Papers
Topics
Authors
Recent
Search
2000 character limit reached

PDFuzz: Evasion & Fuzzing Techniques

Updated 7 July 2026
  • PDFuzz is a polysemous research topic applied to both evasion attacks on AI text detectors and ML-driven PDF fuzzing methods.
  • It leverages PDF’s low-level structure by reordering text commands or modeling execution paths to boost code coverage and uncover vulnerabilities.
  • The techniques preserve visual fidelity in evasion or deliberately perturb file structures in fuzzing, achieving significant impacts on detection rates and crash findings.

Searching arXiv for papers on PDFuzz and closely related PDF fuzzing / PDF-based attack literature. PDFuzz is a name associated with multiple research threads centered on the Portable Document Format. In one usage, it denotes a PDF-based evasion attack on AI-generated-text detectors that preserves exact textual content while manipulating character positioning to scramble extraction sequences (Creo, 3 Aug 2025). In another, it denotes a machine-learning framework for optimizing PDF seed inputs in fuzzing by learning correlations between PDF files and program execution and then generating new, high-value seeds (Cheng et al., 2019). A related line of work, described in one consolidated summary as the PDFuzz approach but published as IUST-DeepFuzz, treats PDF fuzzing as a format-aware neural test-data generation problem (Nasrabadi et al., 2018). These usages are distinct in objective, threat model, and evaluation, but they share an emphasis on PDF as a structured, low-level programmatic representation rather than merely a rendered document.

1. Terminological scope and disambiguation

The term “PDFuzz” is not unique to a single system. It has been used for both detector evasion and software fuzzing, and it is therefore best understood as a polysemous label rather than a single canonical framework.

Usage Primary objective Core mechanism
"Complete Evasion, Zero Modification: PDF Attacks on AI Text Detection" (Creo, 3 Aug 2025) Evasion of AI-generated-text detection Permute or interleave text-positioning commands so extraction order is scrambled while visual appearance is preserved
"PDFuzz – An ML-Driven Framework for Optimizing PDF Seed Inputs in Fuzzing" (Cheng et al., 2019) Improve seed inputs for fuzzing programs that take PDF files as input Learn the correlation between PDF inputs and execution, sample novel execution paths, and translate them into new PDF seeds
"Format-aware Learn&Fuzz: Deep Test Data Generation for Efficient Fuzzing" (Nasrabadi et al., 2018) Format-aware PDF fuzzing Train a neural LLM over tokenized PDF structure and apply DataNeuralFuzz and MetadataNeuralFuzz

A recurrent source of confusion is the assumption that PDFuzz always refers to a fuzzing framework. The 2025 work instead uses the name for an evasion attack on AI text detection. Conversely, the 2019 and related 2017–2018 work use PDF-specific machine learning to improve dynamic software testing rather than to defeat text classifiers.

2. PDF as a substrate: visual layout and logical order

The detector-evasion formulation of PDFuzz depends on a basic property of PDF internals: a PDF page is fundamentally a sequence of low-level drawing and text-positioning commands, and the order in which text-extractors emit characters need not coincide with the natural reading order perceived by humans (Creo, 3 Aug 2025). The relevant primitives include Tm (set text matrix), Td (move text position), Tj (show text), and TJ (show array of strings and position adjustments). Human readers see glyphs placed by absolute (x,y)(x,y) coordinates, whereas a naïve extractor reads the content stream in byte order.

A representative content stream is:

π0(i)=i\pi_0(i)=i7

A visual renderer interprets coordinates and shows “Hello, world!” correctly. A naïve extractor, however, emits the characters in stream order. If those commands are permuted or interleaved in the file, the extractor can output a scrambled sequence even though the viewer still draws the glyphs in the intended place.

This visual–logical ordering gap is also relevant to PDF fuzzing. The fuzzing papers treat PDF as a structured object stream whose syntactic and semantic regularities can be modeled statistically. In both lines of work, the decisive leverage comes from internal representation rather than from visible page appearance.

3. Detector-evasion PDFuzz

In the detector-evasion setting, PDFuzz preserves the exact same character–position pairs but changes the order in which they are written into the PDF content stream (Creo, 3 Aug 2025). Let T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n] be the original character sequence and P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n] the corresponding 2D positions. Normal extraction corresponds to the identity permutation π0(i)=i\pi_0(i)=i. PDFuzz selects a nontrivial permutation πSn\pi \in S_n and emits the same (ci,pi)(c_i, p_i) pairs in the order π(1),π(2),,π(n)\pi(1), \pi(2), \dots, \pi(n). The character-level version computes positions pkp_k, draws a random permutation, and repeatedly writes TM(p_i) and (c_i) Tj for the permuted index ii. A chunk-based version instead partitions text into fixed-size chunks of 8–15 characters, permutes the chunks, and preserves the original order within each chunk.

The reported evaluation uses 1,000 argumentative essays from the SilverSpeak benchmark, half human-written and half AI-generated by GPT-variants. The detector is ArguGPT, described as a RoBERTa-large fine-tuned classifier from Liu et al. 2023 operating on extracted plain text. The attack pipeline compares a normal PDF with identity ordering against a PDFuzz PDF with character-level scrambling, in both cases followed by a standard PDF extractor and then ArguGPT. The metrics are TP, TN, FP, FN, together with accuracy, precision, recall, and F1 (Creo, 3 Aug 2025).

