notes

Orion.md (3815B)

---

 # Orion
 
 **Source:** Orion: Fuzzing Workflow Automation
 
 ## Notes
 
 This is an approach to fuzzing automation presented in the 'Orion: Fuzzing Workflow Automation' paper by employees of Nvidia. 
 
 ## Process
 
 - Harness generation and execution
     - Takes target project source code as input
     - Constructs a codebase index
         - The codebase is chunked on the basis of functions
     - Select interfaces for fuzzing by ranking non-static functions by how likely it thinks fuzzing will trigger bugs
         - This ranking is done by computing a few metrics:
             - Cyclomatic complexity
                 - Number of independent paths paths through a function
             - Internal function calls
                 - How frequently a function is called by others
             - Lines of code
             - Callgraph size
                 - Number of functions reachable from the given function
                     - This seems to be an attempt to place more weight on more important functionallity which might be misguided.
                         - If there is a part of the codebase that is very integral, it seems likely that is more well tested.
             - Dangerous expressions
                 - Constructs like pointer arithmetic, memory maangement, bit operations (detected by the LLM...)
                     - Honestly, I'd just use regex...
             - Sink functions
                 - Functions associated with vulnerabilities
                     - Again... why are you using LLMs!? Just use regex
             - Parsing functions
                 - Functions that parse structured inputs
                     - fair play for LLM usage.
     - Generates seed inputs for each selected function
     - Generate harness
         - A dependency analysis agent identifies setup and teardown processes and header file dependencies
         - Constructs compilable fuzz drivers compatible with generated seeds
     - The resulting harnesses and seeds are then sent to the fuzzing infra which executes the fuzzer, monitors for errors, and records the results
 - Crash handling
     - The triage agent filters out harness-related issues
     - Triage agent root causes issues and creates minimal repros
 - Patching
     - Patching agent patches the issue
     - Minimal repros are validated as fixed from the prior step
         - If the issue still exists, patching agent tries again
 
 ## Questions During Reading
 
 - How do they ensure the bug triaging / patching doesn't result in further regressions?
     - It seems likely they are finding real issues, but the patches would be dubious, even if they result in the problem being resolved for a given byte buffer input to the harness.
     - Towards the end of the paper they say basically a human reviews at the end and they ensure it passes minimal tests
         - This seems like basically they just validate it compiles and passes the fuzz repros
 - Why does parsing the source code to create call grpahs and type indexes improve performance?
     - Agentic models should be able to request this information themselves with tool use without the need for preprocessing. 
         - This paper was put on ArXiv on Sep. 18th so they clearly had access to tool using agentic models that could easily do this.
     - Also, I don't see ablations so I don't know if it does.
 - How did they choose the target identification metrics?
 
 ## Interesting Questions to Explore
 
 - Does generating call graphs improve model performance?
     - What about other forms of codebase processing for context generation?
 - What are the most important metrics for deterministic risk identification?
 
 ## Important Takeaways
 
 - They define seeds prior to their harnesses.
     - Their rationale seems to be if they constrain the input and output spaces, LLMs will be better at generating harnesses.