{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T07:13:44Z","timestamp":1773040424274,"version":"3.50.1"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T00:00:00Z","timestamp":1773014400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T00:00:00Z","timestamp":1773014400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100007847","name":"Natural Science Foundation of Jilin Province","doi-asserted-by":"publisher","award":["62302508"],"award-info":[{"award-number":["62302508"]}],"id":[{"id":"10.13039\/100007847","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62372437"],"award-info":[{"award-number":["62372437"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62302506"],"award-info":[{"award-number":["62302506"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Key Research Program of Frontier Sciences, CAS","award":["ZDBS-LY-7006"],"award-info":[{"award-number":["ZDBS-LY-7006"]}]},{"DOI":"10.13039\/501100004739","name":"Youth Innovation Promotion Association of the Chinese Academy of Sciences","doi-asserted-by":"crossref","award":["Y2021041"],"award-info":[{"award-number":["Y2021041"]}],"id":[{"id":"10.13039\/501100004739","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62232016"],"award-info":[{"award-number":["62232016"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Research Project of Institute of Software Chinese Academy of Sciences","award":["ISCAS-JCZD-202301, ISCAS-ZD-202402"],"award-info":[{"award-number":["ISCAS-JCZD-202301, ISCAS-ZD-202402"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>\n                    Program options provide flexible software functionality control but complicate fuzz testing, as triggering many behaviors require specific option combinations. Although existing option-aware fuzzing approaches attempt to mutate options as inputs or leverage AI technologies to extract option relationships from documentation, these methods have limitations. Documentation is often incomplete, and some option dependencies are embedded deeply within program logic via data or control flows, making these methods challenging to detect all possible dependencies. This paper introduces\n                    <jats:sc>OSmartPro<\/jats:sc>\n                    , an advanced option-fuzzing approach that directly extracts options and infers option dependencies from source code. Given LLM\u2019s capabilities to interpret program semantics,\n                    <jats:sc>OSmartPro<\/jats:sc>\n                    employs LLM-assisted static analysis to handle diverse option-parsing structures and extract comprehensive options. Through control and data dependency analysis, it constructs\n                    <jats:italic>option impact graph<\/jats:italic>\n                    , which it uses to guide fuzzing strategies. The tool successfully extracted complete options from all 59 programs in our test set, uncovering undocumented options in over 66% of them. Additionally,\n                    <jats:sc>OSmartPro<\/jats:sc>\n                    inferred 14,701 option combinations, identified 45.03% more execution paths compared to AFL++, and uncovered 54 zero-day vulnerabilities, of which 18 awarded CVE IDs. Lastly, in a benchmark comparison against four option-aware fuzzers,\n                    <jats:sc>OSmartPro<\/jats:sc>\n                    achieved higher line coverage in 66.7% (20 out of 30) of the programs.