Fuzzers aware of the input grammar can explore deeper program
states using grammar-aware mutations. Existing grammar-aware
fuzzers are ineffective at synthesizing complex bug triggers due to:
(i) grammars introducing a sampling bias during input generation
due to their structure, and (ii) the current mutation operators for
parse trees performing localized small-scale changes.
Gramatron uses grammar automatons in conjunction with aggressive
mutation operators to synthesize complex bug triggers
faster. We build grammar automatons to address the sampling bias.
It restructures the grammar to allow for unbiased sampling from the
input state space. We redesign grammar-aware mutation operators
to be more aggressive, i.e., perform large-scale changes.
Gramatron can consistently generate complex bug triggers in
an efficient manner as compared to using conventional grammars
with parse trees. Inputs generated from scratch by Gramatron have
higher diversity as they achieve up to 24.2% more coverage relative
to existing fuzzers. Gramatron makes input generation 98% faster
and the input representations are 24% smaller. Our redesigned
mutation operators are 6.4× more aggressive while still being 68% faster
at performing these mutations. We evaluate Gramatron across three
interpreters with 10 known bugs consisting of three complex bug
triggers and seven simple bug triggers against two Nautilus variants.
Gramatron finds all the complex bug triggers reliably and faster. For
the simple bug triggers, Gramatron outperforms Nautilus four out
of seven times. To demonstrate Gramatron’s effectiveness in the
wild, we deployed Gramatron on three popular interpreters for a
10-day fuzzing campaign where it discovered 10 new vulnerabilities.