🤖 AI Summary
Directed fuzzing faces a trade-off between efficiency and precision: directed grey-box fuzzers such as AFLGo execute inputs quickly but steer exploration with coarse-grained distance guidance, so much of the execution budget goes to code that cannot reach the target; directed symbolic execution produces precise, target-reaching inputs but pays a large runtime cost for interpreting or observing the program. This paper brings compilation-based concolic execution into directed fuzzing: the program is instrumented at compile time and then executed concretely, with constraint solving applied to the inputs it generates, so the precision of symbolic execution is kept without an interpreter in the loop. Exploration is guided by incremental coloration, which combines static reachability analysis (which program points can reach the target at all) with dynamic feasibility analysis (which of those paths the program can actually take on concrete inputs). The resulting tool, ColorGo, scales to real-world programs and reaches target sites and reproduces target crashes up to 100x faster than AFLGo, which directly benefits crash reproduction, patch testing and vulnerability detection.
📝 Abstract
Directed fuzzing is a critical technique in cybersecurity, targeting specific sections of a program. This approach is essential in various security-related domains such as crash reproduction, patch testing, and vulnerability detection. Despite its importance, current directed fuzzing methods exhibit a trade-off between efficiency and effectiveness. For instance, directed grey-box fuzzing, while efficient in generating fuzzing inputs, lacks sufficient precision. This low precision wastes time executing code that cannot help reach the target site. Conversely, interpreter- or observer-based directed symbolic execution can produce high-quality inputs while incurring non-negligible runtime overhead. These limitations undermine the feasibility of directed fuzzers in real-world scenarios. To kill the two birds of efficiency and effectiveness with one stone, in this paper we bring compilation-based concolic execution into directed fuzzing and present ColorGo, achieving high scalability while preserving the high precision of symbolic execution. ColorGo is a new directed whitebox fuzzer that concretely executes the compile-time instrumented program and solves path constraints to generate new inputs. It guides the exploration by incremental coloration, including static reachability analysis and dynamic feasibility analysis. We evaluated ColorGo on diverse real-world programs and demonstrated that ColorGo outperforms AFLGo by up to 100x in reaching target sites and reproducing target crashes.
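The abstract names the two halves of incremental coloration but does not show how they interact. The following is an added, constructed illustration of that idea on a toy control-flow graph; it is not ColorGo's code, and the mechanism it models (static backward reachability to the target, concolic branch flipping toward colored nodes, and re-coloring once a flip is proven unsatisfiable) is my reading of the abstract, not a description of the paper's actual algorithm. The graph, the node names, the single-integer input and the brute-force `solve` standing in for an SMT solver are all assumptions made for the example.

```python
"""Toy directed concolic exploration guided by reachability coloring.

Constructed illustration of the idea sketched in the abstract (static
reachability coloring plus dynamic feasibility pruning); not ColorGo's code.
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Set, Tuple

Pred = Callable[[int], bool]

# Constructed control-flow graph over a single integer input x. A branch node
# maps to (predicate, true-successor, false-successor); other nodes map to
# their single successor. The edge b2 -> target is statically reachable but
# can never be taken: x < 5 contradicts the x > 10 needed to reach b2.
BRANCHES: Dict[str, Tuple[Pred, str, str]] = {
    "b1": (lambda x: x > 10, "b2", "n1"),
    "b2": (lambda x: x < 5, "target", "b3"),
    "b3": (lambda x: x % 7 == 3, "target", "n3"),
}
EDGES: Dict[str, List[str]] = {
    "entry": ["b1"], "n1": ["exit"], "n3": ["exit"], "target": ["exit"], "exit": [],
}
for _node, (_p, _t, _f) in BRANCHES.items():
    EDGES[_node] = [_t, _f]


def color(edges: Dict[str, List[str]], target: str,
          infeasible: Set[Tuple[str, str]]) -> Dict[str, int]:
    """Static coloring: distance (in edges) from each node to the target,
    ignoring edges already proven infeasible. Nodes that cannot reach the
    target are absent from the result (uncolored)."""
    reverse: Dict[str, List[str]] = {n: [] for n in edges}
    for src, dsts in edges.items():
        for dst in dsts:
            if (src, dst) not in infeasible:
                reverse[dst].append(src)
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for pred_node in reverse[node]:
            if pred_node not in dist:
                dist[pred_node] = dist[node] + 1
                queue.append(pred_node)
    return dist


def execute(x: int) -> List[str]:
    """Concrete execution from entry; returns the sequence of nodes visited."""
    node, trace = "entry", ["entry"]
    while EDGES[node]:
        if node in BRANCHES:
            pred, t, f = BRANCHES[node]
            node = t if pred(x) else f
        else:
            node = EDGES[node][0]
        trace.append(node)
    return trace


def solve(constraints: List[Pred]) -> Optional[int]:
    """Stand-in for an SMT solver: brute-force a small integer domain and
    return the first value satisfying every constraint, or None if unsat."""
    for cand in range(-64, 256):
        if all(c(cand) for c in constraints):
            return cand
    return None


def negate(pred: Pred) -> Pred:
    return lambda v: not pred(v)


def explore(seed: int, target: str = "target",
            max_runs: int = 50) -> Tuple[Optional[int], int]:
    """Run inputs concretely, flip branches toward colored nodes closer to the
    target, and prune edges whose flip is unsatisfiable. Returns (input that
    reached the target or None, number of concrete executions)."""
    infeasible: Set[Tuple[str, str]] = set()
    dist = color(EDGES, target, infeasible)
    queue, seen, runs = deque([seed]), {seed}, 0
    while queue and runs < max_runs:
        x = queue.popleft()
        trace = execute(x)
        runs += 1
        if target in trace:
            return x, runs
        path_cond: List[Pred] = []   # constraints of the branches taken so far
        for node in trace:
            if node not in BRANCHES:
                continue
            pred, t, f = BRANCHES[node]
            took_true = pred(x)
            taken, other = (t, f) if took_true else (f, t)
            # Flip only toward a colored successor that is strictly closer to
            # the target than the one taken (uncolored counts as unreachable).
            closer = other in dist and dist[other] < dist.get(taken, float("inf"))
            if closer and (node, other) not in infeasible:
                flipped = negate(pred) if took_true else pred
                new_x = solve(path_cond + [flipped])
                if new_x is None:
                    infeasible.add((node, other))            # dynamic feasibility result
                    dist = color(EDGES, target, infeasible)  # re-color without that edge
                elif new_x not in seen:
                    seen.add(new_x)
                    queue.append(new_x)
            path_cond.append(pred if took_true else negate(pred))
    return None, runs


if __name__ == "__main__":
    reached, runs = explore(seed=0)
    print(f"reached target with x={reached} after {runs} concrete executions")
```

Starting from the seed `0`, the first run leaves the colored region at `b1`, so the flip `x > 10` is solved; the second run tries the statically colored but dynamically infeasible edge `b2 -> target`, proves it unsatisfiable, drops it from the coloring, and then solves toward `b3 -> target`; the third run reaches the target. A coverage-guided fuzzer with no coloring would have no reason to prefer either branch at `b2`, and a purely static distance metric would keep pulling inputs toward the dead edge.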