🤖 AI Summary
Existing approaches to exposing exploitable vulnerabilities in third-party libraries rely heavily on proof-of-concept (PoC) exploits, which are often unavailable. To address this limitation, this work proposes LiveFuzz, a directed gray-box fuzzing technique that operates without PoCs. LiveFuzz extends directed fuzzing to cross-program scenarios (client program plus library) by introducing target tuples, and it adds an abstract path mapping mechanism to mitigate the bias toward short paths commonly observed in directed fuzzing. It further employs a risk-based adaptive mutation strategy to avoid excessive mutation and improve exploration efficiency. Evaluated on a new dataset of 61 library vulnerabilities exploited from client programs, LiveFuzz reaches more target paths than every baseline, exposes vulnerabilities faster on average, and is the only technique in the evaluation to trigger three of the vulnerabilities.
📝 Abstract
Developers use third-party libraries to improve productivity, but doing so also introduces potential security risks. Existing approaches generate tests for public functions to trigger library vulnerabilities from client programs, yet they depend on proofs of concept (PoCs), which are often unavailable. In this paper, we propose a new approach, LiveFuzz, based on directed greybox fuzzing (DGF), to detect the exploitability of library vulnerabilities from client programs without PoCs. LiveFuzz uses a target tuple to extend existing DGF techniques to cross-program scenarios. Based on the target tuple, LiveFuzz introduces a novel Abstract Path Mapping mechanism that projects execution paths, mitigating the preference for shorter paths. LiveFuzz also proposes a risk-based adaptive mutation to mitigate excessive mutation. To evaluate LiveFuzz, we construct a new dataset of 61 cases of library vulnerabilities exploited from client programs. Results show that LiveFuzz increases the number of target-reachable paths compared with all baselines and improves the average speed of vulnerability exposure. Three vulnerabilities are triggered exclusively by LiveFuzz.