基于LLM的多媒体原生库模糊测试研究

doi:10.3969/j.issn.1671-1122.2025.03.004

摘要/Abstract

摘要：

多媒体原生库通过C/C++语言直接操作底层系统资源，在显著提升音视频数据处理效率的同时，也引入了持久的内存安全威胁。然而，现有的原生库模糊测试研究不仅缺乏对多媒体库的针对性，还难以实现对闭源二进制程序的运行时监控机制。文章提出一种基于LLM的多媒体原生库模糊测试方案MediaFuzzer，通过自启发式的LLM问询方案，MediaFuzzer能够准确提取蕴含在函数签名中的功能语义信息，并进一步筛选出潜在的多媒体原生库函数作为执行入口。随后，MediaFuzzer设计并实现了基于模拟执行的模糊测试框架，能够在系统依赖、内存管控和代码执行3个层次构建完整的运行时监控机制，从而实现覆盖率导向的输入变异以及主动捕获内存异常行为。实验结果表明，MediaFuzzer从500个移动应用中识别出7类共1557个多媒体函数，成功挖掘到WhatsApp中的1个已公开漏洞以及包括微信在内的3个零日漏洞。

关键词: 多媒体原生库, 模糊测试, 内存安全, 大语言模型

Abstract:

Multimedia native libraries written in C/C++ can efficiently process audio and video streams by directly accessing underlying system resources, while posing persistent memory threats. However, existing native library fuzzing research lacks specificity for multimedia libraries and faces difficulties in implementing runtime monitoring of closed-source binary programs. The article proposed MediaFuzzer, a fuzzing scheme of native multimedia libraries based on LLM. Through a self-heuristic LLM querying approach, MediaFuzzer could accurately extracted functional semantic information contained in function signatures and subsequently identified potential multimedia native library functions as execution entry points. Furthermore, MediaFuzzer designed and implemented an emulation-based fuzzing framework that built comprehensive runtime monitoring mechanisms at three different levels, including system dependencies, memory management, and code execution, enabling coverage-guided mutation and active memory anomaly detection during the fuzzing process. Experimental evaluation shows that MediaFuzzer identify 1557 multimedia functions across 7 categories from 500 mobile applications, successfully discovering one disclosed vulnerability in WhatsApp and three zero-day vulnerabilities, including one in WeChat.

Key words: native multimedia libraries, fuzzing, memory safety, large language model

中图分类号:

TP309

解梦飞, 傅建明, 姚人懿. 基于LLM的多媒体原生库模糊测试研究[J]. 信息网络安全, 2025, 25(3): 403-414.

XIE Mengfei, FU Jianming, YAO Renyi. Research on LLM-Based Fuzzing of Native Multimedia Libraries[J]. Netinfo Security, 2025, 25(3): 403-414.

