following-dragons-code-review-guided

Installation
SKILL.md

This skill enables Claude to apply the EyeQ technique from "Following Dragons: Code Review-Guided Fuzzing" (Luu et al., 2026). EyeQ bridges the gap between developer intelligence expressed in code review discussions and automated fuzz testing. It extracts implicit security signals from review comments, classifies them against CWE-699 weakness categories, localizes the implicated code regions, and generates IJON annotations that steer AFL++ toward the program states developers flagged as fragile or security-critical. The technique found 40+ previously unknown bugs in the PHP interpreter, outperforming unguided fuzzing by 2.7x.

When to Use

  • When the user asks to analyze code review comments or PR discussions for security-relevant signals
  • When the user wants to generate fuzzer annotations (IJON macros) from developer concerns expressed in reviews
  • When the user has a codebase with AFL++ or libFuzzer and wants to prioritize fuzzing of developer-flagged risky regions
  • When the user asks to classify code review comments against CWE categories
  • When the user wants to map review-discussed concerns to specific functions and variables for targeted testing
  • When the user asks to instrument C/C++ code with IJON annotations for annotation-aware fuzzing
  • When the user is triaging a backlog of review comments to identify which warrant deeper security testing

Key Technique

Standard fuzzers maximize code coverage but are blind to which paths developers consider most dangerous. Code reviewers routinely express security-relevant reasoning -- concerns about buffer boundaries, integer overflow, input validation gaps, resource exhaustion -- but this intelligence is trapped in natural language comments that testing tools ignore. EyeQ systematically harvests this intelligence and converts it into machine-consumable fuzzing guidance.

The core insight is a four-stage pipeline: (1) Review Classification uses a two-phase LLM approach -- coarse filtering identifies candidate CWE-699 categories, then fine-grained classification selects the most specific matching CWE. (2) Code Localization maps security-relevant comments to concrete functions via candidate ranking followed by diff-based verification against actual code changes. (3) Code Instrumentation identifies the specific variables or expressions within those functions that expose the security-critical state and wraps them in IJON annotation macros (IJON_SET, IJON_MAX, IJON_MIN). (4) Fuzzing Execution runs AFL++ with the IJON bitmap, treating annotations as first-class feedback signals that reward semantically meaningful executions even when coverage does not increase.

The annotation macros are lightweight and non-invasive. IJON_SET(x) reports a numeric program state to the fuzzer. IJON_MAX(x) and IJON_MIN(x) reward monotonic progress toward extreme values. IJON_STATE() captures discrete execution phases. All annotations are guarded with #ifdef _USE_IJON so they compile away in production builds. This means the technique requires no changes to program semantics or developer workflows.

Installs
1
GitHub Stars
6
First Seen
Jun 21, 2026
following-dragons-code-review-guided — ndpvt-web/arxiv-claude-skills