
From Coverage to Causes: Data-Centric Fuzzing for JavaScript Engines

Kishan Kumar Ganguly, Tim Menzies

TL;DR

The paper addresses the inefficiency of coverage-guided fuzzing for complex JavaScript engines and proposes a data-centric, LLM-augmented approach that learns from historical vulnerabilities to guide fuzzing toward high-risk inputs. By extracting a compact set of static and dynamic features (via iterative LLM prompts and V8 trace data) and training an XGBoost predictor, the authors demonstrate high precision (>85%) with very low false alarms, while showing that a small subset of features suffices for near-optimal performance. The study further integrates these features into a fuzzing loop (based on Fuzzilli), achieving faster discovery of real crashes and maintaining reasonable runtime overhead. The work contributes a reproducible, open-science pipeline and highlights the potential of shifting fuzzing focus from maximizing coverage to modeling vulnerability likelihood using data-driven signals.

Abstract

Context: Exhaustive fuzzing of modern JavaScript engines is infeasible due to the vast number of program states and execution paths. Coverage-guided fuzzers waste effort on low-risk inputs, often ignoring vulnerability-triggering ones that do not increase coverage. Existing heuristics proposed to mitigate this require expert effort, are brittle, and are hard to adapt. Objective: We propose a data-centric, LLM-boosted alternative that learns from historical vulnerabilities to automatically identify minimal static (code) and dynamic (runtime) features for detecting high-risk inputs. Method: Guided by historical V8 bugs, iterative prompting generated 115 static and 49 dynamic features, with the latter requiring only five trace flags, minimizing instrumentation cost. After feature selection, 41 features remained to train an XGBoost model to predict high-risk inputs during fuzzing. Results: Combining static and dynamic features yields over 85% precision and under 1% false alarms. Only 25% of these features are needed for comparable performance, showing that most of the search space is irrelevant. Conclusion: This work introduces feature-guided fuzzing, an automated data-driven approach that replaces coverage with data-directed inference, guiding fuzzers toward high-risk states for faster, targeted, and reproducible vulnerability discovery. To support open science, all scripts and data are available at https://github.com/KKGanguly/DataCentricFuzzJS.
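The abstract evaluates its high-risk-input predictor with time-aware cross-validation folds (see Figure 3) and reports precision, recall and false alarm rate. The following added example (not the paper's code) shows that evaluation loop end to end; a naive centroid scorer stands in for the paper's XGBoost model, and the feature names and sample rows are constructed, not taken from the paper.

```python
# Added example, not the paper's code: time-aware evaluation of a
# high-risk-input predictor. A naive centroid scorer stands in for the
# paper's XGBoost model; feature names and sample rows are constructed.
from typing import Callable, Dict, List, Tuple

Sample = Tuple[int, Dict[str, float], bool]  # (date ordinal, features, bug-triggering?)

def time_aware_folds(samples: List[Sample], n_folds: int):
    """Every test sample is newer than every training sample, so patterns
    from later bugs cannot leak into the model (unlike random k-fold)."""
    ordered = sorted(samples, key=lambda s: s[0])
    step = len(ordered) // (n_folds + 1)
    return [(ordered[:k * step], ordered[k * step:(k + 1) * step])
            for k in range(1, n_folds + 1)]

def fit_centroid_scorer(train: List[Sample]) -> Callable[[Dict[str, float]], bool]:
    """Stand-in model: flag an input whose feature vector lies closer to the
    mean of historical bug-triggering inputs than to the mean of safe ones."""
    keys = sorted({k for _, f, _ in train for k in f})
    def centroid(label: bool) -> Dict[str, float]:
        grp = [f for _, f, l in train if l == label] or [{}]
        return {k: sum(f.get(k, 0.0) for f in grp) / len(grp) for k in keys}
    risky, safe = centroid(True), centroid(False)
    def dist(f: Dict[str, float], c: Dict[str, float]) -> float:
        return sum((f.get(k, 0.0) - c[k]) ** 2 for k in keys)
    return lambda f: dist(f, risky) < dist(f, safe)

def evaluate(preds: List[bool], labels: List[bool]) -> Dict[str, float]:
    """Precision, recall and false alarm rate: the three metrics the paper reports."""
    tp = sum(p and l for p, l in zip(preds, labels))
    fp = sum(p and not l for p, l in zip(preds, labels))
    fn = sum(l and not p for p, l in zip(preds, labels))
    tn = len(preds) - tp - fp - fn
    div = lambda a, b: a / b if b else 0.0
    return {"precision": div(tp, tp + fp), "recall": div(tp, tp + fn),
            "false_alarm": div(fp, fp + tn)}

def run_time_aware_eval(samples: List[Sample], n_folds: int = 2) -> List[Dict[str, float]]:
    out = []
    for train, test in time_aware_folds(samples, n_folds):
        model = fit_centroid_scorer(train)  # trained only on older inputs
        out.append(evaluate([model(f) for _, f, _ in test], [l for _, _, l in test]))
    return out

# Constructed rows: (date, static "arr_len_mutations", dynamic "deopts", bug label).
_ROWS = [(1, 4, 3, True), (2, 0, 1, False), (3, 1, 0, False), (4, 5, 2, True),
         (5, 3, 4, True), (6, 0, 0, False), (7, 1, 1, False), (8, 4, 4, True),
         (9, 2, 3, True), (10, 0, 1, False), (11, 3, 2, False), (12, 5, 3, True)]
SAMPLES: List[Sample] = [(d, {"arr_len_mutations": a, "deopts": de}, hit) for d, a, de, hit in _ROWS]
```

Row 11 is deliberately an ambiguous safe input, so the second fold shows a non-zero false alarm rate, the cost the paper's under-1% figure is meant to keep small.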

Paper Structure

This paper contains 52 sections, 3 equations, 6 figures, 6 tables, and 3 algorithms.

Figures (6)

  • Figure 1: UpSet plot of five research categories in JS engine fuzzing. Our paper is the right-most entry.
  • Figure 2: Overview of the Proposed Method
  • Figure 3: Precision, recall, and false alarm rates over time-aware cross-validation folds. Precision remains consistently high, recall shows moderate variation, and false alarm rates are low, indicating strong predictive reliability of the guidance model.
  • Figure 4: Comparative evaluation of model performance across three test folds for different top-ranked feature fractions. Precision, recall, and false alarm plateau for Top 25%–100% of features, with nearly overlapping means and low variance, indicating diminishing returns from including the remaining 75% of features.
  • Figure 5: Mean rank of the top 25% features across different folds and runs. Features are categorized as either static or dynamic, providing insight into their relative importance for vulnerability prediction.