Go to OpenReview Archive homepageLocus: Agentic Predicate Synthesis for Directed Fuzzing
Abstract: Directed fuzzing aims to find program inputs that lead to specified
target program states. It has broad applications, such as debugging
system crashes, confirming reported bugs, and generating exploits
for potential vulnerabilities. This task is inherently challenging
because target states are often deeply nested in the program, while
the search space manifested by numerous possible program inputs
is prohibitively large. Existing approaches rely on branch distances
or manually-specified constraints to guide the search; however,
the branches alone are often insufficient to precisely characterize
progress toward reaching the target states, while the manually
specified constraints are often tailored for specific bug types and
thus difficult to generalize to diverse target states and programs.
We present Locus, a novel framework to improve the efficiency
of directed fuzzing. Our key insight is to synthesize predicates to
capture fuzzing progress as semantically meaningful intermediate
states, serving as milestones towards reaching the target states.
When used to instrument the program under fuzzing, they can reject executions unlikely to reach the target states, while providing
additional coverage guidance. To automate this task and generalize to diverse programs, Locus features an agentic framework
with program analysis tools to synthesize and iteratively refine the
candidate predicates, while ensuring the predicates strictly relax
the target states to prevent false rejections via symbolic execution.
Our evaluation shows that Locus substantially improves the efficiency of eight state-of-the-art fuzzers in discovering real-world
vulnerabilities, achieving an average speedup of 41.6×. So far, Locus has found nine previously unpatched bugs, with three already
acknowledged with draft patches.
Loading