IMF: Inferred Model-based Fuzzer

IMF is a kernel API fuzzer that leverages an automated API model inferrence techinque proposed in our paper at CCS. IMF currently only supports macOS. To see how to configure and run IMF, see the followings.



  • python2.7
  • pypy
  • clang

How to run

  1. Generate hooking library for APIs

$ ./gen-hook [output(hooking code) path]
$ clang  -Wall -dynamiclib -framework IOKit -framework CoreFoundation -arch i386\
         -arch x86_64 hook.c -o hook
  1. Collect logs

$ DYLD_INSERT_LIBRARIES=[hooking library path] [program path] [program args]
  1. Filter logs

$ ./filter-log [log dir] [output dir] [# of output(filtered log)] [# of core]
  1. Infer a model and generate a fuzzer.

$ ./gen-fuzz [filtered logs path] [output(fuzzer code) path] [# of core]
  1. Compile the fuzzer

$ clang -framework IOKit -framework CoreFoundation -arch i386 fuzz.c -o fuzz
  1. Run the fuzzer

$ ./fuzz -f [log path] -s [seed] -b [bitlen] -r [rate] -l [# of max loops]
  1. You may want to run the generated fuzzer within a while loop.


  • CVE-2017-7159


This research project has been conducted by SoftSec Lab at KAIST.

Citing IMF

To cite our paper ():

    author = {HyungSeok Han and Sang Kil Cha},
    title = {Inferred Model-based Fuzzing},
    booktitle = {Proceedings of the ACM Conference on Computer and Communications Security},
    year = {2017},
    pages = {2345--2358}


The work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT).


GitHub - SoftSec-KAIST/IMF: Inferred Model-based Fuzzer
Inferred Model-based Fuzzer. Contribute to SoftSec-KAIST/IMF development by creating an account on GitHub.