Research on LLM-Based Fuzzing of Native Multimedia Libraries

doi:10.3969/j.issn.1671-1122.2025.03.004

Abstract

Abstract:

Multimedia native libraries written in C/C++ can efficiently process audio and video streams by directly accessing underlying system resources, while posing persistent memory threats. However, existing native library fuzzing research lacks specificity for multimedia libraries and faces difficulties in implementing runtime monitoring of closed-source binary programs. The article proposed MediaFuzzer, a fuzzing scheme of native multimedia libraries based on LLM. Through a self-heuristic LLM querying approach, MediaFuzzer could accurately extracted functional semantic information contained in function signatures and subsequently identified potential multimedia native library functions as execution entry points. Furthermore, MediaFuzzer designed and implemented an emulation-based fuzzing framework that built comprehensive runtime monitoring mechanisms at three different levels, including system dependencies, memory management, and code execution, enabling coverage-guided mutation and active memory anomaly detection during the fuzzing process. Experimental evaluation shows that MediaFuzzer identify 1557 multimedia functions across 7 categories from 500 mobile applications, successfully discovering one disclosed vulnerability in WhatsApp and three zero-day vulnerabilities, including one in WeChat.

Key words: native multimedia libraries, fuzzing, memory safety, large language model

CLC Number:

TP309

XIE Mengfei, FU Jianming, YAO Renyi. Research on LLM-Based Fuzzing of Native Multimedia Libraries[J]. Netinfo Security, 2025, 25(3): 403-414.

