Hybrid Fuzzing for Structured Inputs: Integrating Grammar-Aware and Mutation-Based Techniques
Abstract
Fuzz testing has emerged as a cornerstone technique in the discovery of software vulnerabilities, particularly in systems that process complex, structured inputs. However, traditional fuzzers often fall short when it comes to generating both valid and syntactically nuanced edge-case inputs—especially for programs that rely on strict input grammars. In this talk, I will present a hybrid approach to fuzzing that combines the strengths of grammar-based generation with the flexibility of mutation-based techniques.
Building on tools like Grammarinator, I introduce two complementary methods—Gmutator and G+M—which apply mutations to either the input grammar or the generated inputs themselves. These techniques are designed to uncover discrepancies between formal specifications and real-world parser behaviour, enabling the discovery of vulnerabilities that purely grammar-based methods would miss.
I will also introduce AFLRepair, a system that applies random byte-level mutations followed by syntax-aware repair, ensuring that mutated inputs remain structurally valid. This strategy increases input diversity while maintaining validity, allowing deeper exploration of execution paths and higher chances of uncovering hidden bugs. Preliminary experiments using these tools have led to the discovery of multiple bugs across different open-source interpreters, underscoring the practical effectiveness of hybrid fuzzing.
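The three moving parts described above (grammar-based generation, a Gmutator-style edit of the grammar itself, and AFLRepair-style blind byte mutation followed by syntax-aware repair) as one added Python example. This is not code from the talk or from Grammarinator, Gmutator, G+M or AFLRepair: it assumes a constructed toy arithmetic grammar, a hand-written acceptance parser (`is_valid`) standing in for the target program, and a simplified repair rule set of my own; the function names `generate`, `mutate_grammar`, `byte_mutate`, `repair` and `fuzz_round` are hypothetical. G+M's own input-level operators are not described in the abstract, so input mutation is shown only at the byte level.

```python
import random
import re

# Constructed toy grammar (assumption: stands in for the ANTLR grammars Grammarinator
# consumes; not a grammar from the talk). Keys are nonterminals, "NUM" is a digit run.
GRAMMAR = {
    "expr": [["term", "+", "expr"], ["term", "-", "expr"], ["term"]],
    "term": [["factor", "*", "term"], ["factor"]],
    "factor": [["NUM"], ["(", "expr", ")"]],
}

def generate(grammar, symbol="expr", rng=None, depth=0, max_depth=5):
    """Grammar-based generation: expand `symbol` by choosing random alternatives."""
    rng = rng if rng is not None else random.Random(0)
    if symbol == "NUM":
        return str(rng.randint(0, 99))
    if symbol not in grammar:                         # literal such as '+' or '('
        return symbol
    alts = grammar[symbol]
    # Past max_depth take the shortest alternative; every nonterminal keeps its
    # length-1 alternative even after one mutate_grammar edit, so this terminates.
    rule = min(alts, key=len) if depth >= max_depth else rng.choice(alts)
    return "".join(generate(grammar, s, rng, depth + 1, max_depth) for s in rule)

def mutate_grammar(grammar, rng):
    """Gmutator-style edit of the grammar itself (assumption: a simplified take):
    delete or swap one symbol in one production, so inputs deviate from the spec."""
    g = {k: [list(a) for a in alts] for k, alts in grammar.items()}
    alt = rng.choice([a for alts in g.values() for a in alts if len(a) > 1])
    i = rng.randrange(len(alt))
    if rng.random() < 0.5:
        del alt[i]
    else:
        j = (i + 1) % len(alt)
        alt[i], alt[j] = alt[j], alt[i]
    return g

def tokenize(text):
    """Digit runs, operators, parentheses; None if a byte is outside the alphabet."""
    toks = re.findall(r"[0-9]+|[-+*()]", text)
    return toks if "".join(toks) == text else None

def is_valid(text):
    """Recursive-descent acceptance check standing in for the target's real parser."""
    toks, pos = tokenize(text), 0
    if toks is None:
        return False
    def peek():
        return toks[pos] if pos < len(toks) else None
    def factor():                                     # NUM | '(' expr ')'
        nonlocal pos
        t, pos = peek(), pos + 1
        if t is not None and t[0].isdigit():
            return True
        if t != "(" or not expr() or peek() != ")":
            return False
        pos += 1
        return True
    def seq(sub, ops):                                # sub (op sub)*
        nonlocal pos
        ok = sub()
        while ok and peek() in ops:
            pos += 1
            ok = sub()
        return ok
    def expr():                                       # term (('+'|'-') term)*
        return seq(lambda: seq(factor, ("*",)), ("+", "-"))
    return expr() and pos == len(toks)

def byte_mutate(text, rng, edits=3):
    """AFL-style blind byte mutation: random bit flips and byte inserts, no grammar."""
    buf = bytearray(text.encode("latin-1"))
    for _ in range(edits):
        if rng.random() < 0.5 or not buf:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        else:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return buf.decode("latin-1")

def repair(text):
    """Syntax-aware repair in the spirit of AFLRepair (assumption: my own rule set):
    keep alphabet bytes, drop misplaced tokens, splice '*' between colliding
    operands, close open parentheses. The result is always accepted by is_valid."""
    out, depth, need_operand = [], 0, True
    for t in tokenize(re.sub(r"[^0-9+*()-]", "", text)):
        if t == "(" or t[0].isdigit():                # an operand
            if not need_operand:
                out.append("*")                       # e.g. "3(4)" -> "3*(4)"
            out.append(t)
            need_operand = t == "("
            depth += t == "("
        elif need_operand:
            continue                                  # operator or ')' with no operand
        elif t == ")" and depth > 0:
            out.append(t)
            depth -= 1
        elif t != ")":
            out.append(t)                             # binary operator after operand
            need_operand = True
    while out and out[-1] in ("+", "-", "*", "("):
        depth -= out.pop() == "("                     # dangling operator or empty '('
    return "".join(out + [")"] * depth) or "0"

def fuzz_round(seed):
    """One hybrid iteration: valid seed, spec-deviating input, blind mutant, repaired mutant."""
    rng = random.Random(seed)
    valid = generate(GRAMMAR, rng=rng)
    deviating = generate(mutate_grammar(GRAMMAR, rng), rng=rng)
    raw = byte_mutate(valid, rng)
    return {"valid": valid, "grammar_mutated": deviating, "raw": raw, "repaired": repair(raw)}
```

Running `fuzz_round(seed)` for a few seeds and feeding each field to `is_valid` shows the division of labour: the grammar-generated seed and the repaired mutant always parse, the raw byte mutant usually does not (so a real target would reject it at the tokenizer before any deeper code runs), and the input from the mutated grammar is the one that probes how the target treats inputs just outside its specification. In a real setup `is_valid` would be the target program itself, and a divergence between what the grammar says and what the target accepts is the signal the abstract describes.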
Talk @ King’s College London (KCL).