Fuzzwise: Intelligent Initial Corpus Generation for Fuzzing

TL;DR

Fuzzwise uses large language models within a multi-agent framework to generate and evaluate initial seed corpora for fuzzing, improving efficiency and coverage without executing test cases.

Contribution

It introduces an integrated LLM-based approach that combines seed generation and coverage prediction into one process, reducing resource use and increasing effectiveness.

Findings

Fuzzwise generates fewer test cases but achieves higher code coverage.

It triggers more runtime errors than baseline methods.

It is more time- and coverage-efficient in initial corpus generation.

Abstract

In mutation-based greybox fuzzing, generating high-quality input seeds for the initial corpus is essential for effective fuzzing. Rather than conducting separate phases for generating a large corpus and subsequently minimizing it, we propose FuzzWise which integrates them into one process to generate the optimal initial corpus of seeds (ICS). FuzzWise leverages a multi-agent framework based on Large Language Models (LLMs). The first LLM agent generates test cases for the target program. The second LLM agent, which functions as a predictive code coverage module, assesses whether each generated test case will enhance the overall coverage of the current corpus. The streamlined process allows each newly generated test seed to be immediately evaluated for its contribution to the overall coverage. FuzzWise employs a predictive approach using an LLM and eliminates the need for actual execution, saving computational resources and time, particularly in scenarios where the execution is not desirable or even impossible. Our empirical evaluation demonstrates that FuzzWise generates significantly fewer test cases than baseline methods. Despite the lower number of test cases, FuzzWise achieves high code coverage and triggers more runtime errors compared to the baselines. Moreover, it is more time-efficient and coverage-efficient in producing an initial corpus catching more errors.