Ivan Fratric shares some tips and tricks for grammar fuzzing
projectzero.google/2026/03/muta...
Over the past decade, the automated generation of test inputs has made significant advances. Modern fuzzers and test generators easily produce complex input formats that do systematically cover the input and execution space. Testing protocols, though, has remained a frontier for automated testing, as a test generator has to interact with the program under test, producing messages that conform to the current state of the system. In this paper, we introduce language-based protocol testing, the first approach to specify, automatically test, and systematically cover the full state and input space of protocol implementations. We specify protocols as interaction grammars, an extension of context-free grammars that tag each message element with the communication party that is in charge of producing it. Interaction grammars embed classical state models by unifying states, messages, and transitions all into nonterminals, and can be used for producing interactions as well as parsing them, making them ideally suited for testing protocols. Additional constraints over grammar elements allow us to specify and test semantic features such as binary message formats, checksums, encodings, and the many ways that message features induce states and vice versa. To evaluate the effectiveness of language-based protocol testing, we have implemented it as part of the FANDANGO test generator. We specify several protocols as interaction grammars, including features such as human-readable interactions (SMTP), bit-level encodings (DNS), and dynamic port assignments (FTP), and use them to test the corresponding protocol implementations. By systematically covering the interaction grammar and solving the associated constraints, FANDANGO achieves comprehensive coverage of the protocol interactions, resulting in high code coverage and a thorough assessment of the program under test.
With more and more AI-generated code, comprehensive system testing becomes more important than ever. Our new paper "Language-Based Protocol Testing" (with Alexander Liggesmeyer and Pepe Zamudio), shows how to specify and test all details of how programs interact: arxiv.org/abs/2509.20308
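To make the abstract's central idea concrete, here is an added toy example (not code from the paper or from FANDANGO) of an interaction grammar: a context-free grammar whose terminals are tagged with the party that must produce them ("C" for client, "S" for server). The same grammar is used in both directions the abstract mentions, to produce a fresh interaction for testing and to parse a recorded trace to check that it conforms. The simplified SMTP-like exchange, the message texts, and the two constraints are all constructed for this example; constraints are enforced by plain rejection sampling here, which is a stand-in for the constraint solving the paper describes.

```python
import random

# Constructed toy interaction grammar (not the paper's SMTP specification).
# A terminal is a (party, message) pair; nonterminals are "<...>" strings.
# Each nonterminal maps to a list of alternatives; each alternative is a
# sequence of symbols. States, messages and transitions are all nonterminals.
GRAMMAR = {
    "<interaction>": [["<greeting>", "<hello>", "<mails>", "<quit>"]],
    "<greeting>": [[("S", "220 ready")]],
    "<hello>": [[("C", "HELO client.example"), ("S", "250 ok")]],
    "<mails>": [[], ["<mail>", "<mails>"]],          # zero or more messages
    "<mail>": [[("C", "MAIL FROM:<alice@example>"), ("S", "250 ok"),
                "<rcpts>",
                ("C", "DATA"), ("S", "354 go ahead"),
                ("C", "."), ("S", "250 queued")]],
    "<rcpts>": [["<rcpt>"], ["<rcpt>", "<rcpts>"]],   # at least one recipient
    "<rcpt>": [[("C", "RCPT TO:<bob@example>"), ("S", "250 ok")]],
    "<quit>": [[("C", "QUIT"), ("S", "221 bye")]],
}

# Constructed semantic constraints over a whole interaction (the grammar
# alone cannot express "at most two mails per session").
CONSTRAINTS = [
    lambda trace: sum(m.startswith("MAIL FROM") for _, m in trace) <= 2,
    lambda trace: all(m[:3].isdigit() for p, m in trace if p == "S"),
]


def produce(grammar, start, rng, constraints=(), max_depth=8, attempts=100):
    """Generate one interaction by expanding nonterminals at random.

    Past the depth budget the alternative with the fewest nonterminals is
    taken so recursion ends.  A candidate is kept only if every constraint
    holds (rejection sampling, a simplification of real constraint solving).
    """
    def expand(symbol, depth):
        if isinstance(symbol, tuple):            # terminal: one tagged message
            return [symbol]
        alts = grammar[symbol]
        if depth >= max_depth:
            alts = sorted(alts, key=lambda a: sum(isinstance(s, str) for s in a))[:1]
        alt = rng.choice(alts)
        return [m for s in alt for m in expand(s, depth + 1)]

    for _ in range(attempts):
        trace = expand(start, 0)
        if all(c(trace) for c in constraints):
            return trace
    raise RuntimeError("no interaction satisfied the constraints")


def _ends(grammar, symbols, trace, pos):
    """All trace positions reachable after matching `symbols` from `pos`."""
    if not symbols:
        return {pos}
    first, rest = symbols[0], symbols[1:]
    reached = set()
    if isinstance(first, tuple):
        if pos < len(trace) and tuple(trace[pos]) == first:
            reached |= _ends(grammar, rest, trace, pos + 1)
    else:
        for alt in grammar[first]:
            for mid in _ends(grammar, alt, trace, pos):
                reached |= _ends(grammar, rest, trace, mid)
    return reached


def parses(grammar, start, trace):
    """True if the recorded trace is one interaction the grammar allows."""
    return len(trace) in _ends(grammar, [start], trace, 0)


def party_view(trace, party):
    """What `party` must send and what it must expect, in order: this is
    the script a tester playing that party follows against a real peer."""
    return [("send" if p == party else "expect", m) for p, m in trace]


# Constructed traces: a minimal valid session and one that skips RCPT TO.
MINIMAL_TRACE = [("S", "220 ready"), ("C", "HELO client.example"),
                 ("S", "250 ok"), ("C", "QUIT"), ("S", "221 bye")]
BAD_TRACE = [("S", "220 ready"), ("C", "HELO client.example"), ("S", "250 ok"),
             ("C", "MAIL FROM:<alice@example>"), ("S", "250 ok"),
             ("C", "DATA"), ("S", "354 go ahead"), ("C", "."), ("S", "250 queued"),
             ("C", "QUIT"), ("S", "221 bye")]

if __name__ == "__main__":
    generated = produce(GRAMMAR, "<interaction>", random.Random(7), CONSTRAINTS)
    for step in party_view(generated, "C"):
        print(*step)
    print("generated parses:", parses(GRAMMAR, "<interaction>", generated))
    print("bad trace parses:", parses(GRAMMAR, "<interaction>", BAD_TRACE))
```

Because both producing and parsing walk the same grammar, a trace captured from a real server can be checked against exactly the specification that generated the test inputs, and a mismatch points at the first message where the implementation left the specified state space.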
Which is better? Asking your distant Uncle Barry for the Top10 restaurants in NY or consulting the Michelin Guide? Well, turns out that bug-based fuzzer benchmarking is much like Uncle Barry. Random and noisy.
Accepted at #FSE26. Led by Ardi Madadi, @is-eqv.bsky.social, and @nimgnoeseel.bsky.social
I wonder how you would feel and respond, as a reviewer, if you saw 3-4 papers submitted to the same conference that target the same problem from slightly different angles, with slightly varied problem statements, but ultimately use almost identical solutions (e.g., using LLMs as a magic wand)?
Now that #ICSE25 is over, it's time to get your papers ready for #ASE25 (30th May)!
Here is what's new:
* Major Revision v2.0
* Review criteria for tech. & experience papers
* Policy on LLM-assisted Reviews
* Auto-bidding (TPMS)
* Rapid Response Reliable Reviewers
For more details, read on.
I think Atropos is built on the key ideas from Redqueen & kAFL/Nyx in which the "spec" is quite different from OpenAPI spec. Moreover, the way that TrailBlazer supports generation & mutation-based fuzzing is quite different too. Hopefully, they, along with other tools, give developers more options.
TrailBlazer infers an OpenAPI spec and leverages the spec together with the captured traffic, which is *attached* to the inferred spec, to do both generation- and mutation-based fuzzing. Moreover, the current version of TrailBlazer is black-box, so it is not language dependent. Feedback guidance is our next step.
Excited to share our paper "Trailblazer: Practical End-to-End Web API Fuzzing (Registered Report)" was accepted to the Fuzzing Workshop 2025! It's the final piece from Lianglu Pan's thesis, co-advised by @shaananc.bsky.social, @tobycmurray.bsky.social, and me. See you in Trondheim this June!
This is the best explanation of agentic AI that I have ever seen. Simple but to the point. Highly recommended: youtu.be/O0GNrvO7wD0?...
Saturday morning read: "QUIC-Fuzz: An Effective Greybox Fuzzer For The QUIC Protocol"
arxiv.org/abs/2503.19402
Re-sharing to keep bluesky rolling
go.bsky.app/EhGFSVj
We reflect on the 5-year impact of our protocol fuzzer #AFLNet on research & practice in this journal extension *just accepted* at the Transactions on Software Engineering.
https://mpi-softsec.github.io/papers/TSE25-aflnet.pdf
https://github.com/aflnet/aflnet
Led by Ruijie and Thuan, w/ Abhik
futures.cs.utah.edu/papers/25ICS... by @snagycs.bsky.social and @gabriel-sherman.bsky.social Seems like a very sensible approach to harness generation with some impressive results. I'm looking forward to seeing more discussion about this approach :) (sorry for blatantly copying the twitter thing).