Table of Contents
Fetching ...

Beyond Imprecise Distance Metrics: LLM-Predicted Target Call Stacks for Directed Greybox Fuzzing

Yifan Zhang, Xin Zhang

TL;DR

Directed greybox fuzzing suffers from imprecise static analysis based distance metrics that misrank seeds. The paper introduces Staczzer, which uses LLM predicted vulnerability triggering call stacks to guide seed prioritization, replacing imprecise distance metrics with a precise call stack representation. Evaluations across 41 real vulnerabilities show Staczzer achieves average speedups of 1.86× to 3.09× over baselines and finds 10 new vulnerabilities plus 2 incomplete fixes, validating practical impact for vulnerability discovery and patch testing. This work demonstrates how integrating LLMs into the seed prioritization core of directed fuzzing can substantially improve effectiveness on real-world software.

Abstract

Directed greybox fuzzing (DGF) aims to efficiently trigger bugs at specific target locations by prioritizing seeds whose execution paths are more likely to mutate into triggering target bugs. However, existing DGF approaches suffer from imprecise probability calculations due to their reliance on complex distance metrics derived from static analysis. The over-approximations inherent in static analysis cause a large number of irrelevant execution paths to be mistakenly considered to potentially mutate into triggering target bugs, significantly reducing fuzzing efficiency. We propose to replace static analysis-based distance metrics with precise call stack representations. Call stacks represent precise control flows, thereby avoiding false information in static analysis. We leverage large language models (LLMs) to predict vulnerability-triggering call stacks for guiding seed prioritization. Our approach constructs call graphs through static analysis to identify methods that can potentially reach target locations, then utilizes LLMs to predict the most likely call stack sequence that triggers the vulnerability. Seeds whose execution paths have higher overlap with the predicted call stack are prioritized for mutation. This is the first work to integrate LLMs into the core seed prioritization mechanism of DGF. We implement our approach and evaluate it against several state-of-the-art fuzzers. On a suite of real-world programs, our approach triggers vulnerabilities $1.86\times$ to $3.09\times$ faster compared to baselines. In addition, our approach identifies 10 new vulnerabilities and 2 incomplete fixes in the latest versions of programs used in our controlled experiments through directed patch testing, with 10 assigned CVE IDs.

Beyond Imprecise Distance Metrics: LLM-Predicted Target Call Stacks for Directed Greybox Fuzzing

TL;DR

Directed greybox fuzzing suffers from imprecise static analysis based distance metrics that misrank seeds. The paper introduces Staczzer, which uses LLM predicted vulnerability triggering call stacks to guide seed prioritization, replacing imprecise distance metrics with a precise call stack representation. Evaluations across 41 real vulnerabilities show Staczzer achieves average speedups of 1.86× to 3.09× over baselines and finds 10 new vulnerabilities plus 2 incomplete fixes, validating practical impact for vulnerability discovery and patch testing. This work demonstrates how integrating LLMs into the seed prioritization core of directed fuzzing can substantially improve effectiveness on real-world software.

Abstract

Directed greybox fuzzing (DGF) aims to efficiently trigger bugs at specific target locations by prioritizing seeds whose execution paths are more likely to mutate into triggering target bugs. However, existing DGF approaches suffer from imprecise probability calculations due to their reliance on complex distance metrics derived from static analysis. The over-approximations inherent in static analysis cause a large number of irrelevant execution paths to be mistakenly considered to potentially mutate into triggering target bugs, significantly reducing fuzzing efficiency. We propose to replace static analysis-based distance metrics with precise call stack representations. Call stacks represent precise control flows, thereby avoiding false information in static analysis. We leverage large language models (LLMs) to predict vulnerability-triggering call stacks for guiding seed prioritization. Our approach constructs call graphs through static analysis to identify methods that can potentially reach target locations, then utilizes LLMs to predict the most likely call stack sequence that triggers the vulnerability. Seeds whose execution paths have higher overlap with the predicted call stack are prioritized for mutation. This is the first work to integrate LLMs into the core seed prioritization mechanism of DGF. We implement our approach and evaluate it against several state-of-the-art fuzzers. On a suite of real-world programs, our approach triggers vulnerabilities to faster compared to baselines. In addition, our approach identifies 10 new vulnerabilities and 2 incomplete fixes in the latest versions of programs used in our controlled experiments through directed patch testing, with 10 assigned CVE IDs.
Paper Structure (19 sections, 9 equations, 7 figures, 7 tables, 4 algorithms)

This paper contains 19 sections, 9 equations, 7 figures, 7 tables, 4 algorithms.

Figures (7)

  • Figure 1: Simplified code fragment from cxxfilt containing CVE-2016-4489.
  • Figure 2: CFG corresponding to the code fragment in \ref{['code-cxxfilt']} and the nodes traversed by the execution paths of seeds $s_0$ and $s_1$. The numbers within each node represent the line numbers in \ref{['code-cxxfilt']}, while the numbers in the small circles to the right of each node indicate their shortest distances to the target node. Nodes with gray backgrounds represent the nodes traversed by the seed's execution path. Nodes with double borders represent deviation basic blocks (DBBs) as defined in WindRanger, which can reach the target node themselves but point to a node that cannot reach the target node. Nodes with bold borders represent target nodes. Bold edges represent the control flows present in the actual vulnerability-triggering execution.
  • Figure 3: VFG corresponding to the code fragment in \ref{['code-cxxfilt']} and the nodes traversed by the execution paths of seeds $s_0$ and $s_1$. The numbers within each node represent the line numbers in \ref{['code-cxxfilt']}, while the numbers in the small circles to the right of each node indicate their shortest distances to the target node. Nodes with gray backgrounds represent the nodes traversed by the seed's execution path. Nodes with bold borders represent target nodes. Bold edges represent the value flows present in the actual vulnerability-triggering execution.
  • Figure 4: Call stack backtrace generated by AddressSanitizer after triggering vulnerability CVE-2017-8398.
  • Figure 5: Call stack corresponding to the code fragment when triggering the target vulnerability in \ref{['code-cxxfilt']} and the nodes traversed by the execution paths of seeds $s_0$ and $s_1$. The numbers within each node represent the line numbers in \ref{['code-cxxfilt']}. Nodes with gray backgrounds represent the nodes traversed by the seed's execution path. Nodes with bold borders represent the target code line. Nodes without bold borders represent call sites in vulnerability-triggering execution.
  • ...and 2 more figures

Theorems & Definitions (6)

  • definition 1: program input
  • definition 2: program location
  • definition 3: crashing input
  • definition 4: execution trace
  • definition 5: goal of directed greybox fuzzing
  • definition 6: call graph