{"id":23934016,"url":"https://github.com/NASP-THU/ProphetFuzz","last_synced_at":"2025-09-11T16:33:30.327Z","repository":{"id":259383497,"uuid":"848578387","full_name":"NASP-THU/ProphetFuzz","owner":"NASP-THU","description":"[CCS'24] An LLM-based, fully automated fuzzing tool for option combination testing.","archived":false,"fork":false,"pushed_at":"2025-04-17T03:11:29.000Z","size":931,"stargazers_count":73,"open_issues_count":1,"forks_count":11,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-17T16:29:26.374Z","etag":null,"topics":["fuzzing"],"latest_commit_sha":null,"homepage":"","language":"Roff","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NASP-THU.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-28T02:45:16.000Z","updated_at":"2025-04-17T03:11:33.000Z","dependencies_parsed_at":"2024-10-25T01:29:00.704Z","dependency_job_id":"d1e80ad4-a74d-4b8c-b36d-2cf5dfee8d7f","html_url":"https://github.com/NASP-THU/ProphetFuzz","commit_stats":null,"previous_names":["nasp-thu/prophetfuzz"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/NASP-THU/ProphetFuzz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASP-THU%2FProphetFuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASP-THU%2FProphetFuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASP-THU%2FProphetFuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASP-THU%2FProphetFuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NASP-THU","download_url":"https://codeload.github.com/NASP-THU/ProphetFuzz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NASP-THU%2FProphetFuzz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274670561,"owners_count":25328263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-11T02:00:13.660Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzzing"],"created_at":"2025-01-06T00:30:02.962Z","updated_at":"2025-09-11T16:33:30.305Z","avatar_url":"https://github.com/NASP-THU.png","language":"Roff","funding_links":[],"categories":["Building"],"sub_categories":["Tools"],"readme":"# ProphetFuzz\n\n\u003cp\u003e\u003ca href=\"https://dl.acm.org/doi/10.1145/3658644.3690231\"\u003e\u003cimg alt=\"ProphetFuzz thumbnail\" align=\"right\" width=\"200\" src=\"assets/images/thumbnail.png\"\u003e\u003c/a\u003e\u003c/p\u003e\n\nThe implementation of the paper titled **\"ProphetFuzz: Fully Automated Prediction and Fuzzing of High-Risk Option Combinations with Only Documentation via Large Language Model\"**\n\nProphetFuzz is an LLM- based, fully automated fuzzing tool for option combination testing. ProphetFuzz can predict and conduct fuzzing on high-risk option combinations 1 with only documentation, and the entire process operates without manual intervention. \n\nFor more details, please refer to [our paper](https://dl.acm.org/doi/10.1145/3658644.3690231) from ACM CCS'24.\n\nDue to page limitations, the Appendix of the paper could not be included within the main text. Please refer to [Appendix](Appendix.md).\n\n## Structure\n\n```\n.\n├── Dockerfile\n├── README.md\n├── assets\n│   ├──  dataset\n│   │   ├── groundtruth_for_20_programs.json\n│   │   └── precision.json\n│   └── images\n├── fuzzing_handler\n│   ├── cmd_fixer.py\n│   ├── code_checker.py\n│   ├── config.json\n│   ├── run_cmin.py\n│   ├── run_fuzzing.sh\n│   └── utils\n│       ├── analysis_util.py\n│       ├── code_utils.py\n│       └── execution_util.py\n├── llm_interface\n│   ├── assemble.py\n│   ├── config\n│   │   └── .env\n│   ├── constraint.py\n│   ├── few-shot\n│   │   ├── manpage_htmldoc.json\n│   │   ├── manpage_jbig2.json\n│   │   ├── manpage_jhead.json\n│   │   ├── manpage_makeswf.json\n│   │   ├── manpage_mp4box.json\n│   │   ├── manpage_opj_compress.json\n│   │   ├── manpage_pdf2swf.json\n│   │   └── manpage_yasm.json\n│   ├── few-shot_generate.py\n│   ├── input\n│   ├── output\n│   ├── predict.py\n│   ├── restruct_manpage.py\n│   └── utils\n│       ├── gpt_utils.py\n│       └── opt_utils.py\n├── manpage_parser\n│   ├── input\n│   ├── output\n│   ├── parser.py\n│   └── utils\n│       └── groff_utils.py\n└── run_all_in_one.sh\n```\n\n1. manpage_parser: Scripts for parsing documentation\n2. llm_interface: Scripts for extracting constraints, predicting high-risk option combinations, and assembling commands.\n3. fuzzing_handler: Scripts for preparing and conducting fuzzing.\n4. assets/dataset: Dataset for eveluating constraint extraction module.\n5. run_all_in_one.sh: Scripts for completing everything with one script.