Proof-of-Vulnerability (PoV) generation is a critical task in software security, serving as a cornerstone for vulnerability validation, false positive reduction, and patch verification. While directed fuzzing effectively drives path exploration, satisfying complex semantic constraints remains a persistent bottleneck in automated exploit generation. Large Language Models (LLMs) offer a promising alternative with their semantic reasoning capabilities; however, existing LLM-based approaches lack sufficient grounding in concrete execution behavior, limiting their ability to generate precise PoVs. In this paper, we present DrillAgent, an agentic framework that reformulates PoV generation as an iterative hypothesis-verification-refinement process. To bridge the gap between static reasoning and dynamic execution, DrillAgent synergizes LLM-based semantic inference with feedback from concrete program states. The agent analyzes the target code to hypothesize inputs, observes execution behavior, and employs a novel mechanism to translate low-level execution traces into source-level constraints. This closed-loop design enables the agent to incrementally align its input generation with the precise requirements of the vulnerability. We evaluate DrillAgent on SEC-bench, a large-scale benchmark of real-world C/C++ vulnerabilities. Experimental results show that DrillAgent substantially outperforms state-of-the-art LLM agent baselines under fixed budget constraints, solving up to 52.8% more CVE tasks than the best-performing baseline. These results highlight the necessity of execution-state-aware reasoning for reliable PoV generation in complex software systems.

翻译：漏洞证明生成是软件安全中的关键任务，作为漏洞验证、误报减少和补丁验证的基石。虽然定向模糊测试能有效驱动路径探索，但满足复杂的语义约束仍然是自动化漏洞利用生成中持续存在的瓶颈。大语言模型凭借其语义推理能力提供了一种有前景的替代方案；然而，现有基于大语言模型的方法缺乏对具体执行行为的充分基础，限制了其生成精确漏洞证明的能力。本文提出DrillAgent，一种智能体框架，将漏洞证明生成重新构建为迭代的假设-验证-优化过程。为弥合静态推理与动态执行之间的鸿沟，DrillAgent将基于大语言模型的语义推理与具体程序状态的反馈相协同。该智能体分析目标代码以假设输入，观察执行行为，并采用一种新颖机制将低级执行轨迹转换为源码级约束。这种闭环设计使智能体能够逐步将其输入生成与漏洞的精确要求对齐。我们在SEC-bench（一个大规模真实世界C/C++漏洞基准测试集）上评估DrillAgent。实验结果表明，在固定预算约束下，DrillAgent显著优于最先进的大语言模型智能体基线，比性能最佳的基线多解决高达52.8%的CVE任务。这些结果凸显了执行状态感知推理对于复杂软件系统中可靠漏洞证明生成的重要性。