图/表 11

表1

图1

图2

图3

表2

表3

图4

图5

表4

表5

图6

参考文献 40

[1]	SANNA S L, SOI D, MAIORCA D, et al. A Risk Estimation Study of Native Code Vulnerabilities in Android Applications[EB/OL]. (2024-06-04)[2024-10-10]. https://doi.org/10.48550/arXiv.2406.02011.
[2]	VIENNOT N, GARCIA E, NIEH J. A Measurement Study of Google Play[C]// ACM. The 2014 ACM International Conference on Measurement and Modeling of Computer Systems. New York: ACM, 2014: 221-233.
[3]	ALORAINI B, NAGAPPAN M. Evaluating State-of-the-Art Free and Open Source Static Analysis Tools against Buffer Errors in Android Apps[C]// IEEE. 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME). New York: IEEE, 2017: 295-306.
[4]	Google. Queue the Hardening Enhancements[EB/OL]. (2019-05-01)[2024-10-10]. https://security.googleblog.com/2019/05/queue-hardening-enhancements.html.
[5]	THANGARAJAH K, MATHEWS N, PU M, et al. Statically Detecting Buffer Overflow in Cross-Language Android Applications Written in Java and C/C++[EB/OL]. (2023-05-17)[2024-10-10]. https://arxiv.org/abs/2305.10233v2.
[6]	WEI Fengguo, LIN Xingwei, OU Xinming, et al. JN-SAF: Precise and Efficient NDK/JNI-Aware Inter-Language Static Analysis Framework for Security Vetting of Android Applications with Native Code[C]// ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS). New York: ACM, 2018: 1137-1150.
[7]	SAMHI J, GAO Jun, DAOUDI N, et al. JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis[C]// IEEE. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). New York: IEEE, 2022: 1232-1244.
[8]	HARZEVILI N S, SHIN J, WANG Junjie, et al. Automatic Static Vulnerability Detection for Machine Learning Libraries: Are We There Yet?[C]// IEEE. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE). New York: IEEE, 2023: 795-806.
[9]	ZHANG Liqiang, LU Mengjun, YAN Fei. A Cross-Contract Fuzzing Scheme Based on Function Dependencies[J]. Netinfo Security, 2024, 24(7): 1038-1049.
	张立强, 路梦君, 严飞. 一种基于函数依赖的跨合约模糊测试方案[J]. 信息网络安全, 2024, 24(7): 1038-1049.
[10]	ZHANG Zihan, LAI Qingnan, ZHOU Changling. Survey on Fuzzing Test in Deep Learning Frameworks[J]. Netinfo Security, 2024, 24(10): 1528-1536.
	张子涵, 赖清楠, 周昌令. 深度学习框架模糊测试研究综述[J]. 信息网络安全, 2024, 24(10): 1528-1536.
[11]	ZHOU Hao, WU Shuohan, LUO Xiapu, et al. NCScope: Hardware-Assisted Analyzer for Native Code in Android Apps[C]// ACM. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). New York: ACM, 2022: 629-641.
[12]	Google. HWASan[EB/OL]. (2024-08-22)[2024-10-10]. https://developer.android.com/ndk/guides/hwasan.
[13]	XIONG Hao, DAI Qinming, CHANG Rui, et al. Atlas: Automating Cross-Language Fuzzing on Android Closed-Source Libraries[C]// ACM. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis(ISSTA). New York: ACM, 2024: 350-362.
[14]	CLAUDIO R. Static Flow Analysis for Hybrid and Native Android Applications[D]. London: University of London, 2020.
[15]	CELADA P. Android Native Library Fuzzing[D]. Torino: Politecnico di Torino, 2022.
[16]	LI Yuanchun, YANG Ziyue, GUO Yao, et al. Humanoid: A Deep Learning-Based Approach to Automated Black-Box Android App Testing[C]// IEEE. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2019: 1070-1073.
[17]	SZEKERES L, PAYER M, WEI Tao, et al. SoK: Eternal War in Memory[C]// IEEE. 2013 IEEE Symposium on Security and Privacy. New York: IEEE, 2013: 48-62.
[18]	DAWN S B. Vulnerability Chain that Breaks the Android Application Sandbox[EB/OL]. (2022-03-20)[2024-10-10]. https://www.secwest.net/csw22presentations/mystiquehits.
[19]	ATHANASOPOULOS E, KEMERLIS V P, PORTOKALIDIS G, et al. NaClDroid: Native Code Isolation for Android Applications[C]// Springer. 21st European Symposium on Research in Computer Security (ESORICS). Heidelberg: Springer, 2016: 422-439.
[20]	PAN Minxue, HUANG An, WANG Guoxin, et al. Reinforcement Learning Based Curiosity-Driven Testing of Android Applications[C]// ACM. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2020: 153-164.
[21]	CAO Jianchao, GUO Fan, QU Yanwen. JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code[C]// IEEE. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). New York: IEEE, 2024: 255-266.
[22]	Google. GWP-ASan[EB/OL]. (2024-09-14)[2024-10-10]. https://developer.android.com/ndk/guides/gwp-asan.
[23]	ARM. MTE[EB/OL]. (2024-01-01)[2024-10-10]. https://developer.arm.com/documentation/ddi0487/latest.
[24]	FIORALDI A, MAIER D, EIßFELDT H, et al. AFL++: Combining Incremental Steps of Fuzzing Research[EB/OL]. (2020-08-11)[2024-10-10]. org/doi/10.5555/3488877.3488887.
[25]	FIORALDI A, D’ELIA D C, QUERZONI L. Fuzzing Binaries for Memory Safety Errors with QASan[C]// IEEE. 2020 IEEE Secure Development (SecDev). New York: IEEE, 2020: 23-30.
[26]	BELLARD F. QEMU, a Fast and Portable Dynamic Translator[C]// ACM. Proceedings of the Annual Conference on USENIX Annual Technical Conference. New York: ACM, 2005: 41-52.
[27]	LAU K J. Qiling: A True Instrumentable Binary Emulation Framework[EB/OL]. (2023-08-04)[2024-10-10]. https://github.com/qilingframework/qiling.
[28]	Unidbg. Unidbg: Allows You to Emulate an Android Native Library, and an Experimental iOS Emulation[EB/OL]. (2024-05-12)[2024-10-10]. https://github.com/zhkl0228/unidbg.
[29]	LLVM. LibFuzzer[EB/OL]. (2024-09-20)[2024-10-10]. https://llvm.org/docs/LibFuzzer.html.
[30]	Unicorn. The Ultimate CPU Emulator[EB/OL]. (2024-06-26)[2024-10-10]. https://www.unicorn-engine.org.
[31]	AppBrain. Google Play Ranking[EB/OL]. (2024-07-20)[2024-10-10]. https://www.appbrain.com/stats/google-play-rankings/top_free.
[32]	NIST. CVE-2019-11932[EB/OL]. (2023-03-01)[2024-10-10]. https://nvd.nist.gov/vuln/detail/CVE-2019-11932.
[33]	OpenAI. ChatGPT-4o[EB/OL]. (2024-05-13)[2024-10-10]. https://openai.com/index/hello-gpt-4o.
[34]	TEAM G, GEORGIEV P, LEI V I, et al. Gemini 1.5: Unlocking Multimodal Understanding Across Millions of Tokens of Context[EB/OL]. (2024-03-08)[2024-10-10]. https://arxiv.org/abs/2403.05530v5.
[35]	BAI Jinze, BAI Shuai, CHU Yunfei, et al. Qwen Technical Report[EB/OL]. (2023-09-28)[2024-10-10]. https://doi.org/10.48550/arXiv.2309.16609.
[36]	Baidu. Wenxin Yiyan[EB/OL]. (2024-01-20)[2024-10-10]. https://yiyan.baidu.com.
[37]	Soot. Soot: A Java Optimization Framework[EB/OL]. (2024-05-14)[2024-10-10]. https://github.com/soot-oss/soot.
[38]	Koral. Android-Gif-Drawable: Views and Drawable for Animated GIFs in Android[EB/OL]. (2024-07-10)[2024-10-10]. https://github.com/koral—/android-gif-drawable.
[39]	Awakened. How a Double-Free Bug in WhatsApp Turns to RCE[EB/OL]. (2024-10-02)[2024-10-10]. https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce.
[40]	BOLAND T, BLACK P E. Juliet 1.1 C/C++ and Java Test Suite[J]. Computer, 2012, 45(10): 88-90.

