Directed fuzzing aims to find program inputs that lead to specified target states, which has broad applications, such as debugging system crashes, confirming reported bugs, and generating exploits for potential vulnerabilities. This task is inherently challenging because target states are often deeply nested in the program, while the search space manifested by numerous possible program inputs and their corresponding execution paths is prohibitively large. Existing approaches rely on branch distances or manually-specified constraints to guide the search; however, the branches alone are often insufficient to precisely characterize progress toward reaching the target states, while the manually specified constraints are often tailored for specific bug types and thus difficult to generalize to diverse target states and programs.
We present Locus, a novel framework to improve the efficiency of directed fuzzing. Our key insight is to represent the fuzzing progress as reaching semantically meaningful states — the synthetic intermediate milestones before reaching the target states. The predicates capturing these states, when used to instrument the program under fuzz, can early reject executions that cannot reach the target states, while providing additional coverage guidance. Generating these predicates requires sophisticated reasoning about the target states and an expert-level understanding of program behaviors. To automate this task and generalize to diverse programs, Locus features an agentic framework equipped with various program analysis tools to synthesize and iteratively refine the candidate predicates, while ensuring via symbolic execution that the predicates strictly relax the target states, so that no execution that could reach a target state is falsely rejected. Our evaluation shows that Locus substantially improves the efficiency of eight state-of-the-art fuzzers in discovering real-world vulnerabilities, including six previously unknown bugs, achieving an average speedup of 50.4×. So far, Locus has found six previously unpatched bugs, with one already acknowledged with a draft patch.
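The two properties the abstract relies on, a milestone predicate that strictly relaxes the target state (target implies predicate, so nothing reachable is rejected) and instrumentation that aborts executions as soon as the predicate fails, can be seen on a toy parser. The following is an added illustration, not code from the Locus paper or its authors: the parser, its "TARGET" state, the two candidate predicates and the byte alphabet are all constructed here, and a bounded exhaustive search over that alphabet stands in for the symbolic-execution check the paper performs.

```python
import itertools

def program(data: bytes) -> str:
    """Constructed toy parser; the deep 'TARGET' state stands in for a crash site."""
    if len(data) < 4 or data[:2] != b"LC":
        return "bad_magic"
    n = data[2]                       # declared payload length
    if n == 0:
        return "empty"
    payload = data[4:4 + n]
    if len(payload) != n:
        return "truncated"
    if data[3] & 1 and sum(payload) > 255:   # the target state (only reachable deep in the parse)
        return "TARGET"
    return "ok"

def milestone_ok(data: bytes) -> bool:
    """Candidate predicate that genuinely relaxes the target: every TARGET input satisfies it."""
    return len(data) >= 4 and data[:2] == b"LC" and data[2] > 0 and bool(data[3] & 1)

def milestone_bad(data: bytes) -> bool:
    """Over-restrictive candidate: wrongly assumes a payload longer than 2 bytes is needed."""
    return milestone_ok(data) and data[2] > 2

# Small constructed byte alphabet so the bounded search stays exhaustive and fast.
ALPHABET = bytes([0x4C, 0x43, 0x00, 0x01, 0x02, 0xFF])

def relaxation_counterexample(pred, max_len: int = 6):
    """Bounded exhaustive stand-in for the symbolic proof of target ==> pred.
    Returns an input that reaches TARGET but fails pred (a false rejection), or None."""
    for length in range(max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=length):
            data = bytes(combo)
            if program(data) == "TARGET" and not pred(data):
                return data
    return None

def instrumented_run(pred, data: bytes) -> str:
    """Instrumented execution: abort early once the milestone predicate is known false.
    Here the predicate is checked on the input up front; in a real harness it would be
    evaluated on program state at the instrumentation point."""
    if not pred(data):
        return "REJECTED_EARLY"
    return program(data)

def fuzz_campaign(pred, inputs):
    """Run a batch of inputs; return (early rejections, target hits)."""
    results = [instrumented_run(pred, d) for d in inputs]
    return results.count("REJECTED_EARLY"), results.count("TARGET")
```

`relaxation_counterexample(milestone_bad)` returns a witness input that reaches TARGET yet fails the predicate, which is exactly the false rejection the relaxation check is meant to rule out, while `milestone_ok` yields none.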
Fri 17 Apr (displayed time zone: Brasilia, Distrito Federal, Brazil)

16:00 - 17:30 | AI for Software Engineering 29 (Journal-first Papers / Research Track) at Oceania IX
Chair(s): Tien N. Nguyen, University of Texas at Dallas

16:00 (15m talk) Learning Program Behavioral Models from Synthesized Input-Output Pairs. Journal-first Papers. Tural Mammadov (CISPA Helmholtz Center for Information Security), Dietrich Klakow (Saarland University), Alexander Koller (Saarland University), Andreas Zeller (CISPA Helmholtz Center for Information Security)
16:15 (15m talk) MeDeT: Medical Device Digital Twins Creation with Few-shot Meta-learning. Journal-first Papers. Hassan Sartaj (Simula Research Laboratory), Shaukat Ali (Simula Research Laboratory and Oslo Metropolitan University), Julie Marie Gjøby (Welfare Technologies Section, Oslo Kommune Helseetaten)
16:30 (15m talk) Change And Cover: Last-Mile, Pull Request-Based Regression Test Augmentation. Research Track. Zitong Zhou (UCLA), Matteo Paltenghi (University of Stuttgart), Miryung Kim (UCLA and Amazon Web Services), Michael Pradel (CISPA Helmholtz Center for Information Security)
16:45 (15m talk) HarnessLLM: Rust Verification Harness Generation with Large Language Models. Research Track.
17:00 (15m talk) Agentic Predicates Reasoning for Directed Fuzzing. Research Track. Jie Zhu (University of Chicago), Chihao Shen (University of Maryland), Ziyang Li (Johns Hopkins University), Jiahao Yu (Northwestern University), Yizheng Chen (University of Maryland), Kexin Pei (The University of Chicago)
17:15 (15m talk) Relax with Capybaras. Research Track.