Automatic, Expressive, and Scalable Fuzzing with Stitching
Harrison Green, Fraser Brown, Claire Le Goues

TL;DR
This paper introduces STITCH, a scalable fuzzing technique that dynamically assembles API usage constraints at runtime, enabling more expressive and effective bug discovery in software libraries.
Contribution
It proposes a novel stitching approach that encodes API constraints with static and dynamic type systems, enhancing fuzzing expressiveness and scalability, and integrates LLMs for automation.
Findings
Achieved highest code coverage on 21 out of 33 benchmarks.
Found 30 true-positive bugs, outperforming other tools.
Discovered 131 new bugs in open-source projects, with many already patched.
Abstract
Fuzzing is a powerful technique for finding bugs in software libraries, but scaling it remains difficult. Automated harness generation commits to fixed API sequences at synthesis time, limiting the behaviors each harness can test. Approaches that instead explore new sequences dynamically lack the expressiveness to model real-world usage constraints, leading to false positives from straightforward API misuse. We propose stitching, a technique that encodes API usage constraints in pieces that a fuzzer dynamically assembles at runtime. A static type system governs how objects flow between blocks, while a dynamically-checked extrinsic typestate tracks arbitrary metadata across blocks, enabling specifications to express rich semantic constraints such as object state dependencies and cross-function preconditions. This allows a single specification to describe an open-ended space of valid API…
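As an added illustration of the stitching idea described in the abstract (this is not code from the paper or the STITCH tool): a toy block assembler for a hypothetical `ctx_*` API, where static types decide which pool objects may feed a block and a dynamically checked typestate (constructed `init`/`freed` flags) gates cross-function preconditions such as "process only after init, never after free". Without the typestate check, a purely type-driven assembler would emit use-after-free and uninitialized-use sequences that are API misuse rather than library bugs.

```python
import random
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Optional

@dataclass
class Obj:
    typ: str                                  # static type used to wire blocks together
    ts: dict = field(default_factory=dict)    # extrinsic typestate: runtime metadata

@dataclass
class Block:
    name: str
    inputs: tuple                             # static input types this block consumes
    output: Optional[str]                     # static type it produces, if any
    pre: Callable                             # dynamic typestate precondition on its inputs
    effect: Callable                          # updates typestate and/or builds the output

# Hypothetical target API (constructed for this example, not from the paper).
BLOCKS = [
    Block("ctx_new", (), "Ctx", lambda: True,
          lambda: Obj("Ctx", {"init": False, "freed": False})),
    Block("ctx_init", ("Ctx",), None,
          lambda c: not c.ts["freed"] and not c.ts["init"],
          lambda c: c.ts.update(init=True)),
    Block("ctx_process", ("Ctx",), None,          # cross-function precondition:
          lambda c: c.ts["init"] and not c.ts["freed"],  # needs init, forbids freed
          lambda c: None),
    Block("ctx_free", ("Ctx",), None, lambda c: not c.ts["freed"],
          lambda c: c.ts.update(freed=True)),
]

def candidates(blocks, pool):
    """Blocks whose static inputs can be filled from the pool AND whose dynamic
    typestate precondition holds for that particular choice of arguments."""
    out = []
    for b in blocks:
        slots = [[o for o in pool if o.typ == t] for t in b.inputs]
        for args in product(*slots):          # no inputs -> one empty argument tuple
            if b.pre(*args):
                out.append((b, args))
    return out

def stitch(blocks, steps, seed):
    """Assemble one valid API sequence at runtime by repeatedly picking an eligible block."""
    rng, pool, trace = random.Random(seed), [], []
    for _ in range(steps):
        opts = candidates(blocks, pool)
        if not opts:
            break                             # nothing is legal to call; stop the sequence
        b, args = rng.choice(opts)
        res = b.effect(*args)
        if isinstance(res, Obj):
            pool.append(res)                  # new object becomes available to later blocks
        trace.append(b.name)
    return trace
```

Every sequence `stitch` produces respects both the static wiring and the typestate rules, so a crash inside a block points at the library, not at a nonsensical call order.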
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Engineering Research · Teaching and Learning Programming
