# Locus: Agentic Predicate Synthesis for Directed Fuzzing

**Authors:** Jie Zhu, Chihao Shen, Ziyang Li, Jiahao Yu, Yizheng Chen, Kexin Pei

arXiv: 2508.21302 · 2025-12-10

## TL;DR

Locus introduces an agentic predicate synthesis framework that enhances directed fuzzing efficiency by generating meaningful progress milestones, leading to significant speedups and discovery of new vulnerabilities.

## Contribution

Locus's novel predicate synthesis approach automates progress characterization, improving fuzzing efficiency across diverse programs and target states.

## Key findings

- Achieved an average speedup of 41.6x over state-of-the-art fuzzers.
- Discovered nine previously unpatched bugs, three of which are acknowledged.
- Enhanced fuzzing effectiveness across multiple real-world vulnerabilities.

## Abstract

Directed fuzzing aims to find program inputs that lead to specified target program states. It has broad applications, such as debugging system crashes, confirming reported bugs, and generating exploits for potential vulnerabilities. This task is inherently challenging because target states are often deeply nested in the program, while the search space manifested by numerous possible program inputs is prohibitively large. Existing approaches rely on branch distances or manually-specified constraints to guide the search; however, the branches alone are often insufficient to precisely characterize progress toward reaching the target states, while the manually specified constraints are often tailored for specific bug types and thus difficult to generalize to diverse target states and programs.   We present Locus, a novel framework to improve the efficiency of directed fuzzing. Our key insight is to synthesize predicates to capture fuzzing progress as semantically meaningful intermediate states, serving as milestones towards reaching the target states. When used to instrument the program under fuzzing, they can reject executions unlikely to reach the target states, while providing additional coverage guidance. To automate this task and generalize to diverse programs, Locus features an agentic framework with program analysis tools to synthesize and iteratively refine the candidate predicates, while ensuring the predicates strictly relax the target states to prevent false rejections via symbolic execution. Our evaluation shows that Locus substantially improves the efficiency of eight state-of-the-art fuzzers in discovering real-world vulnerabilities, achieving an average speedup of 41.6x. So far, Locus has found nine previously unpatched bugs, with three already acknowledged with draft patches.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.21302/full.md

## Figures

7 figures with captions in the complete paper: https://tomesphere.com/paper/2508.21302/full.md

## References

112 references — full list in the complete paper: https://tomesphere.com/paper/2508.21302/full.md

---
Source: https://tomesphere.com/paper/2508.21302