Figures/Tables 11

References 40

[1]	SANNA S L, SOI D, MAIORCA D, et al. A Risk Estimation Study of Native Code Vulnerabilities in Android Applications[EB/OL]. (2024-06-04)[2024-10-10]. https://doi.org/10.48550/arXiv.2406.02011.
[2]	VIENNOT N, GARCIA E, NIEH J. A Measurement Study of Google Play[C]// ACM. The 2014 ACM International Conference on Measurement and Modeling of Computer Systems. New York: ACM, 2014: 221-233.
[3]	ALORAINI B, NAGAPPAN M. Evaluating State-of-the-Art Free and Open Source Static Analysis Tools against Buffer Errors in Android Apps[C]// IEEE. 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME). New York: IEEE, 2017: 295-306.
[4]	Google. Queue the Hardening Enhancements[EB/OL]. (2019-05-01)[2024-10-10]. https://security.googleblog.com/2019/05/queue-hardening-enhancements.html.
[5]	THANGARAJAH K, MATHEWS N, PU M, et al. Statically Detecting Buffer Overflow in Cross-Language Android Applications Written in Java and C/C++[EB/OL]. (2023-05-17)[2024-10-10]. https://arxiv.org/abs/2305.10233v2.
[6]	WEI Fengguo, LIN Xingwei, OU Xinming, et al. JN-SAF: Precise and Efficient NDK/JNI-Aware Inter-Language Static Analysis Framework for Security Vetting of Android Applications with Native Code[C]// ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS). New York: ACM, 2018: 1137-1150.
[7]	SAMHI J, GAO Jun, DAOUDI N, et al. JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis[C]// IEEE. 2022 IEEE/ACM 44th International Conference on Software Engineering (ICSE). New York: IEEE, 2022: 1232-1244.
[8]	HARZEVILI N S, SHIN J, WANG Junjie, et al. Automatic Static Vulnerability Detection for Machine Learning Libraries: Are We There Yet?[C]// IEEE. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE). New York: IEEE, 2023: 795-806.
[9]	ZHANG Liqiang, LU Mengjun, YAN Fei. A Cross-Contract Fuzzing Scheme Based on Function Dependencies[J]. Netinfo Security, 2024, 24(7): 1038-1049.
	张立强, 路梦君, 严飞. 一种基于函数依赖的跨合约模糊测试方案[J]. 信息网络安全, 2024, 24(7): 1038-1049.
[10]	ZHANG Zihan, LAI Qingnan, ZHOU Changling. Survey on Fuzzing Test in Deep Learning Frameworks[J]. Netinfo Security, 2024, 24(10): 1528-1536.
	张子涵, 赖清楠, 周昌令. 深度学习框架模糊测试研究综述[J]. 信息网络安全, 2024, 24(10): 1528-1536.
[11]	ZHOU Hao, WU Shuohan, LUO Xiapu, et al. NCScope: Hardware-Assisted Analyzer for Native Code in Android Apps[C]// ACM. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). New York: ACM, 2022: 629-641.
[12]	Google. HWASan[EB/OL]. (2024-08-22)[2024-10-10]. https://developer.android.com/ndk/guides/hwasan.
[13]	XIONG Hao, DAI Qinming, CHANG Rui, et al. Atlas: Automating Cross-Language Fuzzing on Android Closed-Source Libraries[C]// ACM. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis(ISSTA). New York: ACM, 2024: 350-362.
[14]	CLAUDIO R. Static Flow Analysis for Hybrid and Native Android Applications[D]. London: University of London, 2020.
[15]	CELADA P. Android Native Library Fuzzing[D]. Torino: Politecnico di Torino, 2022.
[16]	LI Yuanchun, YANG Ziyue, GUO Yao, et al. Humanoid: A Deep Learning-Based Approach to Automated Black-Box Android App Testing[C]// IEEE. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). New York: IEEE, 2019: 1070-1073.
[17]	SZEKERES L, PAYER M, WEI Tao, et al. SoK: Eternal War in Memory[C]// IEEE. 2013 IEEE Symposium on Security and Privacy. New York: IEEE, 2013: 48-62.
[18]	DAWN S B. Vulnerability Chain that Breaks the Android Application Sandbox[EB/OL]. (2022-03-20)[2024-10-10]. https://www.secwest.net/csw22presentations/mystiquehits.
[19]	ATHANASOPOULOS E, KEMERLIS V P, PORTOKALIDIS G, et al. NaClDroid: Native Code Isolation for Android Applications[C]// Springer. 21st European Symposium on Research in Computer Security (ESORICS). Heidelberg: Springer, 2016: 422-439.
[20]	PAN Minxue, HUANG An, WANG Guoxin, et al. Reinforcement Learning Based Curiosity-Driven Testing of Android Applications[C]// ACM. Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2020: 153-164.
[21]	CAO Jianchao, GUO Fan, QU Yanwen. JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code[C]// IEEE. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). New York: IEEE, 2024: 255-266.
[22]	Google. GWP-ASan[EB/OL]. (2024-09-14)[2024-10-10]. https://developer.android.com/ndk/guides/gwp-asan.
[23]	ARM. MTE[EB/OL]. (2024-01-01)[2024-10-10]. https://developer.arm.com/documentation/ddi0487/latest.
[24]	FIORALDI A, MAIER D, EIßFELDT H, et al. AFL++: Combining Incremental Steps of Fuzzing Research[EB/OL]. (2020-08-11)[2024-10-10]. org/doi/10.5555/3488877.3488887.
[25]	FIORALDI A, D’ELIA D C, QUERZONI L. Fuzzing Binaries for Memory Safety Errors with QASan[C]// IEEE. 2020 IEEE Secure Development (SecDev). New York: IEEE, 2020: 23-30.
[26]	BELLARD F. QEMU, a Fast and Portable Dynamic Translator[C]// ACM. Proceedings of the Annual Conference on USENIX Annual Technical Conference. New York: ACM, 2005: 41-52.
[27]	LAU K J. Qiling: A True Instrumentable Binary Emulation Framework[EB/OL]. (2023-08-04)[2024-10-10]. https://github.com/qilingframework/qiling.
[28]	Unidbg. Unidbg: Allows You to Emulate an Android Native Library, and an Experimental iOS Emulation[EB/OL]. (2024-05-12)[2024-10-10]. https://github.com/zhkl0228/unidbg.
[29]	LLVM. LibFuzzer[EB/OL]. (2024-09-20)[2024-10-10]. https://llvm.org/docs/LibFuzzer.html.
[30]	Unicorn. The Ultimate CPU Emulator[EB/OL]. (2024-06-26)[2024-10-10]. https://www.unicorn-engine.org.
[31]	AppBrain. Google Play Ranking[EB/OL]. (2024-07-20)[2024-10-10]. https://www.appbrain.com/stats/google-play-rankings/top_free.
[32]	NIST. CVE-2019-11932[EB/OL]. (2023-03-01)[2024-10-10]. https://nvd.nist.gov/vuln/detail/CVE-2019-11932.
[33]	OpenAI. ChatGPT-4o[EB/OL]. (2024-05-13)[2024-10-10]. https://openai.com/index/hello-gpt-4o.
[34]	TEAM G, GEORGIEV P, LEI V I, et al. Gemini 1.5: Unlocking Multimodal Understanding Across Millions of Tokens of Context[EB/OL]. (2024-03-08)[2024-10-10]. https://arxiv.org/abs/2403.05530v5.
[35]	BAI Jinze, BAI Shuai, CHU Yunfei, et al. Qwen Technical Report[EB/OL]. (2023-09-28)[2024-10-10]. https://doi.org/10.48550/arXiv.2309.16609.
[36]	Baidu. Wenxin Yiyan[EB/OL]. (2024-01-20)[2024-10-10]. https://yiyan.baidu.com.
[37]	Soot. Soot: A Java Optimization Framework[EB/OL]. (2024-05-14)[2024-10-10]. https://github.com/soot-oss/soot.
[38]	Koral. Android-Gif-Drawable: Views and Drawable for Animated GIFs in Android[EB/OL]. (2024-07-10)[2024-10-10]. https://github.com/koral—/android-gif-drawable.
[39]	Awakened. How a Double-Free Bug in WhatsApp Turns to RCE[EB/OL]. (2024-10-02)[2024-10-10]. https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce.
[40]	BOLAND T, BLACK P E. Juliet 1.1 C/C++ and Java Test Suite[J]. Computer, 2012, 45(10): 88-90.