Metric Baseline (normal PDF) After PDFuzz
Accuracy 93.6% ± 1.4% (95% CI) 50.4% ± 3.2% (95% CI)
F1 0.938 ± 0.014 0.0
TPR@FPR=1% 73.4% 0.2%

The paper characterizes this as complete evasion without changing a single character visually or semantically. A common misconception is that evasion of AI-generated-text detectors requires paraphrasing, content editing, or visible corruption. PDFuzz instead preserves exact textual content while manipulating character positioning to scramble extraction sequences.

The stated failure mode is that detectors such as ArguGPT rely on the statistical regularities of natural text. When extraction yields a random permuted sequence, perplexity skyrockets, token-transition statistics break down, and the model is effectively fooled into classifying the text as human-written, summarized in the paper as “high entropy = ‘human’ in Figure 1.” The paper identifies the root cause as the mismatch between how humans see text and how many detectors process text as flat sequential streams. Proposed defenses are format-aware preprocessing that re-sorts extracted tokens back to natural reading order, signature-based detection of unusual ordering in the raw content stream, and hybrid extraction that compares a PDF-native extractor with visual OCR. Each defense is explicitly described as carrying trade-offs in complexity, runtime, and possible new evasion avenues (Creo, 3 Aug 2025).

4. PDFuzz as ML-driven seed optimization for fuzzing

In the fuzzing literature, PDFuzz denotes an end-to-end machine-learning framework that learns the statistical relationship between PDF inputs and program execution, generates novel execution paths, and translates those paths back into new PDF seeds (Cheng et al., 2019). The framework has three major components: data preparation, path generation, and seed generation.

The path generator is a two-layer RNN with LSTM cells and hidden size H=256H=256 in each layer. The first layer models the distribution of basic blocks within functions, and the second models the distribution of functions within full execution paths. An execution path is represented as a sequence of basic-block identifiers,

T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]0

with a compression step that merges frequently co-occurring short subsequences into “super-blocks,” enforcing T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]1. The generative model is

T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]2

and the training loss is token-level cross-entropy.

The input generator is a Seq2Seq model with an encoder RNN and decoder RNN, both LSTM with hidden size T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]3; the encoder uses dropout T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]4 and the decoder dropout T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]5. For each original PDF T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]6, an Object Extractor parses internal object streams into a token sequence

T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]7

paired with a compressed execution path T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]8. The encoder–decoder mapping is

T=[c1,c2,,cn]T = [c_1, c_2, \dots, c_n]9

The paper also presents compact notation:

P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]0

with the overall translation model written as P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]1.

The high-level algorithm instruments the target, records and compresses execution paths, trains the path generator, trains the Seq2Seq input generator on P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]2 pairs, samples a novel path P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]3, decodes it into a new PDF seed P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]4, validates the output, and adds valid seeds to the corpus. Two sampling strategies are specified: Sample, which samples the next basic block at every time step, and SampleFunction, which only resamples at function boundaries to trade off depth versus breadth of exploration.

The reported evaluation uses MuPDF as the primary target fuzzed with AFL, with additional PDF viewers pdfium, podofo, and poppler. The initial seed corpus contains 43,684 real-world PDF files totaling 5.2 GB, and training takes 24 h on a 4-core Intel i7-7700 plus GTX1080 Ti. In MuPDF, original seeds trigger 4,548 basic blocks and 14,522 execution paths, whereas PDFuzz seeds yield 4,661 basic blocks and 15,530 execution paths with Sample, and 4,657 basic blocks and 18,050 execution paths with SampleFunction. Across four PDF viewers over 24 h, the averages are +23.21 % more basic blocks and +31.69 % more execution paths. Crash findings increase from 32 crashes with original seeds to 67 crashes with PDFuzz seeds, including 2 known CVEs. The same framework is also reported on libpng and freetype, with +53.90 % more paths and +22.38 % more edges in freetype after 24 h (Cheng et al., 2019).

The paper’s discussion attributes these gains to directly modeling the input-to-execution mapping, avoiding redundant mutations, and leveraging a large initial corpus to learn both low-level and high-level correlations. Its stated limitations are training overhead, dependence on corpus diversity, and the need for bespoke compression or hierarchical models for extremely deep or highly stateful targets.

5. Format-aware neural PDF fuzzing and its lineage

A closely related line predates the 2019 framework. “Learn&Fuzz: Machine Learning for Input Fuzzing” trains a character-level Seq2Seq RNN to model PDF objects and uses the learned probability distribution to guide mutations (Godefroid et al., 2017). The architecture is an encoder–decoder with two hidden layers in both encoder and decoder and 128 LSTM hidden units per layer. Training is unsupervised over about 63 k extracted text objects from 534 seed-minimized real-world PDF files. The model induces an implicit probabilistic grammar over character sequences,

P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]5

and the paper studies several generation strategies: NoSample, Sample, SampleSpace, and SampleFuzz. SampleFuzz selectively replaces high-confidence characters with low-probability alternatives. In the Edge PDF parser case study, six configurations are evaluated over 30,000 files; SampleFuzz attains the highest coverage at 567,634 instructions with a 68.24% pass rate, and a longer 300,000-file run using Sample+Random uncovers a stack-overflow bug later fixed by the Edge team (Godefroid et al., 2017).

