Table of Contents
Fetching ...

Directed Greybox Fuzzing via Large Language Model

Hanxiang Xu, Yanjie Zhao, Haoyu Wang

TL;DR

This paper tackles the efficiency gap in directed greybox fuzzing by introducing HGFuzzer, an automatic framework that leverages a large language model to transform path constraint analysis into code-generation tasks. It combines call-chain analysis, execution-condition extraction, harness generation, reachable-input construction, and target-specific mutator design to tightly guide exploration and reduce randomness in exploitation. Empirical evaluations on 20 real-world CVEs show that HGFuzzer triggers 17 vulnerabilities (11 within the first minute) with at least a 24.8× speedup over state-of-the-art baselines and uncovers 9 new CVEs, underscoring the practical impact of LLM-powered fuzzing. The work demonstrates the viability of integrating LLM reasoning and code generation into fuzzing workflows to improve precision, efficiency, and vulnerability discovery in real-world libraries.

Abstract

Directed greybox fuzzing (DGF) focuses on efficiently reaching specific program locations or triggering particular behaviors, making it essential for tasks like vulnerability detection and crash reproduction. However, existing methods often suffer from path explosion and randomness in input mutation, leading to inefficiencies in exploring and exploiting target paths. In this paper, we propose HGFuzzer, an automatic framework that leverages the large language model (LLM) to address these challenges. HGFuzzer transforms path constraint problems into targeted code generation tasks, systematically generating test harnesses and reachable inputs to reduce unnecessary exploration paths significantly. Additionally, we implement custom mutators designed specifically for target functions, minimizing randomness and improving the precision of directed fuzzing. We evaluated HGFuzzer on 20 real-world vulnerabilities, successfully triggering 17, including 11 within the first minute, achieving a speedup of at least 24.8x compared to state-of-the-art directed fuzzers. Furthermore, HGFuzzer discovered 9 previously unknown vulnerabilities, all of which were assigned CVE IDs, demonstrating the effectiveness of our approach in identifying real-world vulnerabilities.

Directed Greybox Fuzzing via Large Language Model

TL;DR

This paper tackles the efficiency gap in directed greybox fuzzing by introducing HGFuzzer, an automatic framework that leverages a large language model to transform path constraint analysis into code-generation tasks. It combines call-chain analysis, execution-condition extraction, harness generation, reachable-input construction, and target-specific mutator design to tightly guide exploration and reduce randomness in exploitation. Empirical evaluations on 20 real-world CVEs show that HGFuzzer triggers 17 vulnerabilities (11 within the first minute) with at least a 24.8× speedup over state-of-the-art baselines and uncovers 9 new CVEs, underscoring the practical impact of LLM-powered fuzzing. The work demonstrates the viability of integrating LLM reasoning and code generation into fuzzing workflows to improve precision, efficiency, and vulnerability discovery in real-world libraries.

Abstract

Directed greybox fuzzing (DGF) focuses on efficiently reaching specific program locations or triggering particular behaviors, making it essential for tasks like vulnerability detection and crash reproduction. However, existing methods often suffer from path explosion and randomness in input mutation, leading to inefficiencies in exploring and exploiting target paths. In this paper, we propose HGFuzzer, an automatic framework that leverages the large language model (LLM) to address these challenges. HGFuzzer transforms path constraint problems into targeted code generation tasks, systematically generating test harnesses and reachable inputs to reduce unnecessary exploration paths significantly. Additionally, we implement custom mutators designed specifically for target functions, minimizing randomness and improving the precision of directed fuzzing. We evaluated HGFuzzer on 20 real-world vulnerabilities, successfully triggering 17, including 11 within the first minute, achieving a speedup of at least 24.8x compared to state-of-the-art directed fuzzers. Furthermore, HGFuzzer discovered 9 previously unknown vulnerabilities, all of which were assigned CVE IDs, demonstrating the effectiveness of our approach in identifying real-world vulnerabilities.
Paper Structure (22 sections, 8 figures, 4 tables, 2 algorithms)

This paper contains 22 sections, 8 figures, 4 tables, 2 algorithms.

Figures (8)

  • Figure 1: A motivating example from CVE-2017-2897, where the red blocks indicate a reachable path to the vulnerable target function read_MAST.
  • Figure 2: A motivating example from CVE-2020-13790.
  • Figure 3: Overview of HGFuzzer .
  • Figure 4: An example of the response from the LLM in execution conditions analysis.
  • Figure 5: Prompt template for target harness generation.
  • ...and 3 more figures