编辑推荐 0

Metrics

阅读次数

全文

HTML			PDF

最新录用	在线预览	正式出版	最新录用	在线预览	正式出版
0	0	6	0	0	34

来源	本网站	其他网站

次数	40	0
比例	100%	0%

摘要

最新录用	在线预览	正式出版

0	0	45

	来源	本网站

	次数	45
	比例	100%

动态分析方案	相关研究	测试入口	运行环境	Native行为监控		分析目标
动态分析方案	相关研究	测试入口	运行环境	覆盖率导向	内存异常	分析目标
基于GUI的模糊测试	Humanoid^[16]	Java	移动设备	—	—	APP稳定性
	Q-Testing^[20]	Java	移动设备	—	—	APP稳定性
	JNFuzz-Droid^[21]	JNI	移动设备	—	—	隐私泄露
运行时内存异常检测	NCScope^[11]	Java	移动设备	—	离线分析	内存漏洞
	HWASan^[12]	Java	移动设备	—	Tag-Based	内存漏洞
	MTE^[23]	Java	移动设备	—	Tag-Based	内存漏洞
基于JNI直接执行的模糊测试	JniFuzzer^[14]	JNI	移动设备	—	—	内存漏洞
	Harness^[15]	JNI	移动设备	—	—	内存漏洞
	Altas^[13]	JNI	QEMU	基本块覆盖率导向	Redzone-Based	内存漏洞
	MediaFuzzer	JNI	Unicorn	基本块覆盖率导向	Tag-Based	多媒体内存漏洞

来源	应用类别	数量/个
Google Play	49个应用大类	490
国内应用市场	微信、抖音等	9
CVE漏洞库	WhatsApp	1

LLM	准确率	精确率	召回率	F1值
ChatGPT-4o	99.8%	81.0%	92.5%	86.4%
Gemini-1.5-pro	99.8%	95.2%	73.9%	83.2%
通义千问-2.5	99.7%	82.2%	72.4%	77.0%
文心一言-4.0	99.6%	66.0%	75.4%	70.3%

漏洞应用	版本号	漏洞函数	漏洞类型	多媒体格式
WhatsApp	2.19.230	<Java_pl_droidsonroids_gif_GifInfoHandle_openByteArray>	CWE-415	GIF
微信	8.0.21	<Java_com_tencent_mm_plugin_gif_MMGIFJNI_openByFilePath>	CWE-789	GIF
FitPro	2.4.2	<Java_xfkj_fitpro_jni_BmpConvertTools_Bmp24ConvertBmp16>	CWE-122	BMP24
Striker	2.20.1	<Java_com_snowcorp_scv_webP_WebP_convertGifToWebP>	CWE-789	GIF

漏洞应用	不同引导机制下的平均输入变异轮次/次
漏洞应用	格式化+ 覆盖率反馈	格式化 (J/H)	覆盖率反馈	无变异引导
WhatsApp	95530	N	N	N
微信	158	1273	35845	N
FitPro	411	2847	701067	N
Sticker	129	5626	N	N