Program Analysis Guided LLM Agent for Proof-of-Concept Generation
Achintya Desai, Md Shafiuzzaman, Wenbo Guo, Tevfik Bultan

TL;DR
This paper introduces PAGENT, a hybrid program analysis approach that significantly enhances the success rate of automated vulnerability proof-of-concept generation using LLMs.
Contribution
It combines static analysis and dynamic profiling to guide LLMs, improving PoC generation success rates over previous methods.
Findings
PAGENT outperforms prior approaches by 132% in success rate.
Hybrid static and dynamic analysis guides LLMs effectively.
The approach is scalable and reduces manual effort in PoC generation.
Abstract
Software developers frequently receive vulnerability reports that require them to reproduce the vulnerability in a reliable manner by generating a proof-of-concept (PoC) input that triggers it. Given the source code for a software project and a specific code location for a potential vulnerability, automatically generating a PoC for the given vulnerability has been a challenging research problem. Symbolic execution and fuzzing techniques require expert guidance and manual steps and face scalability challenges for PoC generation. Although recent advances in LLMs have increased the level of automation and scalability, the success rate of PoC generation with LLMs remains quite low. In this paper, we present a novel approach called Program Analysis Guided proof of concept generation agENT (PAGENT) that is scalable and significantly improves the success rate of automated PoC generation…
