Execution-State-Aware LLM Reasoning for Automated Proof-of-Vulnerability Generation

TL;DR

This paper introduces DrillAgent, an execution-state-aware framework that enhances automated proof-of-vulnerability generation by integrating LLM reasoning with concrete execution feedback, significantly improving success rates.

Contribution

The paper presents a novel iterative hypothesis-verification-refinement approach that combines LLM semantic inference with execution state feedback for more accurate PoV generation.

Findings

DrillAgent outperforms existing LLM baselines by solving up to 52.8% more CVE tasks.

The framework effectively bridges static reasoning and dynamic execution for vulnerability proof generation.

Experimental results demonstrate the importance of execution-state-awareness in complex software security tasks.

Abstract

Proof-of-Vulnerability (PoV) generation is a critical task in software security, serving as a cornerstone for vulnerability validation, false positive reduction, and patch verification. While directed fuzzing effectively drives path exploration, satisfying complex semantic constraints remains a persistent bottleneck in automated exploit generation. Large Language Models (LLMs) offer a promising alternative with their semantic reasoning capabilities; however, existing LLM-based approaches lack sufficient grounding in concrete execution behavior, limiting their ability to generate precise PoVs. In this paper, we present DrillAgent, an agentic framework that reformulates PoV generation as an iterative hypothesis-verification-refinement process. To bridge the gap between static reasoning and dynamic execution, DrillAgent synergizes LLM-based semantic inference with feedback from concrete program states. The agent analyzes the target code to hypothesize inputs, observes execution behavior, and employs a novel mechanism to translate low-level execution traces into source-level constraints. This closed-loop design enables the agent to incrementally align its input generation with the precise requirements of the vulnerability. We evaluate DrillAgent on SEC-bench, a large-scale benchmark of real-world C/C++ vulnerabilities. Experimental results show that DrillAgent substantially outperforms state-of-the-art LLM agent baselines under fixed budget constraints, solving up to 52.8% more CVE tasks than the best-performing baseline. These results highlight the necessity of execution-state-aware reasoning for reliable PoV generation in complex software systems.