Following Dragons: Code Review-Guided Fuzzing

TL;DR

EyeQ enhances fuzzing by integrating developer insights from code reviews, enabling it to target fragile and security-critical program states more effectively, leading to the discovery of numerous previously unknown bugs.

Contribution

This paper introduces EyeQ, a novel system that leverages code review discussions to guide fuzzing, improving vulnerability detection without altering program semantics or workflows.

Findings

EyeQ uncovers over 40 new security bugs in PHP codebase.

Review-guided fuzzing outperforms standard fuzzing configurations.

Automated workflow using large language models is effective for guiding fuzzing.

Abstract

Modern fuzzers scale to large, real-world software but often fail to exercise the program states developers consider most fragile or security-critical. Such states are typically deep in the execution space, gated by preconditions, or overshadowed by lower-value paths that consume limited fuzzing budgets. Meanwhile, developers routinely surface risk-relevant insights during code review, yet this information is largely ignored by automated testing tools. We present EyeQ, a system that leverages developer intelligence from code reviews to guide fuzzing. EyeQ extracts security-relevant signals from review discussions, localizes the implicated program regions, and translates these insights into annotation-based guidance for fuzzing. The approach operates atop existing annotation-aware fuzzing, requiring no changes to program semantics or developer workflows. We first validate EyeQ through a human-guided feasibility study on a security-focused dataset of PHP code reviews, establishing a strong baseline for review-guided fuzzing. We then automate the workflow using a large language model with carefully designed prompts. EyeQ significantly improves vulnerability discovery over standard fuzzing configurations, uncovering more than 40 previously unknown bugs in the security-critical PHP codebase.