PBFuzz: Agentic Directed Fuzzing for PoV Generation

TL;DR

PBFuzz is an automated agentic fuzzing framework that efficiently generates proof-of-vulnerability inputs by mimicking expert reasoning, significantly outperforming existing methods in speed and vulnerability detection.

Contribution

This work introduces PBFuzz, a novel agentic directed fuzzing approach that automates expert-like reasoning for PoV generation, achieving faster and more effective vulnerability discovery.

Findings

Triggered 57 vulnerabilities, surpassing all baselines.

Uniquely triggered 17 vulnerabilities not exposed by existing fuzzers.

Achieved 25.6x efficiency improvement over conventional approaches.

Abstract

Proof-of-Vulnerability (PoV) input generation is a critical task in software security and supports downstream applications such as path generation and validation. Generating a PoV input requires solving two sets of constraints: (1) reachability constraints for reaching vulnerable code locations, and (2) triggering constraints for activating the target vulnerability. Existing approaches, including directed greybox fuzzing and LLM-assisted fuzzing, struggle to efficiently satisfy these constraints. This work presents an agentic method that mimics human experts. Human analysts iteratively study code to extract semantic reachability and triggering constraints, form hypotheses about PoV triggering strategies, encode them as test inputs, and refine their understanding using debugging feedback. We automate this process with an agentic directed fuzzing framework called PBFuzz. PBFuzz tackles four challenges in agentic PoV generation: autonomous code reasoning for semantic constraint extraction, custom program-analysis tools for targeted inference, persistent memory to avoid hypothesis drift, and property-based testing for efficient constraint solving while preserving input structure. Experiments on the Magma benchmark show strong results. PBFuzz triggered 57 vulnerabilities, surpassing all baselines, and uniquely triggered 17 vulnerabilities not exposed by existing fuzzers. PBFuzz achieved this within a 30-minute budget per target, while conventional approaches use 24 hours. Median time-to-exposure was 339 seconds for PBFuzz versus 8680 seconds for AFL++ with CmpLog, giving a 25.6x efficiency improvement with an API cost of 1.83 USD per vulnerability.