\n                  <\/jats:p>","DOI":"10.1186\/s42400-026-00557-8","type":"journal-article","created":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T06:16:26Z","timestamp":1773036986000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["OSmartPro: a large language model-assisted option fuzzing approach"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-3617-3913","authenticated-orcid":false,"given":"Kelin","family":"Wang","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mengda","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Liang","family":"He","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yanhao","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Purui","family":"Su","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"JiongYi","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yan","family":"Cai","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bin","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chao","family":"Feng","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chaojing","family":"Tang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guojun","family":"Peng","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,3,9]]},"reference":[{"key":"557_CR1","unstructured":"AFL (2024) AFL-argvfuzz. https:\/\/github.com\/google\/AFL\/tree\/master\/experimental\/argv_fuzzing"},{"key":"557_CR2","unstructured":"AFLplusplus (2024a) AFLplusplus. https:\/\/github.com\/AFLplusplus\/AFLplusplus"},{"key":"557_CR3","unstructured":"AFLplusplus (2024b) AFLplusplus-argvfuzz. https:\/\/github.com\/AFLplusplus\/AFLplusplus\/tree\/stable\/utils\/argv_fuzzing"},{"key":"557_CR4","unstructured":"american fuzzy\u00a0lop (2.52b) (2024) American Fuzzy Lop. http:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"557_CR5","volume-title":"The Graph Traversal Pattern","author":"MA Rodriguez","year":"2011","unstructured":"Rodriguez MA, Neubauer P (2011) The Graph Traversal Pattern. Techniques and Applications, In Graph Data Management"},{"key":"557_CR6","doi-asserted-by":"crossref","unstructured":"Aschermann C, Schumilo S, Blazytko T, Gawlik R, Holz T (2019) REDQUEEN: Fuzzing with Input-to-State Correspondence. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/redqueen-fuzzing-with-input-to-state-correspondence\/","DOI":"10.14722\/ndss.2019.23371"},{"key":"557_CR7","doi-asserted-by":"crossref","unstructured":"Backes M, Rieck K, Skoruppa M, Stock B, Yamaguchi F (2017) Efficient and flexible discovery of php application vulnerabilities. In IEEE European Symposium on Security and Privacy","DOI":"10.1109\/EuroSP.2017.14"},{"issue":"2","key":"557_CR8","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1145\/2408776.2408795","volume":"56","author":"C Cadar","year":"2013","unstructured":"Cadar C, Sen K (2013) Symbolic execution for software testing: three decades later. Commun ACM 56(2):82\u201390. https:\/\/doi.org\/10.1145\/2408776.2408795","journal-title":"Commun ACM"},{"key":"557_CR9","doi-asserted-by":"publisher","unstructured":"Chen P, Chen H (2018) Angora: Efficient Fuzzing by Principled Search. In 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA. IEEE Computer Society, 711\u2013725. https:\/\/doi.org\/10.1109\/SP.2018.00046","DOI":"10.1109\/SP.2018.00046"},{"key":"557_CR10","doi-asserted-by":"publisher","unstructured":"Deng Y, Xia CS, Peng H, Yang C, Zhang L (2023) Large Language Models Are Zero-Shot Fuzzers: Fuzzing Deep-Learning Libraries via Large Language Models. In Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (Seattle, WA, USA) (ISSTA 2023). Association for Computing Machinery, New York, NY, USA, 423\u2013435. https:\/\/doi.org\/10.1145\/3597926.3598067","DOI":"10.1145\/3597926.3598067"},{"key":"557_CR11","doi-asserted-by":"publisher","unstructured":"Deng Y, Xia CS, Yang C, Zhang SD, Yang S, Zhang L (2024) Large Language Models are Edge-Case Generators: Crafting Unusual Programs for Fuzzing Deep Learning Libraries. