This article explores the limitations of mutational coverage-guided grammar fuzzing, a technique often used for complex targets like JIT engines and language parsers. The author highlights two primary issues. The first is the disconnect between code coverage and actual bug triggering: complex vulnerabilities require specific data flows that standard coverage metrics do not capture. The second is the lack of sample diversity in corpora, caused by the greedy nature of mutational algorithms, which keep only inputs that add new coverage and then keep mutating those.
To address these flaws, the author proposes a hybrid strategy that combines generative and mutational fuzzing by periodically restarting fuzzing workers with empty corpora while maintaining a central synchronization server. This method ensures that workers generate fresh, diverse samples while still benefiting from the global coverage discovered by previous runs. Experimental results on libxslt demonstrate that this approach finds unique crashes more quickly and effectively than standard uninterrupted sessions.
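The restart-with-sync scheme described above, as an added simulation that is not code from the article or its experiments. The grammar, the `coverage` stand-in for parser instrumentation, and the `SyncServer`/`Worker` names are all constructed here: a worker with an empty corpus generates from the grammar, a worker with a corpus mutates, only globally new coverage earns a corpus slot, and a restart empties the local corpus while the server's coverage survives.

```python
import random

def generate(rng, depth=0):
    """Generative fuzzing: derive a fresh sample from a toy expression grammar."""
    if depth > 3 or rng.random() < 0.3:
        return str(rng.randint(0, 9))
    if rng.random() < 0.2:
        return "(" + generate(rng, depth + 1) + ")"
    return generate(rng, depth + 1) + rng.choice("+-*/") + generate(rng, depth + 1)

def mutate(sample, rng):
    """Mutational fuzzing: splice a small grammar fragment into an existing sample."""
    i = rng.randrange(len(sample) + 1)
    return sample[:i] + generate(rng, depth=2) + sample[i:]

def coverage(sample):
    """Constructed stand-in for target coverage: operators seen, nesting, size bucket."""
    depth = max_depth = 0
    for c in sample:
        depth += (c == "(") - (c == ")")
        max_depth = max(max_depth, depth)
    ops = {("op", c) for c in sample if c in "+-*/"}
    return ops | {("depth", max_depth), ("len", min(len(sample) // 8, 4))}

class SyncServer:
    """Central synchronization point: global coverage outlives any worker restart."""
    def __init__(self):
        self.cov = set()
    def report(self, cov):
        new = cov - self.cov
        self.cov |= cov
        return bool(new)          # True only if this sample reached something globally new

class Worker:
    def __init__(self, server, seed):
        self.server, self.rng, self.corpus = server, random.Random(seed), []
    def restart(self):
        self.corpus = []          # empty corpus: next steps generate, not mutate
    def step(self):
        src = self.rng.choice(self.corpus) if self.corpus else None
        sample = mutate(src, self.rng) if src is not None else generate(self.rng)
        if self.server.report(coverage(sample)):
            self.corpus.append(sample)   # greedy: keep only coverage-increasing inputs
        return sample

def run(steps, restart_every, n_workers=2, seed=1):
    """Run workers; restart_every=0 is an uninterrupted session for comparison."""
    server = SyncServer()
    workers = [Worker(server, seed + i) for i in range(n_workers)]
    samples = set()
    for t in range(1, steps + 1):
        if restart_every and t % restart_every == 0:
            for w in workers:
                w.restart()
        samples.update(w.step() for w in workers)
    return server.cov, samples
```

Comparing `run(500, 0)` against `run(500, 50)` shows how many distinct samples each schedule produced for the same global coverage store.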