Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators

TL;DR

This paper introduces G2FUZZ, a hybrid fuzzing approach that leverages large language models to synthesize and mutate input generators for non-textual data, significantly improving bug detection and code coverage.

Contribution

The paper presents a novel hybrid fuzzing method combining LLM-driven generator synthesis with traditional mutation-based fuzzing for non-textual inputs.

Findings

G2FUZZ outperforms state-of-the-art tools in code coverage.

G2FUZZ finds more bugs across diverse formats.

LLM-assisted generator mutation enhances fuzzing effectiveness.

Abstract

Modern software often accepts inputs with highly complex grammars. Recent advances in large language models (LLMs) have shown that they can be used to synthesize high-quality natural language text and code that conforms to the grammar of a given input format. Nevertheless, LLMs are often incapable or too costly to generate non-textual outputs, such as images, videos, and PDF files. This limitation hinders the application of LLMs in grammar-aware fuzzing. We present a novel approach to enabling grammar-aware fuzzing over non-textual inputs. We employ LLMs to synthesize and also mutate input generators, in the form of Python scripts, that generate data conforming to the grammar of a given input format. Then, non-textual data yielded by the input generators are further mutated by traditional fuzzers (AFL++) to explore the software input space effectively. Our approach, namely G2FUZZ, features a hybrid strategy that combines a holistic search driven by LLMs and a local search driven by industrial quality fuzzers. Two key advantages are: (1) LLMs are good at synthesizing and mutating input generators and enabling jumping out of local optima, thus achieving a synergistic effect when combined with mutation-based fuzzers; (2) LLMs are less frequently invoked unless really needed, thus significantly reducing the cost of LLM usage. We have evaluated G2FUZZ on a variety of input formats, including TIFF images, MP4 audios, and PDF files. The results show that G2FUZZ outperforms SOTA tools such as AFL++, Fuzztruction, and FormatFuzzer in terms of code coverage and bug finding across most programs tested on three platforms: UNIFUZZ, FuzzBench, and MAGMA.