then filtered and adopted by AFL-based fuzzing. On the Magma benchmark, ISC4DGF achieves a 35.63x speedup in vulnerability reproduction and 616.10x fewer target reaches than AFLGo, while focusing the fuzzer on target areas with reduced code coverage. These results demonstrate the potential of prompting-based seed design to enhance directed fuzzing efficiency and precision, suggesting promising directions for integrating LLMs into other phases of fuzz testing.

Abstract

Fuzz testing is crucial for identifying software vulnerabilities, with coverage-guided grey-box fuzzers like AFL and Angora excelling in broad detection. However, as the need for targeted detection grows, directed grey-box fuzzing (DGF) has become essential, focusing on specific vulnerabilities. The initial seed corpus, which consists of carefully selected input samples that the fuzzer uses as a starting point, is fundamental in determining the paths that the fuzzer explores. A well-designed seed corpus can guide the fuzzer more effectively towards critical areas of the code, improving the efficiency and success of the fuzzing process. Even with its importance, many works concentrate on refining guidance mechanisms while paying less attention to optimizing the initial seed corpus. In this paper, we introduce ISC4DGF, a novel approach to generating optimized initial seed corpus for DGF using Large Language Models (LLMs). By leveraging LLMs' deep software understanding and refined user inputs, ISC4DGF creates precise seed corpus that efficiently trigger specific vulnerabilities. Implemented on AFL and tested against state-of-the-art fuzzers like AFLGo, FairFuzz, and Entropic using the Magma benchmark, ISC4DGF achieved a 35.63x speedup and 616.10x fewer target reaches. Moreover, ISC4DGF focused on more effectively detecting target vulnerabilities, enhancing efficiency while operating with reduced code coverage.

ISC4DGF: Enhancing Directed Grey-box Fuzzing with LLM-Driven Initial Seed Corpus Generation

TL;DR

This work targets the inefficiency of seed selection in directed grey-box fuzzing by introducing ISC4DGF, an LLM-driven approach to generate and curate an optimized initial seed corpus tailored to specific CVEs. The system uses a refinement LLM to distill user-provided project and vulnerability context into concise prompts, and a generation LLM to produce executable seeds in the required input formats, which are then filtered and adopted by AFL-based fuzzing. On the Magma benchmark, ISC4DGF achieves a 35.63x speedup in vulnerability reproduction and 616.10x fewer target reaches than AFLGo, while focusing the fuzzer on target areas with reduced code coverage. These results demonstrate the potential of prompting-based seed design to enhance directed fuzzing efficiency and precision, suggesting promising directions for integrating LLMs into other phases of fuzz testing.

Abstract

Fuzz testing is crucial for identifying software vulnerabilities, with coverage-guided grey-box fuzzers like AFL and Angora excelling in broad detection. However, as the need for targeted detection grows, directed grey-box fuzzing (DGF) has become essential, focusing on specific vulnerabilities. The initial seed corpus, which consists of carefully selected input samples that the fuzzer uses as a starting point, is fundamental in determining the paths that the fuzzer explores. A well-designed seed corpus can guide the fuzzer more effectively towards critical areas of the code, improving the efficiency and success of the fuzzing process. Even with its importance, many works concentrate on refining guidance mechanisms while paying less attention to optimizing the initial seed corpus. In this paper, we introduce ISC4DGF, a novel approach to generating optimized initial seed corpus for DGF using Large Language Models (LLMs). By leveraging LLMs' deep software understanding and refined user inputs, ISC4DGF creates precise seed corpus that efficiently trigger specific vulnerabilities. Implemented on AFL and tested against state-of-the-art fuzzers like AFLGo, FairFuzz, and Entropic using the Magma benchmark, ISC4DGF achieved a 35.63x speedup and 616.10x fewer target reaches. Moreover, ISC4DGF focused on more effectively detecting target vulnerabilities, enhancing efficiency while operating with reduced code coverage.
Paper Structure (16 sections, 2 figures, 4 tables)

This paper contains 16 sections, 2 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Large Language Models
  4. Fuzzing and Testing
  5. Motivation
  6. Approach
  7. Overview
  8. Refining Prompts
  9. Seeds Generation and Selection
  10. Evaluation
  11. Efficiency in Reproducing Vulnerabilities
  12. Fast-tracking Exploits
  13. Coverage Focus on Target Areas
  14. Discussion
  15. Related Work
  16. ...and 1 more sections

Figures (2)

  • Figure 1: Overview of ISC4DGF. Illustrates the process of refining user inputs through a refinement LLM, followed by the use of a generation LLM to create and select the optimized initial seed corpus for directed grey-box fuzzing.
  • Figure 2: Comparison of Code Coverage and Target Reach Efficiency. Figure (a) illustrates the code coverage, while Figure (b) compares the number of target reaches, both for ISC4DGF and AFL.