Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators
Kunpeng Zhang, Zongjie Li, Daoyuan Wu, Shuai Wang, Xin Xia
TL;DR
The paper tackles the challenge of fuzzing software that accepts complex, non-textual inputs by proposing G2Fuzz, a hybrid framework that uses LLMs to synthesize and mutate Python input generators and then hands the generated data to AFL++ for local mutation. This combination pairs the strength of LLMs in grasping format features with the efficiency of traditional fuzzers in exploring the input space, yielding improved code coverage and bug detection across a wide range of formats at moderate LLM cost. Extensive evaluation across UNIFUZZ, FuzzBench, and MAGMA demonstrates that G2Fuzz outperforms state-of-the-art mutation-based and structure-aware fuzzers, discovering real-world bugs and CVEs (e.g., several in MP4, TIFF, and PDF pipelines). The approach generalizes across multiple LLMs, supports numerous file formats through generator-based synthesis, and emphasizes open science and responsible disclosure, making it a practical and scalable solution for grammar-aware fuzzing of non-textual inputs.
Abstract
Modern software often accepts inputs with highly complex grammars. Recent advances in large language models (LLMs) have shown that they can be used to synthesize high-quality natural language text and code that conforms to the grammar of a given input format. Nevertheless, LLMs are often incapable of generating, or too costly for generating, non-textual outputs such as images, videos, and PDF files. This limitation hinders the application of LLMs in grammar-aware fuzzing. We present a novel approach to enabling grammar-aware fuzzing over non-textual inputs. We employ LLMs to synthesize and also mutate input generators, in the form of Python scripts, that generate data conforming to the grammar of a given input format. Then, non-textual data yielded by the input generators are further mutated by traditional fuzzers (AFL++) to explore the software input space effectively. Our approach, G2FUZZ, features a hybrid strategy that combines a holistic search driven by LLMs and a local search driven by industrial-quality fuzzers. Two key advantages are: (1) LLMs are good at synthesizing and mutating input generators and at enabling escape from local optima, thus achieving a synergistic effect when combined with mutation-based fuzzers; (2) LLMs are invoked less frequently, only when really needed, thus significantly reducing the cost of LLM usage. We have evaluated G2FUZZ on a variety of input formats, including TIFF images, MP4 audio files, and PDF files. The results show that G2FUZZ outperforms SOTA tools such as AFL++, Fuzztruction, and FormatFuzzer in terms of code coverage and bug finding across most programs tested on three platforms: UNIFUZZ, FuzzBench, and MAGMA.
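To make the two-level search concrete, the following added example (written for this page; it is not G2FUZZ's code and no LLM is involved) shows the shape of a Python input generator for one of the evaluated formats, baseline TIFF, together with the byte-level local mutation that a traditional fuzzer would apply to the generator's output. The generator's parameters (width, height, seed) are the knobs that the holistic, LLM-driven search would change by rewriting the script; `parse_tiff` is a hypothetical stand-in for the program under test, used only to show how structured seeds and their mutants differ. Tag numbers and field types are from the TIFF 6.0 specification; everything else (function names, the mutation strategy, the trial counts) is an assumption of this example.

```python
"""Generator-based seed synthesis for a non-textual format (baseline TIFF),
followed by mutation-fuzzer-style local search on the generated bytes.
Hypothetical illustration, not G2FUZZ's or AFL++'s own code."""
import random
import struct

# TIFF 6.0 tag numbers and field types used below
TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH, TAG_BITS_PER_SAMPLE = 256, 257, 258
TAG_COMPRESSION, TAG_PHOTOMETRIC, TAG_STRIP_OFFSETS = 259, 262, 273
TAG_SAMPLES_PER_PIXEL, TAG_ROWS_PER_STRIP, TAG_STRIP_BYTE_COUNTS = 277, 278, 279
TYPE_SHORT, TYPE_LONG = 3, 4
HEADER_SIZE, ENTRY_SIZE = 8, 12


def generate_tiff(width: int, height: int, seed: int = 0) -> bytes:
    """Input generator: emit a single-strip, uncompressed 8-bit grayscale TIFF.
    Width, height and seed are the parameters a higher-level search would vary."""
    rng = random.Random(seed)
    pixels = bytes(rng.randrange(256) for _ in range(width * height))
    entries = [
        (TAG_IMAGE_WIDTH, TYPE_LONG, width),
        (TAG_IMAGE_LENGTH, TYPE_LONG, height),
        (TAG_BITS_PER_SAMPLE, TYPE_SHORT, 8),
        (TAG_COMPRESSION, TYPE_SHORT, 1),          # 1 = no compression
        (TAG_PHOTOMETRIC, TYPE_SHORT, 1),          # 1 = BlackIsZero
        (TAG_STRIP_OFFSETS, TYPE_LONG, None),      # patched once the IFD size is known
        (TAG_SAMPLES_PER_PIXEL, TYPE_SHORT, 1),
        (TAG_ROWS_PER_STRIP, TYPE_LONG, height),
        (TAG_STRIP_BYTE_COUNTS, TYPE_LONG, len(pixels)),
    ]
    ifd_size = 2 + ENTRY_SIZE * len(entries) + 4   # count + entries + next-IFD pointer
    strip_offset = HEADER_SIZE + ifd_size          # pixel data follows the IFD directly
    ifd = struct.pack("<H", len(entries))
    for tag, ftype, value in sorted(entries, key=lambda e: e[0]):  # tags must ascend
        if value is None:
            value = strip_offset
        if ftype == TYPE_SHORT:
            # a SHORT fits in the 4-byte value field, left-justified (little-endian)
            ifd += struct.pack("<HHIHH", tag, ftype, 1, value, 0)
        else:
            ifd += struct.pack("<HHII", tag, ftype, 1, value)
    ifd += struct.pack("<I", 0)                    # no next IFD
    header = b"II" + struct.pack("<HI", 42, HEADER_SIZE)  # little-endian, magic 42
    return header + ifd + pixels


def parse_tiff(data: bytes) -> dict:
    """Stand-in for the target program: return the first IFD's tags as a dict, or
    raise ValueError when the file is malformed (the behaviour a harness observes)."""
    if len(data) < HEADER_SIZE or data[:2] != b"II":
        raise ValueError("bad header")
    magic, ifd_offset = struct.unpack_from("<HI", data, 2)
    if magic != 42:
        raise ValueError("bad magic")
    if ifd_offset + 2 > len(data):
        raise ValueError("IFD offset out of range")
    (count,) = struct.unpack_from("<H", data, ifd_offset)
    tags, pos = {}, ifd_offset + 2
    for _ in range(count):
        if pos + ENTRY_SIZE > len(data):
            raise ValueError("truncated IFD")
        tag, ftype, _n, raw = struct.unpack_from("<HHII", data, pos)
        tags[tag] = raw & 0xFFFF if ftype == TYPE_SHORT else raw
        pos += ENTRY_SIZE
    off, size = tags.get(TAG_STRIP_OFFSETS, 0), tags.get(TAG_STRIP_BYTE_COUNTS, 0)
    if off + size > len(data):
        raise ValueError("strip exceeds file")
    return tags


def mutate_bytes(data: bytes, rounds: int, seed: int) -> bytes:
    """Local search in the style of a mutation-based fuzzer: bit flips and
    interesting-value overwrites applied to the generator's structured output."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(rounds):
        pos = rng.randrange(len(buf))
        if rng.random() < 0.5:
            buf[pos] ^= 1 << rng.randrange(8)
        else:
            buf[pos] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(buf)


def fuzz_campaign(width: int, height: int, rounds: int = 16, trials: int = 50) -> tuple:
    """One generator-level configuration, many byte-level mutants.
    Returns (accepted, rejected) counts from the stand-in target."""
    seed_file = generate_tiff(width, height)
    accepted = rejected = 0
    for trial in range(trials):
        try:
            parse_tiff(mutate_bytes(seed_file, rounds, seed=trial))
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    print(parse_tiff(generate_tiff(4, 3)))
    print(fuzz_campaign(4, 3))
```

The point of the split is that the generator guarantees every seed is a structurally valid TIFF (correct header, ascending tags, consistent strip offset and byte count), which a byte-level mutator alone rarely reaches from an empty corpus, while the cheap byte-level rounds explore the neighbourhood of each seed without further generator invocations; in G2FUZZ the generator itself is what the LLM rewrites when the local search stalls.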
