Advanced Grammar-Based Fuzzing

2022 Ivannikov Memorial Workshop (IVMEM), 2022

Abstract
This article presents a novel method for efficient fuzzing of programs that accept complex structured data. It generates input data from a formal grammar description. The data generator is periodically auto-configured based on the target program's code coverage: the kind of generated programs is changed dynamically to increase code coverage. The data generator uses descriptions of BNF (Backus-Naur Form) rules for the ANTLR (ANother Tool for Language Recognition) platform; more than 250 languages and data formats are supported. Every grammar rule is represented as a universal pushdown automaton, so BNF-compatible data can be generated automatically by traversing the automata. We added weights to each automaton transition to give priority to highly efficient paths (sequences of transitions). These weights are changed automatically by the fuzzing engine, which adapts the data generator to the coverage of the target programs. According to experimental results, we were able to increase code coverage significantly for several widely used programs, including compilers.
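As an added illustration (not the paper's code and not its ANTLR-based generator), the following constructed Python toy shows the mechanism the abstract describes: each BNF rule becomes a small automaton whose alternatives carry weights, inputs are produced by a weighted traversal, and the weights on the transitions just traversed are raised whenever a coverage stand-in reports new branches. The grammar, the `target_coverage` function and the reward factor are assumptions made for the example.

```python
import random

# Constructed toy BNF grammar for an expression language (illustration only;
# the paper's ANTLR grammar descriptions are not reproduced here).
GRAMMAR = {
    "expr": [["term"], ["term", "+", "expr"], ["(", "expr", ")"]],
    "term": [["NUM"], ["NUM", "*", "term"]],
    "NUM":  [["0"], ["1"], ["42"]],
}

class WeightedGenerator:
    """Each rule is a small automaton; one weight per alternative (transition)."""
    def __init__(self, grammar, seed=0):
        self.grammar, self.rng = grammar, random.Random(seed)
        self.weights = {nt: [1.0] * len(alts) for nt, alts in grammar.items()}

    def generate(self, symbol="expr", depth=0, max_depth=6):
        """Traverse the automata; returns (text, list of (rule, alternative) taken)."""
        if symbol not in self.grammar:          # terminal symbol
            return symbol, []
        alts, w = self.grammar[symbol], self.weights[symbol]
        if depth >= max_depth:                  # bound recursion: shortest alternative
            idx = min(range(len(alts)), key=lambda i: len(alts[i]))
        else:
            idx = self.rng.choices(range(len(alts)), weights=w)[0]
        text, used = "", [(symbol, idx)]
        for s in alts[idx]:
            t, sub = self.generate(s, depth + 1, max_depth)
            text, used = text + t, used + sub
        return text, used

    def reward(self, used, factor=2.0):
        """Raise the weight of every transition on a path that found new coverage."""
        for nt, idx in used:
            self.weights[nt][idx] *= factor

def target_coverage(inp):
    """Constructed stand-in for the target's code coverage: a set of branch ids."""
    hit = set()
    if "+" in inp: hit.add("add")
    if "*" in inp: hit.add("mul")
    if "(" in inp: hit.add("paren")
    if inp.count("(") >= 2: hit.add("nested")
    if "42" in inp: hit.add("big")
    return hit

def fuzz(gen, rounds=200):
    """Coverage-guided loop: reweight the generator whenever coverage grows."""
    seen = set()
    for _ in range(rounds):
        inp, used = gen.generate()
        cov = target_coverage(inp)
        if not cov <= seen:                     # new branch reached: reinforce this path
            seen |= cov
            gen.reward(used)
    return seen
```

Inputs that reach new branches make their grammar paths more likely in later rounds, which is the adaptation the abstract attributes to the fuzzing engine.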
Keywords
fuzzing, BNF, program generation