ASE 2025
Sun 16 - Thu 20 November 2025 Seoul, South Korea

Directed grey-box fuzzing (DGF) steers testing toward high-value targets, but developing effective DGF for commercial off-the-shelf (COTS) binaries is challenging because accurate structural information (e.g., control-flow and call graphs) is unavailable, which causes recovered control flows to deviate from the real ones and misguides DGF's reachability analysis. In this paper, we introduce BinGo, a tailored binary-level directed grey-box fuzzer that accommodates the flawed CFGs of COTS binaries and realizes accurate and efficient reachability analysis. First, to quantify the inevitable inaccuracies of unexecuted indirect edges and analyze their impact on the reachability of basic blocks, we propose a Bayesian-based method. This method combines prior knowledge from static analysis with dynamic observations from fuzzing to estimate the confidence that an indirect edge has been recovered correctly. Then, we present a new concept called a "region", which redefines the granularity of reachability analysis by transforming the control-flow graph (CFG) into a region graph. Using the Bayesian results and the region graph, we propose a custom fitness metric for binary-level DGF, termed "probabilistic reachability". This metric, based on a dynamically updated region graph and reachability scores, is adaptive, lightweight, and tolerant of the inaccurate binary-level CFG. We implemented a prototype tool, BinGo, and evaluated it on the CGC dataset, CVE-Benchmark, and the UniBench benchmark. Experimental results show that BinGo surpasses baseline fuzzers (AFL++, AFLGo, PDGF, UAFuzz, and 1dVul) in reaching target locations and triggering known vulnerabilities. Additionally, BinGo uncovered three new vulnerabilities in the real-world application cscope-15.9.
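To make the idea of a Bayesian edge confidence feeding a probabilistic reachability score concrete, here is an added toy model written for this page; it is not BinGo's code and the abstract does not give BinGo's actual formulas. It assumes a Beta-Bernoulli belief per statically recovered indirect edge (updated when fuzzing observes which candidate the site actually transfers to) and a fixed-point propagation of reachability-to-target over the raw CFG; the region-graph collapsing is omitted.

```python
from collections import defaultdict

class EdgeBelief:
    """Beta-Bernoulli belief that a recovered indirect edge is genuine (assumed model)."""
    def __init__(self, alpha, beta):
        self.alpha, self.beta = alpha, beta
    def confidence(self):
        return self.alpha / (self.alpha + self.beta)

class ProbReach:
    def __init__(self, target):
        self.target = target
        self.succ = defaultdict(dict)   # src block -> {dst block: EdgeBelief or None}
        self.sites = defaultdict(set)   # indirect-transfer site -> statically predicted dsts
    def add_direct(self, src, dst):
        self.succ[src][dst] = None      # direct edge: fully trusted
    def add_indirect(self, src, dst, prior_alpha=1.0, prior_beta=1.0):
        # prior comes from static analysis (e.g. how plausible this candidate target is)
        self.succ[src][dst] = EdgeBelief(prior_alpha, prior_beta)
        self.sites[src].add(dst)
    def observe(self, src, dst):
        # fuzzing executed src -> dst: confirm that candidate, weaken the site's others
        for cand in self.sites[src]:
            b = self.succ[src][cand]
            if cand == dst: b.alpha += 1
            else: b.beta += 1
        if dst not in self.succ[src]:   # target that static analysis never predicted
            self.succ[src][dst] = EdgeBelief(2.0, 1.0)
            self.sites[src].add(dst)
    def conf(self, src, dst):
        b = self.succ[src][dst]
        return 1.0 if b is None else b.confidence()
    def reachability(self, rounds=50):
        # P(v reaches target) = 1 - prod_s (1 - conf(v,s) * P(s reaches target)),
        # iterated to a fixed point so cycles in the CFG are handled
        nodes = set(self.succ) | {d for s in list(self.succ.values()) for d in s}
        score = {n: (1.0 if n == self.target else 0.0) for n in nodes}
        for _ in range(rounds):
            for n in nodes:
                if n == self.target: continue
                miss = 1.0
                for d in dict(self.succ[n]):
                    miss *= 1.0 - self.conf(n, d) * score[d]
                score[n] = 1.0 - miss
        return score

def demo():
    # constructed CFG: entry->a->x(indirect, weak prior)->target, entry->b->{target,c} (indirect)
    g = ProbReach("target")
    g.add_direct("entry", "a"); g.add_indirect("a", "x", 1.0, 3.0); g.add_direct("x", "target")
    g.add_direct("entry", "b"); g.add_indirect("b", "target"); g.add_indirect("b", "c")
    before = g.reachability()
    g.observe("b", "target")        # fuzzer saw b transfer to the target block
    return before, g.reachability()
```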