Title :
BlendFuzz: A Model-Based Framework for Fuzz Testing Programs with Grammatical Inputs
Author :
Yang, Dingning ; Zhang, Yuqing ; Liu, Qixu
Author_Institution :
Intrusion Protection Center, GUCAS, Beijing, China
Abstract :
Fuzz testing has been widely used in practice to detect software vulnerabilities. Traditional fuzzing tools typically use blocks to model program input. Despite the demonstrated success of this approach, its effectiveness is inherently limited when applied to testing programs that process grammatical inputs, where the input data are mainly human-readable text with complex structures specified by a formal grammar. In this paper we present BlendFuzz, a grammar-aware fuzz testing framework. It works by breaking a set of existing test cases into units of grammar components, then using these units as variants to restructure existing test data, resulting in a wider range of test cases that have the potential to explore previously uncovered corner cases when used in testing. We've implemented this framework along with two language fuzzers on top of it. Experiments with these fuzzers have shown improved code coverage, and field testing has revealed over two dozen previously unreported bugs in real-world applications, seven of them medium- or high-risk zero-day vulnerabilities.
Keywords :
formal languages; grammars; program compilers; program debugging; program testing; BlendFuzz; code coverage; complex structures; field testing; formal grammar; fuzz testing programs; fuzzing tools; grammar components; grammar-aware; grammatical inputs; high risk zero-day vulnerabilities; human-readable text; language fuzzers; model program; model-based framework; program testing; real-world applications; software vulnerabilities; unreported bugs; Data models; Generators; Grammar; Indexes; Security; Syntactics; Testing; fuzz testing; grammar-based testing; security vulnerability;
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4673-2172-3
DOI :
10.1109/TrustCom.2012.99