As machine learning gains prominence in various sectors of society for automated decision-making, concerns have risen regarding potential vulnerabilities in machine learning (ML) frameworks. Nevertheless, testing these frameworks is a daunting task due to their intricate implementation. Previous research on fuzzing ML frameworks has struggled to effectively extract input constraints and generate valid inputs, leading to extended fuzzing durations before reaching deep execution or revealing the target crash. In this paper, we propose ConFL, a constraint-guided fuzzer for ML frameworks. ConFL automatically extracts constraints from kernel code without the need for any prior knowledge. Guided by the constraints, ConFL is able to generate valid inputs that can pass the verification and explore deeper paths of kernel code. In addition, we design a grouping technique to boost the fuzzing efficiency. To demonstrate the effectiveness of ConFL, we evaluated its performance mainly on TensorFlow. We find that ConFL is able to cover more code lines and generate more valid inputs than state-of-the-art (SOTA) fuzzers. More importantly, ConFL found 84 previously unknown vulnerabilities in different versions of TensorFlow, all of which were assigned new CVE IDs, of which 3 were critical-severity and 13 were high-severity. We also extended ConFL to test PyTorch and Paddle, where 7 vulnerabilities have been found to date.