Java applications are prone to vulnerabilities stemming from the insecure use of security-sensitive APIs, such as file operations enabling path traversal or deserialization routines allowing remote code execution. These sink APIs encode critical information for vulnerability discovery: the program-specific constraints required to reach them and the exploitation conditions necessary to trigger security flaws. Despite this, existing fuzzers largely overlook such vulnerability-specific knowledge, limiting their effectiveness. We present GONDAR, a sink-centric fuzzing framework that systematically leverages sink API semantics for targeted vulnerability discovery. GONDAR first identifies reachable and exploitable sink call sites through CWE-specific scanning combined with LLM-assisted static filtering. It then deploys two specialized agents that work collaboratively with a coverage-guided fuzzer: an exploration agent generates inputs to reach target call sites by iteratively solving path constraints, while an exploitation agent synthesizes proof-of-concept exploits by reasoning about and satisfying vulnerability-triggering conditions. The agents and fuzzer continuously exchange seeds and runtime feedback, complementing each other. We evaluated GONDAR on real-world Java benchmarks, where it discovers four times more vulnerabilities than Jazzer, the state-of-the-art Java fuzzer. Notably, GONDAR also demonstrated strong performance in the DARPA AI Cyber Challenge, and is integrated into OSS-CRS, a sandbox project in The Linux Foundation's OpenSSF, to improve the security of open-source software.

翻译：Java 应用程序容易因不安全地使用安全敏感性 API 而出现漏洞，例如启用路径遍历的文件操作或允许远程代码执行的反序列化例程。这些接收点（sink）API 编码了用于漏洞发现的关键信息：到达它们所需的程序特定约束条件，以及触发安全缺陷所必需的利用条件。尽管如此，现有的模糊测试工具在很大程度上忽略了此类针对漏洞的知识，限制了其有效性。我们提出了 GONDAR，一个以接收点为中心的模糊测试框架，该系统性地利用接收点 API 语义进行有针对性的漏洞发现。GONDAR 首先通过结合 CWE 特定扫描与 LLM 辅助的静态过滤来识别可到达且可利用的接收点调用点。然后，它部署两个专门的代理，它们与一个基于覆盖率引导的模糊测试器协同工作：一个探索代理通过迭代求解路径约束来生成输入以到达目标调用点，而一个利用代理通过推理并满足漏洞触发条件来合成概念验证漏洞利用代码。代理与模糊测试器持续交换种子和运行时反馈，相互补充。我们在真实的 Java 基准测试上评估了 GONDAR，其发现的漏洞数量是最先进的 Java 模糊测试工具 Jazzer 的四倍。值得注意的是，GONDAR 还在 DARPA AI 网络挑战赛中表现出色，并已被集成到 Linux 基金会 OpenSSF 中的沙盒项目 OSS-CRS 中，以提升开源软件的安全性。