Locus: Agentic Predicate Synthesis for Directed Fuzzing

• URL: http://arxiv.org/abs/2508.21302v2
• Date: Wed, 03 Sep 2025 03:33:23 GMT
• Title: Locus: Agentic Predicate Synthesis for Directed Fuzzing
• Authors: Jie Zhu, Chihao Shen, Ziyang Li, Jiahao Yu, Yizheng Chen, Kexin Pei,
• Abstract summary: directed fuzzing aims to find program inputs that lead to specified target program states.<n>Existing approaches rely on branch distances or manually-specified constraints to guide the search.<n>We present Locus, a novel framework to improve the efficiency of directed fuzzing.
• Score: 20.533963203761115
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Directed fuzzing aims to find program inputs that lead to specified target program states. It has broad applications, such as debugging system crashes, confirming reported bugs, and generating exploits for potential vulnerabilities. This task is inherently challenging because target states are often deeply nested in the program, while the search space manifested by numerous possible program inputs is prohibitively large. Existing approaches rely on branch distances or manually-specified constraints to guide the search; however, the branches alone are often insufficient to precisely characterize progress toward reaching the target states, while the manually specified constraints are often tailored for specific bug types and thus difficult to generalize to diverse target states and programs. We present Locus, a novel framework to improve the efficiency of directed fuzzing. Our key insight is to synthesize predicates to capture fuzzing progress as semantically meaningful intermediate states, serving as milestones towards reaching the target states. When used to instrument the program under fuzzing, they can reject executions unlikely to reach the target states, while providing additional coverage guidance. To automate this task and generalize to diverse programs, Locus features an agentic framework with program analysis tools to synthesize and iteratively refine the candidate predicates, while ensuring the predicates strictly relax the target states to prevent false rejections via symbolic execution. Our evaluation shows that Locus substantially improves the efficiency of eight state-of-the-art fuzzers in discovering real-world vulnerabilities, achieving an average speedup of 41.6x. So far, Locus has found eight previously unpatched bugs, with one already acknowledged with a draft patch.

