Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample ge...

Project Zero is Google's security research team dedicated to finding and fixing zero-day vulnerabilities in software and hardware, aiming to improve the security of the broader internet ecosystem. Security researchers can learn about vulnerability research, exploit development, and responsible disclosure practices to contribute to making the internet safer for everyone.

Project Zero

Mutational grammar fuzzing is effective but has two key flaws: coverage metrics don't reliably correlate with bug discovery (especially when bugs require chaining multiple function calls), and mutational fuzzing tends to produce low-diversity corpora due to its greedy nature. A practical mitigation is periodically restarting fuzzing workers with empty corpora while keeping a central server, so each worker independently builds fresh samples before syncing with the server's accumulated coverage. Experiments on libxslt showed this periodic-restart approach found more unique crashes faster than a single long-running session, with the optimal restart interval being target-dependent.

On the Effectiveness of Mutational Grammar Fuzzing

Issue #1: More coverage does not mean more bugs

Issue #2: Mutational grammar fuzzing tends to produce samples that are very similar