🤖 AI Summary
Directed greybox fuzzing struggles to effectively trigger target vulnerabilities due to incomplete indirect call analysis and the absence of semantic guidance regarding crash preconditions. This work proposes SeedSmith, the first LLM-agent-based directed seed synthesis framework that emulates the workflow of security analysts by iteratively parsing code from the target function, resolving indirect calls, inferring crash preconditions, and generating concrete input seeds satisfying semantic constraints. By integrating path exploration with deep semantic understanding, SeedSmith overcomes the limitations of conventional static analysis and seed generation techniques. Experimental results demonstrate that SeedSmith accelerates crash discovery by 11.51× and 14.66× on average over AFL++ and AFLGo, respectively, on the Magma benchmark, and successfully triggers 16 previously unreachable vulnerabilities across 10 projects in the ARVO benchmark.
📝 Abstract
Directed fuzzing steers fuzzers toward user-defined sink functions to identify vulnerabilities, but it frequently fails to trigger crashes even after long campaigns. We identify two challenges that prevent directed fuzzers from exposing crashes: incomplete static analysis of indirect calls, which leaves reachable paths invisible to distance-based guidance, and lack of semantic guidance for crash preconditions, which blind mutation cannot satisfy within practical time budgets. A natural intervention point is the initial seed corpus: seeds that encode the right control-flow path and satisfy key crash preconditions shift fuzzing from blind exploration to local refinement. Existing seed generation approaches address neither: grammar-based and format-driven methods produce structurally valid inputs with no sink awareness, while LLM-based methods either lack sink targeting or inherit static analysis limitations through one-shot prompting. We present SeedSmith, an agentic LLM pipeline that replicates a security analyst's workflow: starting from a sink, it iteratively explores the codebase, resolves indirect calls, identifies crash preconditions, and synthesizes concrete inputs that satisfy them. Because SeedSmith operates as a seed generation front-end, its seeds are fuzzer-agnostic and improve any downstream mutation-based fuzzer without modification. On Magma, fuzzers using SeedSmith seeds achieve geometric mean crash-time speedups of 11.51 times (AFL++) to 14.66 times (AFLGo) over default seeds. On ARVO, SeedSmith enables fuzzers to trigger 16 previously unreachable bugs spanning 10 projects with diverse input formats.