\n6. Dockerfile: Building our experiment environment (Tested on Ubuntu 20.04)\n\nThe implementations for various components of ProphetFuzz can be found in the following functions,\n\n| Section | Component | File | Function |\n|----|----|----|----|\n| 3.2 | Constraint Extraction | [llm_interface/constraint.py](llm_interface/constraint.py) | extractRelationships |\n| 3.2 | Self Check | [llm_interface/constraint.py](llm_interface/constraint.py) |  checkRelationships |\n| 3.3 | AutoCoT | [llm_interface/few-shot_generate.py](llm_interface/few-shot_generate.py) | generatePrompt |\n| 3.3 | High-Risk Combination Prediction | [llm_interface/predict.py](llm_interface/predict.py)| predictCombinations |\n| 3.4 | Command Assembly | [llm_interface/assembly.py](llm_interface/assembly.py) | generateCommands |\n| 3.5 | File Generation | [fuzzing_handler/generate_combination.py](scripts/generate_combination.py) | main |\n| 3.5 | Corpus Minimization | [fuzzing_handler/run_cmin.py](scripts/run_cmin.py) | runCMinCommands |\n| 3.5 | Fuzzing | [fuzzing_handler/run_fuzzing.sh](fuzzing_handler/run_fuzzing.sh) | runFuzzing |\n\n## Usage Example\n\n1. **Using Docker to Configure the Running Environment**\n\n   - If you only want to complete the part that interacts with the LLM, you can directly use our pre-installed image (4GB):\n\n   ```\n   docker run -it 4ugustus/prophetfuzz_base bash\n   ```\n\n   - If you want to complete the entire process, including seed generation, command repair, and fuzzing, please build the full image based on the pre-installed image:\n\n   ```\n   docker build -t prophetfuzz:latest .\n   docker run -it --privileged=true prophetfuzz bash\n   # 'privileged' is used for setting up the fuzzing environment\n   ```\n\n2. **Set Up Your API Key**:\n   Set your OpenAI API key in the `llm_interface/config/.env` file:\n   ```bash\n   OPENAI_API_KEY=\"[Input Your API Key Here]\"\n   ```\n\n2. **Run the Script**:\n   Execute the script to start the automated fuzzing process:\n   \n   ```bash\n   bash run_all_in_one.sh bison\n   ```\n\n   **Note**: If you are not within our Docker environment, you might need to manually install dependencies and adjust the `fuzzing_handler/config.json` file to specify the path to the program under test.\n\n   If you prefer to start fuzzing manually, use the following command:\n\n   ```bash\n   fuzzer/afl-fuzz -i fuzzing_handler/input/bison -o fuzzing_handler/output/bison_prophet_1 -m none -K fuzzing_handler/argvs/argvs_bison.txt -- path/to/bison/bin/bison @@\n   ```\n\n## CVEs Assigned ##\n\nWe employ ProphetFuzz to perform persistent fuzzing on the latest versions of the programs in our dataset. To date, ProphetFuzz has uncovered 140 zero-day or half-day vulnerabilities, 93 of which have been confirmed by the developers, earning 22 CVE numbers.\n\n| CVE            | Program   | Type                     |\n| -------------- | --------- | ------------------------ |\n| CVE-2024-3248  | xpdf      | stack-buffer-overflow    |\n| CVE-2024-4853  | editcap   | heap-buffer-overflow     |\n| CVE-2024-4855  | editcap   | bad free                 |\n| CVE-2024-31743 | ffmpeg    | segmentation violation   |\n| CVE-2024-31744 | jasper    | assertion failure        |\n| CVE-2024-31745 | dwarfdump | use-after-free           |\n| CVE-2024-31746 | objdump   | heap-buffer-overflow     |\n| CVE-2024-32154 | ffmpeg    | segmentation violation   |\n| CVE-2024-32157 | mupdf     | segmentation violation   |\n| CVE-2024-32158 | mupdf     | negative-size-param      |\n| CVE-2024-34960 | ffmpeg    | floating point exception |\n| CVE-2024-34961 | pspp      | segmentation violation   |\n| CVE-2024-34962 | pspp      | segmentation violation   |\n| CVE-2024-34963 | pspp      | assertion failure        |\n| CVE-2024-34965 | pspp      | assertion failure        |\n| CVE-2024-34966 | pspp      | assertion failure        |\n| CVE-2024-34967 | pspp      | assertion failure        |\n| CVE-2024-34968 | pspp      | assertion failure        |\n| CVE-2024-34969 | pspp      | segmentation violation   |\n| CVE-2024-34971 | pspp      | segmentation violation   |\n| CVE-2024-34972 | pspp      | assertion failure        |\n| CVE-2024-35316 | ffmpeg    | segmentation violation   |\n\n## Credit ##\n\nThanks to Dawei Wang ([@4ugustus](https://github.com/waugustus)) and Geng Zhou ([@Arbusz](https://github.com/Arbusz)) for their valuable contributions to this project.\n\n## Citing This Paper ##\n\nIn case you would like to cite ProphetFuzz, you may use the following BibTex entry:\n\n```\n@inproceedings {wang2024prophet,\n  title = {ProphetFuzz: Fully Automated Prediction and Fuzzing of High-Risk Option Combinations with Only Documentation via Large Language Model},\n  author = {Wang, Dawei and Zhou, Geng and Chen, Li and Li, Dan and Miao, Yukai},\n  booktitle = {Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security},\n  publisher = {Association for Computing Machinery},\n  address = {Salt Lake City, UT, USA},\n  pages = {735–749},\n  year = {2024}\n}\n```\n\n## Star History ##\n\n[![Stargazers over time](https://starchart.cc/NASP-THU/ProphetFuzz.svg?variant=adaptive)](https://starchart.cc/NASP-THU/ProphetFuzz)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNASP-THU%2FProphetFuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNASP-THU%2FProphetFuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNASP-THU%2FProphetFuzz/lists"}