Table of Contents
Fetching ...

Attention Distance: A Novel Metric for Directed Fuzzing with Large Language Models

Wang Bin, Ao Yang, Kedan Li, Aofan Liu, Hui Li, Guibo Luo, Weixiang Huang, Yan Zhuang

TL;DR

Attention Distance introduces a semantic augmentation to directed grey-box fuzzing by using a lightweight, vulnerability-tuned LLM to assign token- and line-level attention scores that reflect code semantics. These scores are aggregated and used to compute an attention distance $db_{att}$ that replaces AFLGo's traditional $db_{phys}$, yielding a significant acceleration in vulnerability reproduction across 38 CVEs and outperforming state-of-the-art fuzzers DAFL and WindRanger. The approach is implemented as a drop-in replacement within AFLGo and extended to DAFL and WindRanger, with a CodeBERT/LineVul-based model trained on the Code Vulnerability dataset and integrated via LLVM-Pass modifications. Empirical results show reduced distance clustering, improved vulnerability localization at function/block/line granularity, and robust performance across multiple targets, though challenges such as spurious attention peaks are discussed. The work demonstrates a practical path to combining LLM-derived semantic guidance with traditional fuzzing pipelines, offering real-world benefits and a foundation for further enhancements in seed guidance and path prioritization.

Abstract

In the domain of software security testing, Directed Grey-Box Fuzzing (DGF) has garnered widespread attention for its efficient target localization and excellent detection performance. However, existing approaches measure only the physical distance between seed execution paths and target locations, overlooking logical relationships among code segments. This omission can yield redundant or misleading guidance in complex binaries, weakening DGF's real-world effectiveness. To address this, we introduce \textbf{attention distance}, a novel metric that leverages a large language model's contextual analysis to compute attention scores between code elements and reveal their intrinsic connections. Under the same AFLGo configuration -- without altering any fuzzing components other than the distance metric -- replacing physical distances with attention distances across 38 real vulnerability reproduction experiments delivers a \textbf{3.43$\times$} average increase in testing efficiency over the traditional method. Compared to state-of-the-art directed fuzzers DAFL and WindRanger, our approach achieves \textbf{2.89$\times$} and \textbf{7.13$\times$} improvements, respectively. To further validate the generalizability of attention distance, we integrate it into DAFL and WindRanger, where it also consistently enhances their original performance. All related code and datasets are publicly available at https://github.com/TheBinKing/Attention\_Distance.git.

Attention Distance: A Novel Metric for Directed Fuzzing with Large Language Models

TL;DR

Attention Distance introduces a semantic augmentation to directed grey-box fuzzing by using a lightweight, vulnerability-tuned LLM to assign token- and line-level attention scores that reflect code semantics. These scores are aggregated and used to compute an attention distance that replaces AFLGo's traditional , yielding a significant acceleration in vulnerability reproduction across 38 CVEs and outperforming state-of-the-art fuzzers DAFL and WindRanger. The approach is implemented as a drop-in replacement within AFLGo and extended to DAFL and WindRanger, with a CodeBERT/LineVul-based model trained on the Code Vulnerability dataset and integrated via LLVM-Pass modifications. Empirical results show reduced distance clustering, improved vulnerability localization at function/block/line granularity, and robust performance across multiple targets, though challenges such as spurious attention peaks are discussed. The work demonstrates a practical path to combining LLM-derived semantic guidance with traditional fuzzing pipelines, offering real-world benefits and a foundation for further enhancements in seed guidance and path prioritization.

Abstract

In the domain of software security testing, Directed Grey-Box Fuzzing (DGF) has garnered widespread attention for its efficient target localization and excellent detection performance. However, existing approaches measure only the physical distance between seed execution paths and target locations, overlooking logical relationships among code segments. This omission can yield redundant or misleading guidance in complex binaries, weakening DGF's real-world effectiveness. To address this, we introduce \textbf{attention distance}, a novel metric that leverages a large language model's contextual analysis to compute attention scores between code elements and reveal their intrinsic connections. Under the same AFLGo configuration -- without altering any fuzzing components other than the distance metric -- replacing physical distances with attention distances across 38 real vulnerability reproduction experiments delivers a \textbf{3.43} average increase in testing efficiency over the traditional method. Compared to state-of-the-art directed fuzzers DAFL and WindRanger, our approach achieves \textbf{2.89} and \textbf{7.13} improvements, respectively. To further validate the generalizability of attention distance, we integrate it into DAFL and WindRanger, where it also consistently enhances their original performance. All related code and datasets are publicly available at https://github.com/TheBinKing/Attention\_Distance.git.
Paper Structure (24 sections, 9 equations, 6 figures, 3 tables)

This paper contains 24 sections, 9 equations, 6 figures, 3 tables.

Figures (6)

  • Figure 1: Maze Effect of distance calculation. Knowing the target and distance still cannot guarantee that a shorter distance means a closer exploration path. The red square represents the target point, and the green and purple squares represent two starting points with different distances.
  • Figure 2: Pie charts depicting the distribution of distance values for bugs identified as CVE-2016-9827, binutils-2.29, and CVE-2017-11728. Each pie chart illustrates the proportion of the top three distances relative to the total distances observed for each bug.
  • Figure 3: Motivational Example. We analyzed the CVE-2016-4487 example code using both AFLGo’s physical distances and our attention distances to compute metrics for critical code segments.Each node label follows the format “BlockID:Distance”, where the first number denotes the basic block identifier (corresponding to a specific code line), and the second indicates its computed distance to the target. From these metrics, we built the call-graph views shown in Figures (a-2) and (b-2), then abstracted the code-location relationships in Figures (a-3) and (b-3). Within the same code hierarchy, the attention method assigns noticeably higher scores to the critical segments, yielding more significant distance optimization. This advantage is clearly visible in the distance-relationship graphs, where the target segments stand out relative to other code units at the same level.
  • Figure 4: Architecture of the attention distance method. (a) Core LLM workflow: the model is trained on annotated vulnerability samples and, at inference, assigns attention scores to code segments. (b) Program processing: source code is split into basic-block pairs, which the LLM scores to derive attention distances. (c) Fuzzing workflow: the fuzzing engine leverages attention distances to guide directed fuzz testing.
  • Figure 5: Basic‐block‐level distance distributions for physical distance and attention distance across different projects. In each subplot, the y-axis shows distance values via box plots with overlaid scatter points for the two metrics, while the bar chart on the right indicates the percentage frequency of each distance value. Only a portion of the binary is shown here; full results and supporting data are provided in the supplementary materials.
  • ...and 1 more figures