Table of Contents
Fetching ...

Poster: Machine Learning for Vulnerability Detection as Target Oracle in Automated Fuzz Driver Generation

Gianpietro Castiglione, Marcello Maugeri, Giampaolo Bella

TL;DR

The paper tackles the high false-positive rate in ML-based vulnerability detection and the labor-intensive process of fuzz driver creation in vulnerability discovery. It proposes a hybrid workflow that uses ML4VD as a target oracle to rank functions and then applies Automated Fuzz Driver Generation (AFDG) to synthesize fuzz drivers, followed by dynamic fuzzing to verify vulnerabilities. The authors validate the approach on a libgd vulnerability (CVE-2016-6912) by targeting gdImageWebpPtr and generating a new fuzz driver that accesses previously uncovered code paths. They report that initial LLM-based fuzz-driver generation required prompt adjustments (e.g., removing input caps) to locate the vulnerability, highlighting practical challenges in coupling language models with fuzzing. The work lays out a plan for large-scale evaluation across OSS-Fuzz and DiverseVul to quantify improvements in vulnerability confirmation and false-positive mitigation.

Abstract

In vulnerability detection, machine learning has been used as an effective static analysis technique, although it suffers from a significant rate of false positives. Contextually, in vulnerability discovery, fuzzing has been used as an effective dynamic analysis technique, although it requires manually writing fuzz drivers. Fuzz drivers usually target a limited subset of functions in a library that must be chosen according to certain criteria, e.g., the depth of a function, the number of paths. These criteria are verified by components called target oracles. In this work, we propose an automated fuzz driver generation workflow composed of: (1) identifying a likely vulnerable function by leveraging a machine learning for vulnerability detection model as a target oracle, (2) automatically generating fuzz drivers, (3) fuzzing the target function to find bugs which could confirm the vulnerability inferred by the target oracle. We show our method on an existing vulnerability in libgd, with a plan for large-scale evaluation.

Poster: Machine Learning for Vulnerability Detection as Target Oracle in Automated Fuzz Driver Generation

TL;DR

The paper tackles the high false-positive rate in ML-based vulnerability detection and the labor-intensive process of fuzz driver creation in vulnerability discovery. It proposes a hybrid workflow that uses ML4VD as a target oracle to rank functions and then applies Automated Fuzz Driver Generation (AFDG) to synthesize fuzz drivers, followed by dynamic fuzzing to verify vulnerabilities. The authors validate the approach on a libgd vulnerability (CVE-2016-6912) by targeting gdImageWebpPtr and generating a new fuzz driver that accesses previously uncovered code paths. They report that initial LLM-based fuzz-driver generation required prompt adjustments (e.g., removing input caps) to locate the vulnerability, highlighting practical challenges in coupling language models with fuzzing. The work lays out a plan for large-scale evaluation across OSS-Fuzz and DiverseVul to quantify improvements in vulnerability confirmation and false-positive mitigation.

Abstract

In vulnerability detection, machine learning has been used as an effective static analysis technique, although it suffers from a significant rate of false positives. Contextually, in vulnerability discovery, fuzzing has been used as an effective dynamic analysis technique, although it requires manually writing fuzz drivers. Fuzz drivers usually target a limited subset of functions in a library that must be chosen according to certain criteria, e.g., the depth of a function, the number of paths. These criteria are verified by components called target oracles. In this work, we propose an automated fuzz driver generation workflow composed of: (1) identifying a likely vulnerable function by leveraging a machine learning for vulnerability detection model as a target oracle, (2) automatically generating fuzz drivers, (3) fuzzing the target function to find bugs which could confirm the vulnerability inferred by the target oracle. We show our method on an existing vulnerability in libgd, with a plan for large-scale evaluation.
Paper Structure (13 sections, 3 figures)

This paper contains 13 sections, 3 figures.

Figures (3)

  • Figure 1: Workflow of the proposed method
  • Figure 2: Function Signature of gdImageWebpPtr
  • Figure 3: OSS-Fuzz-Gen prompt