Cite this article:
  • Cheng Yiran, Si Shuaizong, Dong Chaopeng, Lv Shichao, Chen Yongle, Shi Zhiqiang, Sun Limin. Large Language Model-Augmented Fuzzing: Landscape, Challenges, and Future Prospects [J]. Journal of Cyber Security (信息安全学报), accepted.


Large Language Model-Augmented Fuzzing: Landscape, Challenges, and Future Prospects
Cheng Yiran 1, Si Shuaizong 1, Dong Chaopeng 2, Lv Shichao 1, Chen Yongle 3, Shi Zhiqiang 1, Sun Limin 1
(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. Hangzhou Dianzi University; 3. Taiyuan University of Technology)
Abstract:
With the rapid development of information technology, the functionality of software systems grows ever more complex and the trends toward modularization and industrialization become increasingly pronounced, so the complexity of software construction keeps climbing. This not only increases the number of potential vulnerabilities inside a system but also poses severe challenges to software security and to the efficiency of vulnerability discovery. Traditional vulnerability discovery techniques, fuzzing in particular, are widely used in practice, yet their efficiency and deep-exploration capability hit bottlenecks when faced with complex structured inputs, deep logical constraints, and the high cost of writing fuzz drivers. This paper focuses on the frontier research direction of LLM-augmented fuzzing. It aims to systematically study and survey how the code comprehension, semantic reasoning, and structured generation capabilities of large models can be used to break through the limitations of traditional fuzzing, with particular attention to research on applying large models at the key stages of fuzzing. By systematically organizing and analyzing existing research results, it presents the state of LLM-augmented fuzzing along two dimensions: automated generation of fuzz drivers, and intelligent generation and mutation of high-quality test seeds. On this basis, it analyzes the notable advantages and application potential of large models in raising the level of automation, understanding complex constraints, and reducing reliance on manual effort. Finally, drawing on the survey and analysis of the current research landscape, the paper summarizes the practical challenges facing LLM-augmented fuzzing: the tension between high cost and efficiency, the reliability and hallucination problems of model-generated output, and insufficient diversity of test cases. On that basis it proposes possible future research directions, including hybrid agent architectures in which multiple models collaborate and techniques that strengthen the verifiability of generated results, offering useful references and insights for the continued development of this field and for building the next generation of highly intelligent, highly efficient vulnerability discovery systems.
Keywords: large language model; fuzzing; software security
DOI:
Received: 2026-01-28; Revised: 2026-05-14
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Large Language Model-Augmented Fuzzing: Landscape, Challenges, and Future Prospects
Cheng Yiran1, Si Shuaizong1, Dong Chaopeng2, Lv Shichao1, Chen Yongle3, Shi Zhiqiang1, Sun Limin1
(1.Institute of Information Engineering, Chinese Academy of Sciences;2.Hangzhou Dianzi University;3.Taiyuan University of Technology)
Abstract:
With the rapid advancement of information technology, the functionality of software systems is becoming increasingly complex, and the trend toward modularization and industrialization is increasingly pronounced, leading to a continuous rise in the complexity of software construction. This not only increases the number of potential vulnerabilities within the system but also poses severe challenges to software security and the efficiency of vulnerability discovery. Traditional vulnerability discovery techniques, particularly fuzz testing (fuzzing), despite being widely applied in practice, face bottlenecks in efficiency and deep exploration when confronted with challenges such as complex structured inputs, deep logical constraints, and the high cost associated with writing test drivers. This paper focuses on the cutting-edge research direction of Large Language Models (LLMs) empowering fuzzing technology. It aims to systematically study and review how to leverage LLMs' capabilities in code comprehension, semantic reasoning, and structured generation to overcome the limitations of traditional fuzzing, with a specific focus on the application research of LLMs in critical fuzzing stages. By systematically reviewing and analyzing existing research achievements, the paper introduces the current state of LLM-empowered fuzzing technology from two dimensions: the automated generation of fuzz drivers and the intelligent generation and mutation of high-quality test seeds. Based on this, it highlights the significant advantages and application potential of LLMs in improving automation levels, understanding complex constraints, and reducing manual dependency. Finally, combining the survey and analysis of the current research landscape, this paper summarizes the practical challenges faced by LLM-empowered fuzzing, such as the contradiction between high cost and efficiency, the reliability and hallucination issues of model-generated results, and the lack of test case diversity. Accordingly, it proposes potential future research directions, including the construction of multi-model collaborative hybrid agent architectures and techniques for enhancing the verifiability of generated results, offering valuable references and insights for promoting the sustainable development of this field and building the next generation of highly intelligent and efficient vulnerability mining systems.
Key words: language model; fuzzing; software security