A Formal Control Plane for Fuzzing Campaigns: Leveraging Attribute Grammars for Dynamic Policy Selection
Pierciro Caliandro, Matteo Ciccaglione, and Alessandro Pellegrini
Published in: Proceedings of the 2026 Italian Conference on Cybersecurity
Abstract:
Fuzzing is an effective technique for software security testing, although the orchestration of fuzzing campaigns still largely relies on rigid, imperative control logic. Traditionally, this orchestration has been based on decision-making processes (such as when to mutate inputs, migrate seeds, or change scheduling policies) that are embedded directly into the execution engine. These monolithic architectures are difficult to adapt, extend, or formally verify. In this paper, we introduce a framework that decouples the control logic from the fuzzing mechanism by elevating the orchestration problem to a linguistic domain. We propose a formal control plane powered by Attribute Grammars, where the operational state of the fuzzing infrastructure is treated as a sentence in a formal language, and control policies are derived as semantic translations of this state. From this formal declarative specification, we automatically generate the source code of the fuzzer controller. This allows researchers to define complex, adaptive strategies, including backtracking-based recovery and epsilon-greedy exploration, in a more rigorous and maintainable way. We exercise our methodology by showcasing how to effectively orchestrate a distributed fuzzing campaign using a relatively simple grammar.
BibTeX Entry:
author = {Caliandro, Pierciro and Ciccaglione, Matteo and Pellegrini, Alessandro},
title = {A Formal Control Plane for Fuzzing Campaigns: Leveraging Attribute Grammars for Dynamic Policy Selection},
booktitle = {Proceedings of the 2026 Italian Conference on Cybersecurity},
year = {2026},
month = feb,
publisher = {CEUR-WS.org},
series = {ITASEC},
location = {Cagliari, Italy},
note = {To appear}
}