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering (Lisbon, Portugal) (ICSE \u201924). Association for Computing Machinery, New York, NY, USA, Article 70, 13\u00a0pages. https:\/\/doi.org\/10.1145\/3597503.3623343","DOI":"10.1145\/3597503.3623343"},{"key":"557_CR12","unstructured":"LLVM Developers. (2024) The LLVM Compiler Infrastructure. https:\/\/www.llvm.org"},{"key":"557_CR13","unstructured":"Fabian Y, Nico G, Daniel A, Konrad R (2014) Modeling and Discovering Vulnerabilities with Code Property Graph.. In Proceedings IEEE Symposium on Security and Privacy"},{"issue":"3","key":"557_CR14","doi-asserted-by":"publisher","first-page":"319","DOI":"10.1145\/24039.24041","volume":"9","author":"J Ferrante","year":"1987","unstructured":"Ferrante J, Ottenstein KJ, Warren JD (1987) The Program Dependence Graph and Its Use in Optimization. ACM Trans Prog Lang Syst 9(3):319\u2013349. https:\/\/doi.org\/10.1145\/24039.24041","journal-title":"ACM Trans Prog Lang Syst"},{"key":"557_CR15","unstructured":"AI2 Allen\u00a0Institute for AI. (2024) AllenNLP. https:\/\/allenai.org\/allennlp"},{"key":"557_CR16","unstructured":"Joern (2023) JOERN-The Bug Hunter\u2019s Workbench. https:\/\/joern.io"},{"issue":"11","key":"557_CR17","doi-asserted-by":"publisher","first-page":"558","DOI":"10.1145\/368996.369025","volume":"5","author":"AB Kahn","year":"1962","unstructured":"Kahn AB (1962) Topological sorting of large networks. Commun ACM 5(11):558\u2013562. https:\/\/doi.org\/10.1145\/368996.369025","journal-title":"Commun ACM"},{"key":"557_CR18","doi-asserted-by":"crossref","unstructured":"Lee A, Ariq I, Kim Y, Kim M (2022) POWER: Program option-aware fuzzer for high bug detection ability. In 2022 IEEE Conference on Software Testing, Verification and Validation","DOI":"10.1109\/ICST53961.2022.00032"},{"key":"557_CR19","unstructured":"LemmInflect (2022) Lemminflect. https:\/\/github.com\/bjascob\/LemmInflect"},{"key":"557_CR20","unstructured":"Li S, Kang M, Hou J, Cao Y (2022) Mining node. js vulnerabilities via object dependence graph and query. In Proceedings of the USENIX Security Symposium"},{"key":"557_CR21","doi-asserted-by":"crossref","unstructured":"Lu K, Hu H (2019) Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis.. In Proceedings of the 26th ACM Conference on Computer and Communications Security","DOI":"10.1145\/3319535.3354244"},{"key":"557_CR22","unstructured":"Lyu C, Ji S, Zhang C, Li Y, Lee W-H, Song Y, Beyah R (2019) $$\\{$$MOPT$$\\}$$: Optimized mutation scheduling for fuzzers. In 28th USENIX Security Symposium (USENIX Security 19). 1949\u20131966"},{"key":"557_CR23","doi-asserted-by":"publisher","unstructured":"Lyu Y, Xie Y, Chen P, Chen H (2024) Prompt Fuzzing for Fuzz Driver Generation. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (Salt Lake City, UT, USA) (CCS \u201924). Association for Computing Machinery, New York, NY, USA, 3793\u20133807. https:\/\/doi.org\/10.1145\/3658644.3670396","DOI":"10.1145\/3658644.3670396"},{"key":"557_CR24","unstructured":"NLTK (2024) Natural Language Toolkit. https:\/\/www.nltk.org"},{"key":"557_CR25","doi-asserted-by":"publisher","unstructured":"OpenAI (2023) GPT-4 Technical Report. CoRR abs\/2303.08774 (2023). [arXiv]2303.08774 https:\/\/doi.org\/10.48550\/ARXIV.2303.08774","DOI":"10.48550\/ARXIV.2303.08774"},{"key":"557_CR26","unstructured":"phpjoern (2024) Parser utility to generate asts from php source code suitable to be processed by joern. https:\/\/github.com\/malteskoruppa\/phpjoern"},{"key":"557_CR27","doi-asserted-by":"crossref","unstructured":"Rawat S, Jain V, Kumar A, Cojocar L, Giuffrida C (2017) and Herbert Bos. VUzzer, Application-aware Evolutionary Fuzzing (In NDSS)","DOI":"10.14722\/ndss.2017.23404"},{"key":"557_CR28","unstructured":"Rebert A, Cha SK, Avgerinos T, Foote J, Warren D, Grieco G, Brumley D (2014) Optimizing seed selection for fuzzing. In 23rd USENIX Security Symposium. 861\u2013875"},{"key":"557_CR29","doi-asserted-by":"publisher","unstructured":"Schwartz EJ, Avgerinos T, Brumley D (2010) All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In 31st IEEE Symposium on Security and Privacy, SP 2010, 16-19 May 2010, Berleley\/Oakland, California, USA. IEEE Computer Society, 317\u2013331. https:\/\/doi.org\/10.1109\/SP.2010.26","DOI":"10.1109\/SP.2010.26"},{"key":"557_CR30","doi-asserted-by":"crossref","unstructured":"Song S, Song C, Jang Y, Lee B (2020) CrFuzz: Fuzzing Multi-purpose Programs through Input Validation. In Proceedings of the 2020 