动态分析方案	相关研究	测试入口	运行环境	Native行为监控		分析目标
动态分析方案	相关研究	测试入口	运行环境	覆盖率导向	内存异常	分析目标
基于GUI的模糊测试	Humanoid^[16]	Java	移动设备	—	—	APP稳定性
	Q-Testing^[20]	Java	移动设备	—	—	APP稳定性
	JNFuzz-Droid^[21]	JNI	移动设备	—	—	隐私泄露
运行时内存异常检测	NCScope^[11]	Java	移动设备	—	离线分析	内存漏洞
	HWASan^[12]	Java	移动设备	—	Tag-Based	内存漏洞
	MTE^[23]	Java	移动设备	—	Tag-Based	内存漏洞
基于JNI直接执行的模糊测试	JniFuzzer^[14]	JNI	移动设备	—	—	内存漏洞
	Harness^[15]	JNI	移动设备	—	—	内存漏洞
	Altas^[13]	JNI	QEMU	基本块覆盖率导向	Redzone-Based	内存漏洞
	MediaFuzzer	JNI	Unicorn	基本块覆盖率导向	Tag-Based	多媒体内存漏洞

来源	应用类别	数量/个
Google Play	49个应用大类	490
国内应用市场	微信、抖音等	9
CVE漏洞库	WhatsApp	1

LLM	准确率	精确率	召回率	F1值
ChatGPT-4o	99.8%	81.0%	92.5%	86.4%
Gemini-1.5-pro	99.8%	95.2%	73.9%	83.2%
通义千问-2.5	99.7%	82.2%	72.4%	77.0%
文心一言-4.0	99.6%	66.0%	75.4%	70.3%

漏洞应用	版本号	漏洞函数	漏洞类型	多媒体格式
WhatsApp	2.19.230	<Java_pl_droidsonroids_gif_GifInfoHandle_openByteArray>	CWE-415	GIF
微信	8.0.21	<Java_com_tencent_mm_plugin_gif_MMGIFJNI_openByFilePath>	CWE-789	GIF
FitPro	2.4.2	<Java_xfkj_fitpro_jni_BmpConvertTools_Bmp24ConvertBmp16>	CWE-122	BMP24
Striker	2.20.1	<Java_com_snowcorp_scv_webP_WebP_convertGifToWebP>	CWE-789	GIF

漏洞应用	不同引导机制下的平均输入变异轮次/次
漏洞应用	格式化+ 覆盖率反馈	格式化 (J/H)	覆盖率反馈	无变异引导
WhatsApp	95530	N	N	N
微信	158	1273	35845	N
FitPro	411	2847	701067	N
Sticker	129	5626	N	N