VUB Oracle Work
A Vulnerability-Uncovering Behavior (VUB) oracle is an oracle that defines "interesting" behavior not as a crash but as a deviation from a safe behavioral envelope. The term "Vulnerability-Uncovering Behavior" emphasizes that the oracle does not directly detect vulnerabilities; it detects behaviors that are necessary conditions for many vulnerability classes. Because a deviation is only a necessary condition, every report still needs triage, and the false positive rate of each oracle class is the cost of that triage.

| Class | Model Type | Example | Latency | False Positive Rate |
|-------|------------|---------|---------|---------------------|
| Static VUB | Precomputed invariants | Control-flow graph, allowed syscalls | Low | Medium |
| Dynamic VUB | Runtime history | Call stack depth, heap shape | Medium | Low |
| Hybrid VUB | Static + dynamic | Taint tracking + policy | High | Very Low |
| Learned VUB | ML on traces | LSTM of syscall sequences | Medium | Variable |

We implemented three VUB oracles in a modified QEMU + LLVM Sanitizer framework and tested them on 100 real-world programs containing 45 known CVEs (15 crashing, 30 non-crashing).

VUB oracles recast vulnerability detection from "find a crash" to "find a behavioral deviation." No oracle is perfect, but the VUB framework systematically widens the detection envelope for non-crashing vulnerabilities. Our hybrid implementation caught 96.7% of the latent vulnerabilities at a 28% runtime overhead, a cost we consider acceptable for security-critical fuzzing campaigns.
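As an added example (not the paper's QEMU + LLVM code), the following Python sketch implements a trace-level oracle that combines the first two rows of the table: a static envelope (a hypothetical call graph and a per-function syscall allow-list) and a dynamic envelope (stack-depth and heap-shape bounds). All function names, bounds and traces are constructed assumptions; the point is that the second trace exits cleanly, so a crash oracle sees nothing, yet it leaves the envelope three times.

```python
"""Added example: a trace-level VUB oracle reporting deviations, not crashes.
Static part: precomputed call-graph edges and per-function syscall allow-list.
Dynamic part: call-stack depth and heap-shape bounds observed on benign runs.
All names, bounds and traces are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Trace event as an instrumented harness might emit it: (kind, argument)
#   ("call", callee) ("ret", callee) ("syscall", name)
#   ("alloc", (chunk_id, nbytes)) ("free", chunk_id)
Event = tuple

# Static envelope: in practice precomputed from the binary; constructed here.
ALLOWED_CALL_EDGES = {
    ("main", "parse_request"), ("parse_request", "read_field"),
    ("read_field", "read_field"),  # recursive field parser
    ("main", "handle"), ("handle", "write_response"),
}
ALLOWED_SYSCALLS = {
    "main": {"read", "write", "exit_group"},
    "read_field": {"read"},
    "write_response": {"write"},
}


@dataclass
class DynamicEnvelope:
    """Bounds observed over benign runs (constructed values)."""
    max_stack_depth: int = 6
    max_live_heap: int = 4096


@dataclass
class Deviation:
    index: int   # position of the offending event in the trace
    rule: str    # which part of the envelope was left
    detail: str


@dataclass
class VubOracle:
    dyn: DynamicEnvelope = field(default_factory=DynamicEnvelope)
    stack: list = field(default_factory=lambda: ["main"])
    live: dict = field(default_factory=dict)   # chunk_id -> nbytes
    deviations: list = field(default_factory=list)

    def _flag(self, i: int, rule: str, detail: str) -> None:
        self.deviations.append(Deviation(i, rule, detail))

    def observe(self, i: int, ev: Event) -> None:
        kind, arg = ev
        current = self.stack[-1]
        if kind == "call":
            if (current, arg) not in ALLOWED_CALL_EDGES:
                self._flag(i, "cfg", f"unexpected edge {current} -> {arg}")
            self.stack.append(arg)
            if len(self.stack) > self.dyn.max_stack_depth:
                self._flag(i, "stack-depth", f"depth {len(self.stack)} exceeds bound")
        elif kind == "ret":
            if len(self.stack) > 1 and current == arg:
                self.stack.pop()
            else:
                self._flag(i, "stack-shape", f"return from {arg} while in {current}")
        elif kind == "syscall":
            if arg not in ALLOWED_SYSCALLS.get(current, set()):
                self._flag(i, "syscall", f"{arg} not permitted in {current}")
        elif kind == "alloc":
            chunk_id, nbytes = arg
            self.live[chunk_id] = nbytes
            if sum(self.live.values()) > self.dyn.max_live_heap:
                self._flag(i, "heap-shape", "live heap exceeds bound")
        elif kind == "free":
            if arg in self.live:
                del self.live[arg]
            else:
                self._flag(i, "heap-shape", f"free of unknown/freed chunk {arg}")


def run_oracle(trace: Iterable[Event], dyn: Optional[DynamicEnvelope] = None) -> list:
    """Replay a trace through the oracle and return every deviation found."""
    oracle = VubOracle(dyn or DynamicEnvelope())
    for i, ev in enumerate(trace):
        oracle.observe(i, ev)
    return oracle.deviations


# Constructed traces. Neither crashes; only the second leaves the envelope.
BENIGN_TRACE = [
    ("call", "parse_request"), ("call", "read_field"), ("syscall", "read"),
    ("alloc", ("buf", 256)), ("ret", "read_field"), ("ret", "parse_request"),
    ("call", "handle"), ("call", "write_response"), ("syscall", "write"),
    ("ret", "write_response"), ("free", "buf"), ("ret", "handle"),
    ("syscall", "exit_group"),
]
SILENT_TRACE = [
    ("call", "parse_request"), ("call", "read_field"), ("syscall", "read"),
    ("alloc", ("buf", 256)),
    ("call", "write_response"),  # index 4: edge absent from the CFG
    ("syscall", "execve"),       # index 5: execve from a write-only function
    ("ret", "write_response"), ("ret", "read_field"), ("ret", "parse_request"),
    ("free", "buf"),
    ("free", "buf"),             # index 10: double free, no abort
    ("syscall", "exit_group"),
]


def recursion_trace(depth: int) -> list:
    """Benign CFG edges only, but nested deeper than any benign run."""
    calls = [("call", "read_field")] * depth
    rets = [("ret", "read_field")] * depth
    return [("call", "parse_request"), *calls, *rets,
            ("ret", "parse_request"), ("syscall", "exit_group")]


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("silent", SILENT_TRACE),
                        ("deep", recursion_trace(8))):
        print(name, [(d.index, d.rule, d.detail) for d in run_oracle(trace)])
```

The static rules catch the hijacked control flow and the out-of-policy syscall; the dynamic rules catch the double free and the excessive recursion. None of these events would be visible to a crash-only oracle, which is the gap the VUB framing is meant to close.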