Sagitta: Facilitating Post-Fuzzing Root Cause Analysis via Data Flow Differencing

Abstract

Fuzzing is an effective technique to discover software vulnerabilities by automatically generating large volumes of inputs that may trigger crashes. However, post-fuzzing root cause analysis (RCA) to identify the true problems of the crashes requires substantial manual efforts, leaving many crashes discovered through fuzzing unresolved. Previous studies based on statistical approaches assist human analysts by suggesting candidate root causes inferred from large volumes of fuzzing results, but they often fail to reveal the causal relationship between the root cause and the crash site, as the two are typically distant in the code and connected only indirectly. We propose Sagitta, an assistive tool to facilitate post-fuzzing RCA by highlighting highly probable root causes based on differences in data flow between crashing and non-crashing inputs. Sagitta uses dynamic taint analysis on a crashing input and its pre-mutation parent to identify diverging points in data flow as well as control flow, and visualizes the results as mph{localization graphs} enriched with lexical information to aid analyst comprehension. We evaluated Sagitta on 14 known vulnerabilities in large-scale software and found that it captures causal relationships with only 1 to 10 branches across five bug categories. The results demonstrate that visualizing data flow differences with Sagitta’s localization graphs significantly reduces manual effort in RCA.

Reference

Katsunori Aoki, Takahiro Shinagawa. Sagitta: Facilitating Post-Fuzzing Root Cause Analysis via Data Flow Differencing. In Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2025), Dec, 2025. .