Contextualizing Sink Knowledge for Java Vulnerability Discovery

TL;DR

GONDAR is a sink-centric fuzzing framework that enhances Java vulnerability discovery by leveraging sink API semantics and combining static filtering with specialized agents for exploration and exploitation.

Contribution

It introduces a novel approach that systematically uses sink API semantics and collaborative agents to improve Java vulnerability detection over existing fuzzers.

Findings

GONDAR discovers four times more vulnerabilities than Jazzer.

An earlier version contributed to a first-place DARPA AI Cyber Challenge team.

It uncovered a zero-day vulnerability in open-source Java projects.

Abstract

Java applications are prone to vulnerabilities stemming from the insecure use of security-sensitive APIs, such as file operations enabling path traversal or deserialization routines allowing remote code execution. These sink APIs encode critical information for vulnerability discovery: the program-specific constraints required to reach them and the exploitation conditions necessary to trigger security flaws. Despite this, existing fuzzers largely overlook such vulnerability-specific knowledge, limiting their effectiveness. We present GONDAR, a sink-centric fuzzing framework that systematically leverages sink API semantics for targeted vulnerability discovery. GONDAR first identifies reachable and exploitable sink call sites through CWE-specific scanning combined with LLM-assisted static filtering. It then deploys two specialized agents that work collaboratively with a coverage-guided fuzzer: an exploration agent generates inputs to reach target call sites by iteratively solving path constraints, while an exploitation agent synthesizes proof-of-concept exploits by reasoning about and satisfying vulnerability-triggering conditions. The agents and fuzzer continuously exchange seeds and runtime feedback, complementing each other. We evaluated GONDAR on real-world Java benchmarks, where it discovers four times more vulnerabilities than Jazzer, the state-of-the-art Java fuzzer. Notably, an earlier GONDAR version contributed to Team Atlanta's first-place CRS in the DARPA AI Cyber Challenge, and is integrated into OSS-CRS, a sandbox project in The Linux Foundation's OpenSSF, to analyze open-source Java projects, where it has already uncovered a zero-day vulnerability.