Atlantis-Java

In the AIxCC competition, while fully committing to the challenge of leveraging Large Language Models (LLMs), we also integrated traditional techniques to create a more robust bug-finding system with fewer blind spots. The competition provided a baseline fuzzer (Jazzer for Java projects), but coverage-guided fuzzing in general often struggles with the complex validation logic that guards deep code paths. To address this, concolic execution is a well-known solution for exploring these paths by solving their input conditions. Our main challenge, therefore, was how to effectively leverage this powerful technique for the competition’s bug-finding goals.

Sinkpoint-focused Directed Fuzzing

Fabian Fleischer

Atlantis java

Traditional coverage-based fuzzers excel at code exploration. When testing Java code, however, most vulnerabilities require the invocation of a certain Java API, such as creating an SQL statement (java.sql.Statement) for an SQL injection bug. Thus, we target such security-critical APIs with our modified, directed Jazzer to reach and exploit critical code locations faster. This blog post gives an overview over our directed fuzzing setup for Java challenge problems. Calculating a distance metric for directed fuzzing requires static analysis to identify critical code locations (aka sinkpoints) and compute distances. This static analysis happens mostly offline, independent of the modified Jazzer, to reduce the computational overhead in the fuzzer. However, we still compute the CFG (and, thus, basic block-level distances) in Jazzer to maintain a precise distance metric and allow the update of seed distances during fuzzing.

Jazzer+LibAFL: Insights into Java Fuzzing

Ammar Askar

Atlantis java

AIxCC involved finding bugs in software written in two languages: C++ and Java. The focus of the competition was on the use of LLMs and AI, however, our teams approach was to balance ambitious strategies alongside proven traditional bug-finding techniques like fuzzing. While our team was deeply familiar with fuzzing C++ from decades of academic research and industry work, Java was uncharted territory for us. In part of our Java fuzzing development we created a fork of Jazzer that uses LibAFL as the fuzzing backend and it is available as part of our open source release. This post details some of the lessons we learned about Java fuzzing and the creation of this fork.

Atlantis-Java: A Sink-Centered Approach to Java Vulnerability Detection

Cen Zhang

Atlantis java

Atlantis-Java is a specialized bug-finding subsystem within the Atlantis CRS framework, specifically designed for Java CPV detection in the AIxCC competition. It integrates fuzzing, program analysis, and LLM capabilities, with a particular focus on security-sensitive APIs (also known as sinks). Many Java Vulnerabilities Are Sink-Centered Fig.1 Example CPV from AIxCC Semifinal Jenkins CP This vulnerability contains a backdoor that enables OS command injection when specific conditions are met. The ProcessBuilder constructor serves as a sink API, where an attacker-controllable first argument can lead to arbitrary command execution. The sinkpoint (line 20) refers to the location in the target CP where this sink API is called.

Atlantis-Java

Our GraalVM Executor: How We Achieved Compatibility, Scale, and Speed

Sinkpoint-focused Directed Fuzzing

Jazzer+LibAFL: Insights into Java Fuzzing

Atlantis-Java: A Sink-Centered Approach to Java Vulnerability Detection

Our GraalVM Executor: How We Achieved Compatibility, Scale, and Speed

Sinkpoint-focused Directed Fuzzing

Jazzer+LibAFL: Insights into Java Fuzzing

Atlantis-Java: A Sink-Centered Approach to Java Vulnerability Detection

Categories

Tags