Directed Greybox Fuzzing via Large Language Model
Hanxiang Xu, Yanjie Zhao, Haoyu Wang
TL;DR
This paper tackles the efficiency gap in directed greybox fuzzing by introducing HGFuzzer, an automatic framework that leverages a large language model to transform path constraint analysis into code-generation tasks. It combines call-chain analysis, execution-condition extraction, harness generation, reachable-input construction, and target-specific mutator design to tightly guide exploration and reduce randomness in exploitation. Empirical evaluations on 20 real-world CVEs show that HGFuzzer triggers 17 vulnerabilities (11 within the first minute) with at least a 24.8× speedup over state-of-the-art baselines and uncovers 9 new CVEs, underscoring the practical impact of LLM-powered fuzzing. The work demonstrates the viability of integrating LLM reasoning and code generation into fuzzing workflows to improve precision, efficiency, and vulnerability discovery in real-world libraries.
Abstract
Directed greybox fuzzing (DGF) focuses on efficiently reaching specific program locations or triggering particular behaviors, making it essential for tasks like vulnerability detection and crash reproduction. However, existing methods often suffer from path explosion and randomness in input mutation, leading to inefficiencies in exploring and exploiting target paths. In this paper, we propose HGFuzzer, an automatic framework that leverages the large language model (LLM) to address these challenges. HGFuzzer transforms path constraint problems into targeted code generation tasks, systematically generating test harnesses and reachable inputs to reduce unnecessary exploration paths significantly. Additionally, we implement custom mutators designed specifically for target functions, minimizing randomness and improving the precision of directed fuzzing. We evaluated HGFuzzer on 20 real-world vulnerabilities, successfully triggering 17, including 11 within the first minute, achieving a speedup of at least 24.8x compared to state-of-the-art directed fuzzers. Furthermore, HGFuzzer discovered 9 previously unknown vulnerabilities, all of which were assigned CVE IDs, demonstrating the effectiveness of our approach in identifying real-world vulnerabilities.