The 2018 work “Format-aware Learn&Fuzz: Deep Test Data Generation for Efficient Fuzzing” extends this direction through a modular file-format fuzzer called IUST-DeepFuzz, described in one consolidated summary as the PDFuzz approach (Nasrabadi et al., 2018). It trains a neural LLM over tokenized PDF files, replacing binary streams with a special token BT, appending an explicit ET token if needed, and concatenating objects into a single sequence. The vocabulary is approximately 100–200 tokens. Four RNN variants are explored: Uni-LSTM#1, Uni-LSTM#2, Uni-LSTM#3, and Bi-LSTM#4. Training uses prefixes of length P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]6, Adam with learning rate from P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]7 to P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]8, categorical cross-entropy, 50 epochs, and batch size approximately 128. Validation includes perplexity,

P=[p1,p2,,pn]P = [p_1, p_2, \dots, p_n]9

with all four models achieving π0(i)=i\pi_0(i)=i0 after 50 epochs, compared with approximately 64 for an untrained model.

The fuzzing algorithms distinguish parsing-targeted metadata perturbation from rendering-targeted data perturbation. DataNeuralFuzz replaces a predicted token by the least-likely token when π0(i)=i\pi_0(i)=i1, with π0(i)=i\pi_0(i)=i2, a fuzzing rate FR, and propagation of the fuzzed token into the next prefix. MetadataNeuralFuzz instead fuzzes high-probability tokens when π0(i)=i\pi_0(i)=i3, with π0(i)=i\pi_0(i)=i4, and does not propagate the corruption into the prefix so that more of the file parses before malformed metadata causes failure. Both enforce MaxLen∼Uniform(a,b) with π0(i)=i\pi_0(i)=i5 and π0(i)=i\pi_0(i)=i6, and any BT token is later replaced by a real binary blob that is randomly mutated. In evaluation on MuPDF v2017-04-11, using 10,000 files each, DataNeuralFuzz reaches 23,719 basic-block coverage and 18,673 line coverage, MetadataNeuralFuzz reaches 22,583 basic-block coverage and 17,894 line coverage, SampleFuzz (Seq2Seq) reaches 20,957 basic-block coverage and 16,793 line coverage, and RandomFuzz (FileFuzz) reaches 7,563 basic-block coverage and 5,002 line coverage (Nasrabadi et al., 2018).

Across the 2017–2019 fuzzing papers, a stable theme is the tension between learning well-formed PDF structure and deliberately breaking it to maximize coverage. The 2017 paper states this explicitly as a tension between learning and fuzzing goals; the 2018 paper reports that simpler deep learning models can produce higher coverage despite worse language-model metrics; and the 2019 framework addresses the same problem by moving from direct object generation to explicit modeling of execution paths.

6. Comparative significance, misconceptions, and open problems

The most important encyclopedic point about PDFuzz is that it is not a single technique. One branch attacks AI-generated-text detection by exploiting the decoupling of visual placement and extraction order in PDF documents; another branch improves dynamic software testing by learning how PDF structure correlates with parser or renderer execution. Confusing these branches can lead to category errors about goals, baselines, and evaluation metrics.

A second misconception is that PDF-based manipulation necessarily changes what a reader sees. The detector-evasion PDFuzz is explicitly a zero-modification, zero-artifact attack that preserves exact textual content and perfect visual fidelity while collapsing detector performance from over 93% to random chance (Creo, 3 Aug 2025). Conversely, the fuzzing variants intentionally seek malformed or semi-malformed inputs, and their success is measured by coverage, execution paths, pass rate, and crash findings rather than by semantic preservation (Cheng et al., 2019).

This suggests a broader unifying theme: PDF’s internal object model is sufficiently decoupled from rendered appearance and sufficiently rich in low-level structure that it can be exploited in two very different ways. In the evasion setting, low-level command ordering defeats text extraction. In the fuzzing setting, object streams, execution traces, and token distributions can be learned or perturbed to reach new code regions.

The open problems stated across the papers are correspondingly different. For detector evasion, resisting PDFuzz requires format-aware preprocessing, signature-based detection, or hybrid extraction, each with trade-offs in complexity, runtime, and possible new evasion avenues (Creo, 3 Aug 2025). For fuzzing, the reported limitations include training overhead, dependence on diverse seed corpora, naïvely random binary-blob mutation, lack of a real-time feedback loop, and the difficulty of exercising user-interaction paths or extremely deep stateful targets (Cheng et al., 2019). A plausible implication is that future work will continue to move away from naïve linear treatment of PDF files—whether as plain text for classifiers or as undifferentiated byte streams for fuzzers—and toward pipelines that model layout, object structure, and execution semantics explicitly.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to PDFuzz.