
Mutational Grammar Fuzzing Technique Enhances Vulnerability Detection
Mutational grammar fuzzing is a coverage-guided fuzzing technique that preserves sample structure by constraining mutations to predefined grammar rules; it has successfully identified complex vulnerabilities in XSLT implementations and bugs in JIT engines.

Two key flaws were identified. First, coverage feedback fails to correlate with bug discovery, particularly in language fuzzing, where chained function calls (e.g., document() and generate-id() in libxslt) are required. Second, mutational fuzzing produces highly similar samples because corpus updates are greedy.

The proposed solution periodically restarts fuzzing workers with independent corpora while syncing them with a central server, which improves sample diversity and crash discovery rates. Experiments on libxslt (commit 2ee18b3517ca7144949858e40caf0bbf9ab274e5) showed that this method uncovered more unique crashes faster than uninterrupted sessions, with the best results at a 3600-second (1-hour) sync interval. The approach was implemented in the Jackalope fuzzer using delayed worker synchronization and the -skip_initial_server_sync flag. No specific CVEs or exact dates beyond the 2026 publication year were mentioned.
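As an added illustration of the structure-preserving mutation step described above (example code written for this page, not Jackalope's grammar engine or its grammar file format), the snippet below keeps samples as derivation trees of a constructed toy XPath-flavoured grammar and mutates them by re-expanding one nonterminal with a fresh derivation of the same symbol, so every mutant remains a valid sentence of the grammar. The grammar, the function names and the depth limits are assumptions made for the example.

```python
import random
# Constructed toy grammar (XPath-flavoured); not libxslt's grammar or Jackalope's format.
# Convention: each nonterminal's FIRST production is its shortest route to terminals, so
GRAMMAR = {  # generate() can fall back to it at the depth limit and always terminate.
    "<expr>": [["<num>"], ["<call>"], ["<path>"], ["<expr>", " + ", "<expr>"]],
    "<call>": [["document(", "<expr>", ")"], ["generate-id(", "<expr>", ")"]],
    "<path>": [["/", "<name>"], ["@", "<name>"], ["<path>", "/", "<name>"]],
    "<name>": [["a"], ["b"], ["node"]],
    "<num>": [["0"], ["1"], ["42"]],
}

def generate(sym, rng, depth=0, max_depth=5):
    """Expand sym into a derivation tree [sym, children]; terminals are bare strings."""
    if sym not in GRAMMAR:
        return sym
    prods = GRAMMAR[sym]
    prod = prods[0] if depth >= max_depth else rng.choice(prods)
    return [sym, [generate(s, rng, depth + 1, max_depth) for s in prod]]

def serialize(tree):
    """Flatten a derivation tree back into the sample text that would be fed to the target."""
    return tree if isinstance(tree, str) else "".join(serialize(c) for c in tree[1])

def nonterminals(tree):
    """Return every nonterminal node of the tree (the node objects themselves, for in-place edits)."""
    if isinstance(tree, str):
        return []
    return [tree] + [n for c in tree[1] for n in nonterminals(c)]

def mutate(tree, rng, max_depth=3):
    """Grammar-aware mutation: re-expand one random nonterminal node in place with a fresh
    derivation of the SAME symbol, so the sample keeps a structure the grammar allows."""
    node = rng.choice(nonterminals(tree))
    node[1] = generate(node[0], rng, max_depth=max_depth)[1]
    return tree

def is_valid_derivation(tree):
    """True if every nonterminal node expands via one of GRAMMAR's productions."""
    if isinstance(tree, str):
        return True
    sym, children = tree
    shape = [c if isinstance(c, str) else c[0] for c in children]
    return sym in GRAMMAR and shape in GRAMMAR[sym] and all(map(is_valid_derivation, children))

if __name__ == "__main__":  # demo: one seed sample, then three structure-preserving mutations
    rng = random.Random(7)
    tree = generate("<expr>", rng)
    print("seed:  ", serialize(tree))
    for _ in range(3):
        print("mutant:", serialize(mutate(tree, rng)), is_valid_derivation(tree))
```

Contrast this with byte-level mutation of the serialized text, which would usually break the nesting of calls such as document() and leave the target's parser rejecting the sample before any interesting code runs.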