Skip to content

google/oss-fuzz-gen

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

453 Commits
.github
.github
 
 
agent
agent
 
 
benchmark-sets
benchmark-sets
 
 
ci
ci
 
 
common
common
 
 
data_prep
data_prep
 
 
experiment
experiment
 
 
experimental
experimental
 
 
fuzzer_build_script
fuzzer_build_script
 
 
helper
helper
 
 
images
images
 
 
llm_toolkit
llm_toolkit
 
 
prompts
prompts
 
 
report
report
 
 
scripts/run-new-oss-fuzz-project
scripts/run-new-oss-fuzz-project
 
 
stage
stage
 
 
tool
tool
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
.isort.cfg
.isort.cfg
 
 
.pylintrc
.pylintrc
 
 
.pyrightconfig.json
.pyrightconfig.json
 
 
.style.yapf
.style.yapf
 
 
CITATION.cff
CITATION.cff
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
Dockerfile.cloudbuild-agent
Dockerfile.cloudbuild-agent
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
USAGE.md
USAGE.md
 
 
__init__.py
__init__.py
 
 
logger.py
logger.py
 
 
pipeline.py
pipeline.py
 
 
requirements.in
requirements.in
 
 
requirements.txt
requirements.txt
 
 
results.py
results.py
 
 
run_all_experiments.py
run_all_experiments.py
 
 
run_one_experiment.py
run_one_experiment.py
 
 
utils.py
utils.py
 
 

Repository files navigation

A Framework for Fuzz Target Generation and Evaluation

This framework generates fuzz targets for real-world C/C++/Java/Python projects with various Large Language Models (LLM) and benchmarks them via the OSS-Fuzz platform.

More details available in AI-Powered Fuzzing: Breaking the Bug Hunting Barrier: Alt text

Current supported models are:

  • Vertex AI code-bison
  • Vertex AI code-bison-32k
  • Gemini Pro
  • Gemini Ultra
  • Gemini Experimental
  • Gemini 1.5
  • OpenAI GPT-3.5-turbo
  • OpenAI GPT-4
  • OpenAI GPT-4o
  • OpenAI GPT-4o-mini
  • OpenAI GPT-4-turbo
  • OpenAI GPT-3.5-turbo (Azure)
  • OpenAI GPT-4 (Azure)
  • OpenAI GPT-4o (Azure)

Generated fuzz targets are evaluated with four metrics against the most up-to-date data from production environment:

  • Compilability
  • Runtime crashes
  • Runtime coverage
  • Runtime line coverage diff against existing human-written fuzz targets in OSS-Fuzz.

Here is a sample experiment result from 2024 Jan 31. The experiment included 1300+ benchmarks from 297 open-source projects.

image

Overall, this framework manages to successfully leverage LLMs to generate valid fuzz targets (which generate non-zero coverage increase) for 160 C/C++ projects. The maximum line coverage increase is 29% from the existing human-written targets.

Note that these reports are not public as they may contain undisclosed vulnerabilities.

Usage

Check our detailed usage guide for instructions on how to run this framework and generate reports based on the results.

Collaborations

Interested in research or open-source community collaborations? Please feel free to create an issue or email us: oss-fuzz-team@google.com.

Bugs Discovered

So far, we have reported 26 new bugs/vulnerabilities found by automatically generated targets built by this framework:

Project Bug LLM Prompt Builder Target oracle
cJSON OOB read Vertex AI Default Far reach, low coverage
libplist OOB read Vertex AI Default Far reach, low coverage
hunspell OOB read Vertex AI default Far reach, low coverage
zstd OOB write Vertex AI default Far reach, low coverage
gdbm Stack buffer underflow Vertex AI default Far reach, low coverage
hoextdown Use of uninitialised memory Vertex AI default Far reach, low coverage
pjsip OOB read Vertex AI Default Low coverage with fuzz keyword + easy params far reach
pjsip OOB read Vertex AI Default Low coverage with fuzz keyword + easy params far reach
gpac OOB read Vertex AI Default Low coverage with fuzz keyword + easy params far reach
gpac OOB read/write Vertex AI Default All
gpac OOB read Vertex AI Default All
gpac OOB read Vertex AI Default All
sqlite3 OOB read Vertex AI Default All
htslib OOB read Vertex AI Default All
libical OOB read Vertex AI Default All
croaring OOB read Vertex AI Test-to-harness All
openssl CVE-2024-9143 - OOB read/write Vertex AI Default All
Undisclosed Java RCE (pending maintainer triage) Vertex AI Default Far reach, low coverage
Undisclosed Regexp DoS (pending maintainer triage) Vertex AI Default Far reach, low coverage
Undisclosed Use of uninitialised memory Vertex AI Test-to-harness Test identifier
Undisclosed OOB read Vertex AI Default Low coverage with fuzz keyword + easy params far reach
Undisclosed Use after free Vertex AI Default Low coverage with fuzz keyword + easy params far reach
Undisclosed OOB read Vertex AI Default All
Undisclosed OOB read Vertex AI Default All
Undisclosed OOB read Vertex AI Default All
Undisclosed OOB read Vertex AI Test-to-harness Test identifier

These bugs could only have been discovered with newly generated targets. They were not reachable with existing OSS-Fuzz targets.

Current top coverage improvements by project

Project Coverage increase % *
tinyxml2 29.84
inih 29.67
lodepng 26.21
libarchive 23.39
cmark 21.61
fribidi 18.20
lighttpd 17.56
libmodbus 16.59
valijson 16.21
libiec61850 13.53
hiredis 13.50
cmake 12.62
pugixml 12.43
meshoptimizer 12.23
libusb 11.12
json 10.84

* Percentage coverage is calculated using a denominator of the total lines of source code compiled during the OSS-Fuzz build process for the entire project.

Citing This Work

Please click on the 'Cite this repository' button located on the right-hand side of this GitHub page for citation details.

About

LLM powered fuzzing via OSS-Fuzz.

Topics

security ai fuzzing llm

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

923 stars

Watchers

14 watching

Forks

103 forks
Report repository

Releases

1 tags

Contributors 20

+ 6 contributors

Languages