Mutational grammar fuzzing

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://projectzero.google/2026/03/mutational-grammar-fuzzing.html
• Blog Title: Mutational grammar fuzzing
• Suggested Section: 🤩 Generic Methodologies & Resources -> (add) Fuzzing / Coverage-guided fuzzing -> Grammar-based fuzzing (Jackalope) / Corpus management & diversity tricks

🎯 Content Summary

This post explains mutational grammar fuzzing (coverage-guided + structure-aware fuzzing), highlights two limitations that reduce bug-finding effectiveness (especially in language fuzzing targets like XSLT / JS engines), and presents a simple, reproducible workflow to improve corpus diversity and unique crash discovery rate using Google Project Zero’s Jackalope fuzzer.

Background: what mutational...

🔧 Technical Details

1. Coverage can’t represent semantic/dataflow progress in language targets: When a bug requires chaining operations (e.g., nested function calls where the output of one is the input to the next), intermediate “closer-to-bug” mutations may not increase code coverage and therefore won’t be retained in the corpus. This makes 3+ step dependency chains hard to reach with coverage-guided mutation alone; the fuzzer must be able to combine corpus fragments, but those combinations might still be dropped if they don’t add coverage.
   
   2) Greedy mutation causes low corpus diversity: Saving every coverage-increasing mutant tends to preserve large unchanged substrings, producing many near-duplicate samples over time. Minimization can help, but over-minimization may remove useful context; a compromise is token-threshold minimization (minimize until a minimum number of grammar tokens remains).
   
   3) Single-machine “multi-worker” diversity trick (delayed sync + restarts)</...

🤖 Agent Actions

Summary: Added a new fuzzing methodology page capturing mutational grammar fuzzing limitations, corpus diversity issues, and the Jackalope worker-restart strategy, and linked it in the main SUMMARY.

Files changed:

• src/generic-methodologies-and-resources/fuzzing.md
• src/SUMMARY.md

Tests: Not run.

If you want, I can also add a short cross-link from src/generic-methodologies-and-resources/pentesting-methodology.md to the new fuzzing page.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://projectzero.google/2026/03/mutational-grammar-fuzzing.html

Content Categories: Based on the analysis, this content was categorized under "🤩 Generic Methodologies & Resources -> (add) Fuzzing / Coverage-guided fuzzing -> Grammar-based fuzzing (Jackalope) / Corpus management & diversity tricks".

Repository Maintenance:

• MD Files Formatting: 955 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0