Directed fuzzing faces challenges including deeply nested target states, vast search spaces, and poor generalizability of existing guidance mechanisms (e.g., branch distance or manually crafted constraints). This paper proposes a proxy-based predicate synthesis framework that automatically constructs semantically meaningful intermediate-state predicates—serving as verifiable milestones toward the target—via program analysis, symbolic execution, and dynamic feedback. An iterative optimization mechanism ensures predicates strictly relax the target condition without over-pruning inputs. The approach enables generic, cross-program and cross-target progress characterization. Evaluated on eight mainstream fuzzers, it achieves an average 41.6× speedup in reaching targets and successfully discovers eight previously unknown unpatched vulnerabilities, including one officially confirmed and under active patch development.

Directed fuzzing aims to find program inputs that lead to specified target program states. It has broad applications, such as debugging system crashes, confirming reported bugs, and generating exploits for potential vulnerabilities. This task is inherently challenging because target states are often deeply nested in the program, while the search space manifested by numerous possible program inputs is prohibitively large. Existing approaches rely on branch distances or manually-specified constraints to guide the search; however, the branches alone are often insufficient to precisely characterize progress toward reaching the target states, while the manually specified constraints are often tailored for specific bug types and thus difficult to generalize to diverse target states and programs. We present Locus, a novel framework to improve the efficiency of directed fuzzing. Our key insight is to synthesize predicates to capture fuzzing progress as semantically meaningful intermediate states, serving as milestones towards reaching the target states. When used to instrument the program under fuzzing, they can reject executions unlikely to reach the target states, while providing additional coverage guidance. To automate this task and generalize to diverse programs, Locus features an agentic framework with program analysis tools to synthesize and iteratively refine the candidate predicates, while ensuring the predicates strictly relax the target states to prevent false rejections via symbolic execution. Our evaluation shows that Locus substantially improves the efficiency of eight state-of-the-art fuzzers in discovering real-world vulnerabilities, achieving an average speedup of 41.6x. So far, Locus has found eight previously unpatched bugs, with one already acknowledged with a draft patch.