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","DOI":"10.1145\/3368089.3409769"},{"key":"557_CR31","doi-asserted-by":"publisher","unstructured":"Sui Y, Xue J (2016) SVF: interprocedural static value-flow analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction, CC 2016, Barcelona, Spain, March 12-18, 2016, Ayal Zaks and Manuel\u00a0V. Hermenegildo (Eds.). ACM, 265\u2013266. https:\/\/doi.org\/10.1145\/2892208.2892235","DOI":"10.1145\/2892208.2892235"},{"key":"557_CR32","unstructured":"syzkaller (2024) Syzkaller. https:\/\/github.com\/google\/syzkaller\/"},{"key":"557_CR33","doi-asserted-by":"publisher","unstructured":"Touvron H, Martin L, Stone K, Albert P, Almahairi A, et.al (2023) Llama 2: Open Foundation and Fine-Tuned Chat Models. CoRR abs\/2307.09288 (2023). [arXiv]2307.09288 https:\/\/doi.org\/10.48550\/ARXIV.2307.09288","DOI":"10.48550\/ARXIV.2307.09288"},{"key":"557_CR34","unstructured":"Wang D, Li Y, Zhang Z, Chen K (2023) CarpetFuzz: Automatic Program Option Constraint Extraction from Documentation for Fuzzing. In Proceedings of the USENIX Security Symposium"},{"key":"557_CR35","doi-asserted-by":"publisher","unstructured":"Wang D, Zhou G, Chen L, Li D, Miao Y (2024b) ProphetFuzz: Fully Automated Prediction and Fuzzing of High-Risk Option Combinations with Only Documentation via Large Language Model. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS 2024, Salt Lake City, UT, USA, October 14-18, 2024, Bo\u00a0Luo, Xiaojing Liao, Jun Xu, Engin Kirda, and David Lie (Eds.). ACM, 735\u2013749. https:\/\/doi.org\/10.1145\/3658644.3690231","DOI":"10.1145\/3658644.3690231"},{"key":"557_CR36","doi-asserted-by":"publisher","unstructured":"Wang K, Chen M, He L, Su P, Cai Y, Chen J, Zhang B, Feng C, Tang C (2024a). OSmart: Whitebox Program Option Fuzzing. In Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, CCS 2024, Salt Lake City, UT, USA, October 14-18, 2024, Bo\u00a0Luo, Xiaojing Liao, Jun Xu, Engin Kirda, and David Lie (Eds.). ACM, 705\u2013719. https:\/\/doi.org\/10.1145\/3658644.3690228","DOI":"10.1145\/3658644.3690228"},{"key":"557_CR37","doi-asserted-by":"crossref","unstructured":"Wang Y, Jia X, Liu Y, Zeng K, Bao T, Wu D, Su P (2020) Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization.. In NDSS","DOI":"10.14722\/ndss.2020.24422"},{"key":"557_CR38","unstructured":"Yang C, Zhao Z, Zhang L (2023) KernelGPT: Enhanced Kernel Fuzzing via Large Language Models. [arxiv]2401.00563\u00a0[cs.CR] https:\/\/arxiv.org\/abs\/2401.00563"},{"issue":"2","key":"557_CR39","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1145\/3580597","volume":"32","author":"Z Zenong","year":"2023","unstructured":"Zenong Z, George K, Eric W, Michael H, Shiyi W (2023) Fuzzing configurations of program options. ACM Trans Softw Eng Methodol 32(2):21. https:\/\/doi.org\/10.1145\/3580597","journal-title":"ACM Trans Softw Eng Methodol"},{"key":"557_CR40","doi-asserted-by":"crossref","unstructured":"Zhang Z, Klees G, Wang E, Hicks M, Wei S (2022) Registered Report: Fuzzing Configurations of Program Options. In International Fuzzing Workshop (FUZZING)","DOI":"10.14722\/fuzzing.2022.23008"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00557-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-026-00557-8","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00557-8.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,9]],"date-time":"2026-03-09T06:16:35Z","timestamp":1773036995000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-026-00557-8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,9]]},"references-count":40,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["557"],"URL":"https:\/\/doi.org\/10.1186\/s42400-026-00557-8","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,9]]},"assertion":[{"value":"11 December 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 March 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare that they have no competing interests","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"133"}}