Related papers

• SkillJect: Automating Stealthy Skill-Based Prompt Injection for Coding Agents with Trace-Driven Closed-Loop Refinement [120.52289344734415]
  We propose an automated framework for stealthy prompt injection tailored to agent skills.<n>The framework forms a closed loop with three agents: an Attack Agent that synthesizes injection skills under explicit stealth constraints, a Code Agent that executes tasks using the injected skills and an Evaluate Agent that logs action traces.<n>Our method consistently achieves high attack success rates under realistic settings.
  arXiv  Detail & Related papers  (2026-02-15T16:09:48Z)
• VIRO: Robust and Efficient Neuro-Symbolic Reasoning with Verification for Referring Expression Comprehension [51.76841625486355]
  Referring Expression (REC) aims to localize the image region corresponding to a natural-language query.<n>Recent neuro-symbolic REC approaches leverage large language models (LLMs) and vision-language models (VLMs) to perform compositional reasoning.<n>We introduce VIRO, a neuro-symbolic framework that embeds lightweight operator-level verifiers within reasoning steps.
  arXiv  Detail & Related papers  (2026-01-19T07:21:19Z)
• On the Limits of Innate Planning in Large Language Models [13.604285158704466]
  Large language models (LLMs) achieve impressive results on many benchmarks, yet their capacity for planning and stateful reasoning remains unclear.<n>We study these abilities directly, without code execution or other tools, using the 8-puzzle: a classic task that requires state tracking and goal-directed planning.
  arXiv  Detail & Related papers  (2025-11-26T17:08:13Z)
• Beyond Imprecise Distance Metrics: LLM-Predicted Target Call Stacks for Directed Greybox Fuzzing [11.825548125173022]
  Directed greybox fuzzing (DGF) aims to efficiently trigger bugs at specific target locations.<n>Existing DGF approaches suffer from imprecise probability calculations.<n>We propose to replace static analysis-based distance metrics with precise call stack representations.
  arXiv  Detail & Related papers  (2025-10-27T08:17:03Z)
• Foundation Models for Logistics: Toward Certifiable, Conversational Planning Interfaces [59.80143393787701]
  Large language models (LLMs) can handle uncertainty and promise to accelerate replanning while lowering the barrier to entry.<n>We introduce a neurosymbolic framework that pairs the accessibility of natural-language dialogue with verifiable guarantees on goal interpretation.<n>A lightweight model, fine-tuned on just 100 uncertainty-filtered examples, surpasses the zero-shot performance of GPT-4.1 while cutting inference latency by nearly 50%.
  arXiv  Detail & Related papers  (2025-07-15T14:24:01Z)
• Specification-Guided Repair of Arithmetic Errors in Dafny Programs using LLMs [84.30534714651093]
  We present an innovative APR tool for Dafny, a verification-aware programming language.<n>We localize faults through a series of steps, which include using Hoare Logic to determine the state of each statement within the program.<n>We evaluate our approach using DafnyBench, a benchmark of real-world Dafny programs.
  arXiv  Detail & Related papers  (2025-07-04T15:36:12Z)
• ColorGo: Directed Concolic Execution [40.91007243855959]
  directed fuzzing is a critical technique in cybersecurity, targeting specific sections of a program.<n>Current directed fuzzing methods exhibit a trade-off between efficiency and effectiveness.<n>We present ColorGo, a new directed whitebox fuzzer that concretely executes the instrumented program with constraint-solving capability.
  arXiv  Detail & Related papers  (2025-05-27T12:46:11Z)
• Directed Greybox Fuzzing via Large Language Model [5.667013605202579]
  HGFuzzer is an automatic framework that transforms path constraint problems into targeted code generation tasks.<n>We evaluate HGFuzzer on 20 real-world vulnerabilities, successfully triggering 17, including 11 within the first minute.<n>HGFuzzer discovered 9 previously unknown vulnerabilities, all of which were assigned CVE IDs.
  arXiv  Detail & Related papers  (2025-05-06T11:04:07Z)
• Automatically Refining Assertions for Efficient Debugging of Quantum Programs [4.704614749567071]
  It is key to properly place assertions in quantum programs.<n>This usually requires a deep understanding of the program's underlying mathematical properties.<n>This work proposes methods for automatically refining assertions in quantum programs.
  arXiv  Detail & Related papers  (2024-12-18T19:00:03Z)
• FOX: Coverage-guided Fuzzing as Online Stochastic Control [13.3158115776899]
  Fuzzing is an effective technique for discovering software vulnerabilities by generating random test inputs executing them against the target program. This paper addresses the limitations of existing coverage-guided fuzzers, focusing on the scheduler and mutator components. We present FOX, a proof-of-concept implementation of our control-theoretic approach, and compare it to industry-standard fuzzers.
  arXiv  Detail & Related papers  (2024-06-06T21:21:05Z)
• Automated Static Warning Identification via Path-based Semantic Representation [37.70518599085676]
  This paper employs deep neural networks' powerful feature extraction and representation abilities to generate code semantics from control flow graph paths for warning identification. We fine-tune the pre-trained language model to encode the path sequences and capture the semantic representations for model building.
  arXiv  Detail & Related papers  (2023-06-27T15:46:45Z)
• BigIssue: A Realistic Bug Localization Benchmark [89.8240118116093]
  BigIssue is a benchmark for realistic bug localization. We provide a general benchmark with a diversity of real and synthetic Java bugs. We hope to advance the state of the art in bug localization, in turn improving APR performance and increasing its applicability to the modern development cycle.
  arXiv  Detail & Related papers  (2022-07-21T20:17:53Z)
• Searching for More Efficient Dynamic Programs [61.79535031840558]
  We describe a set of program transformations, a simple metric for assessing the efficiency of a transformed program, and a search procedure to improve this metric. We show that in practice, automated search can find substantial improvements to the initial program.
  arXiv  Detail & Related papers  (2021-09-14T20:52:55Z)
• Enforcing Consistency in Weakly Supervised Semantic Parsing [68.2211621631765]
  We explore the use of consistency between the output programs for related inputs to reduce the impact of spurious programs. We find that a more consistent formalism leads to improved model performance even without consistency-based training.
  arXiv  Detail & Related papers  (2021-07-13T03:48:04Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.