As software systems continue to grow in scale and complexity, fuzzing has become an indispensable automated technique for vulnerability discovery. Compared with coverage-guided fuzzing, directed greybox fuzzing (DGF) focuses execution toward specific basic blocks or functions, making it widely used in scenarios such as patch testing and vulnerability reproduction. Recent studies have combined fuzzing with symbolic execution (SE) to generate inputs that are difficult to obtain through mutation alone. However, applying SE to all branch conditions along an execution path may explore many paths unrelated to the target, leading to substantial overhead in directed fuzzing. Meanwhile, existing distance metrics still have limitations in guiding seeds toward targets: AFLGo relies on structural control-flow distances, which may not precisely reflect target reachability, while existing probability-based metrics often simplify complex control-flow structures such as loops and back-edges. To address these limitations, we propose TriFuzz, a probabilistic distance-guided hybrid directed fuzzing framework that integrates a loop-aware reachability distance model, target-related selective symbolic instrumentation, and a tightly coupled AFLGo–SymCC coordination mechanism. TriFuzz uses the probability-based distance model as the primary guidance signal and applies selective symbolic instrumentation to prune irrelevant basic blocks and concentrate exploration on target-relevant code regions. Our evaluation on the AFLGo testsuite and UniBench shows that TriFuzz improves both time-to-target and time-to-exposure on most evaluated benchmarks, demonstrating the effectiveness of combining fine-grained probabilistic distance guidance with selective symbolic reasoning and tightly integrated hybrid execution.
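As an added illustration of the abstract's point about structural versus probabilistic distance (a constructed example, not TriFuzz's actual distance model or code), the Python below compares an AFLGo-style shortest-path block distance with an exact reachability probability computed as absorbing-chain hitting probabilities on a small CFG containing a loop; block names and edge probabilities are assumed. Dropping the loop's back-edge, as a loop-simplifying metric would, shrinks the loop header's reachability from 1 to 1/20 although its structural distance does not change.

```python
from collections import deque
from fractions import Fraction

# Constructed CFG (assumed values, not from the paper): block -> [(successor, branch probability)].
# head/body is a loop with back-edge body -> head; near is one edge from target but rarely takes it.
CFG = {
    "entry": [("head", Fraction(1, 2)), ("near", Fraction(1, 2))],
    "head": [("body", Fraction(19, 20)), ("exit", Fraction(1, 20))],
    "body": [("head", Fraction(1))],
    "exit": [("target", Fraction(1))],
    "near": [("target", Fraction(1, 100)), ("err", Fraction(99, 100))],
    "target": [], "err": [],
}

def structural_distance(cfg, target):
    """Shortest forward path length (edges) to target, a simplified AFLGo-style block
    distance; blocks that cannot reach the target are absent from the result."""
    preds = {v: [u for u in cfg for s, _ in cfg[u] if s == v] for v in cfg}
    dist, queue = {target: 0}, deque([target])
    while queue:
        v = queue.popleft()
        for p in preds[v]:
            if p not in dist:
                dist[p] = dist[v] + 1
                queue.append(p)
    return dist

def reach_probability(cfg, target, ignore_edges=frozenset()):
    """Exact probability of eventually reaching target from each block, solving
    p[v] = sum(q * p[s]) with p[target] = 1 and p[dead end] = 0. Loops are handled
    by the linear system; list back-edges in ignore_edges to mimic a loop-blind metric."""
    nodes = list(cfg)
    idx, n = {v: i for i, v in enumerate(nodes)}, len(nodes)
    rows = []  # augmented matrix [A | b], one row per unknown p[v]
    for v in nodes:
        row = [Fraction(0)] * (n + 1)
        row[idx[v]] = Fraction(1)
        row[n] = Fraction(1 if v == target else 0)  # target is absorbing with p = 1
        for s, q in (cfg[v] if v != target else []):
            if (v, s) not in ignore_edges:
                row[idx[s]] -= q
        rows.append(row)
    for col in range(n):  # Gauss-Jordan elimination with exact rationals
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [x / rows[col][col] for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                rows[r] = [a - rows[r][col] * b for a, b in zip(rows[r], rows[col])]
    return {v: rows[idx[v]][n] for v in nodes}
```

Compare `structural_distance(CFG, "target")` with `reach_probability(CFG, "target")` and with `reach_probability(CFG, "target", {("body", "head")})`: `near` is structurally closest yet reaches the target 1% of the time, while `head` is farther yet reaches it with probability 1 only when the back-edge is kept.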
Li et al. studied this question.