
ELFuzz


This repository contains the source code of the replication package of the paper "ELFuzz: Efficient Input Generation via LLM-driven Synthesis Over Fuzzer Space."

Experiment data

The experiment data are published on Zenodo.

Replication package

The code and environment to replicate the experiments are published as a Docker image. Run the following command to pull it:

docker pull ghcr.io/osuseclab/elfuzz:25.08.0

Before launching Docker, set core_pattern on the host machine, which is required by AFL++ later:

echo core > /proc/sys/kernel/core_pattern

Alternatively, if you downloaded the Docker image as a tarball from Zenodo, you can import it using the following commands:

zstd -d "elfuzz_docker_<timetag>.tar.zst"
docker load --input "elfuzz_docker_<timetag>.tar"

After pulling/importing the image, run the following command to start the container:

mkdir -p /tmp/host
docker run --storage-opt size=100G --cpus 30 -it --add-host=host.docker.internal:host-gateway -v /tmp/host:/tmp/host -v /var/run/docker.sock:/var/run/docker.sock --name elfuzz ghcr.io/osuseclab/elfuzz:25.08.0

The options of this command are explained below:

  • --storage-opt size=100G: Allocates 100 GB of disk space to the container. We need this because some files generated/downloaded during the experiments are large, such as the models pulled from Hugging Face and the seed test cases generated by ELFuzz fuzzers.
  • --cpus 32: Allocates 32 CPU cores to the container. This is to speed up operations such as minimizing seed test cases via parallelization.
  • -it: Runs the container in interactive mode with a terminal.
  • --add-host=host.docker.internal:host-gateway: Adds a host entry to the container so that it can access the host machine. This is needed for querying the LLM served in a sibling container.
  • -v /tmp/host:/tmp/host: Mounts the /tmp/host directory on the host machine into the container as a shared temporary directory with sibling containers.
  • -v "/var/run/docker.sock:/var/run/docker.sock": Mounts the Docker socket into the container, allowing it to run sibling containers.
  • --name elfuzz: Names the container elfuzz.
  • ghcr.io/osuseclab/elfuzz:25.08.0: Specifies the Docker image to use.

This opens a shell in the container. Then follow the instructions in /elfuzz/README.md (a symlink to docker_readme.md in this repository) to replicate the experiments.

The Docker image has only been tested on x86-64 machines.
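Because the launch above depends on host-side settings that are easy to miss (the architecture, the core_pattern sysctl, and the Docker socket the container is given so it can start sibling containers), here is an added preflight script that checks them and then prints the docker run command for review; it is not part of the ELFuzz repository. The 30-CPU value, the /tmp/host path and the image tag are taken from the command above; the function names are my own.

```shell
#!/bin/sh
# Added preflight helper for the ELFuzz replication container; it is not part of
# the ELFuzz repository. It checks the host prerequisites the README lists and
# prints the README's docker run command instead of executing it blindly.

ELFUZZ_IMAGE="ghcr.io/osuseclab/elfuzz:25.08.0"

# The image is only tested on x86-64 hosts; refuse anything else.
check_arch() {
    arch="${1:-$(uname -m)}"
    case "$arch" in
        x86_64|amd64) return 0 ;;
        *) echo "unsupported architecture: $arch" >&2; return 1 ;;
    esac
}

# AFL++ needs plain core files, so the kernel's core_pattern must be exactly
# "core"; a pattern that pipes cores to a crash handler makes AFL++ abort at
# startup. $1 overrides the sysctl file path (used for testing).
check_core_pattern() {
    pattern=$(cat "${1:-/proc/sys/kernel/core_pattern}" 2>/dev/null) || return 1
    [ "$pattern" = "core" ]
}

# The README mounts the host's Docker socket into the container so it can start
# sibling containers; that socket must exist and be writable by this user.
check_docker_socket() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Assemble the README's docker run command as one string so it can be reviewed
# before it is executed. $1: cpu count, $2: directory shared with siblings.
build_run_cmd() {
    cpus="${1:-30}"; shared="${2:-/tmp/host}"
    printf 'docker run --storage-opt size=100G --cpus %s -it' "$cpus"
    printf ' --add-host=host.docker.internal:host-gateway'
    printf ' -v %s:%s -v /var/run/docker.sock:/var/run/docker.sock' "$shared" "$shared"
    printf ' --name elfuzz %s\n' "$ELFUZZ_IMAGE"
}

# Run every check in order, stop at the first failure, then print the command.
# To launch the container after reviewing it: eval "$(elfuzz_preflight)"
elfuzz_preflight() {
    check_arch && check_core_pattern && check_docker_socket || return 1
    mkdir -p /tmp/host
    build_run_cmd 30 /tmp/host
}
```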

How to build the Docker image

Before building the Docker image, you should cd to the root of the ELFuzz source code and put elfuzz_baselines.tar.zst (downloaded from Zenodo) into tmp/.

The Docker image is built by the following command:

docker build -t ghcr.io/osuseclab/elfuzz:25.08.0 -f .devcontainer/Dockerfile --target publish .

Source code layout

First, I'm sorry that the codebase is messy. It is hard to keep it clean while rushing towards the paper deadline.

TODO

Miscellaneous

  • The Docker version at the time that the image was built is 28.2.2.
  • There is a PDF (misc/sibling_container.pdf) in the data tarball (elfuzz_data_<timestamp>.tar.zst) downloaded from the Zenodo repository. It is a persistent copy of the Stack Overflow post referenced above, in case the link to the post breaks in the future.

Maintenance statements

  • [2025-06-19] I tried my best to preserve the environment in the Docker image, keeping the replication package usable for as long as possible. However, there may be some aspects that I have not considered. If you encounter any issues that prevent you from using the package, please open an issue or launch a pull request.

Cite this work

@inproceedings{chen2025elfuzz,
  title = {{ELFuzz}: {Efficient} Input Generation via LLM-driven Synthesis Over Fuzzer Space},
  booktitle = {Proceedings of the 34th {USENIX Security Symposium} ({USENIX} {Security} 2025)},
  author = {Chen, Chuyang and Dolan-Gavitt, Brendan and Lin, Zhiqiang},
  year = {2025},
  pages = {6279--6298},
  month = {8},
  publisher = {USENIX Association},
  address = {Seattle, WA, USA},
  copyright = {All rights reserved},
  doi = {10.5555/3766078.3766401},
}