Nautilus - Fuzzing with Grammars
Nautilus
Authors: Cornelius Aschermann, Tommaso Frassetto, Thorsten Holz, Patrick Jauernig, Ahmad-Reza Sadeghi, Daniel Teuchert
Nautilus is a feedback-driven fuzzer inspired by AFL. Unlike AFL, however, it lets the user specify a grammar for the input format. Using this grammar, the fuzzer generates inputs as abstract syntax trees and keeps those trees internally, which also allows for very complex, structure-aware mutations. Only after mutation does it convert a tree into the actual input bytes. Knowing the exact tree shape greatly improves performance on highly structured input formats, such as many text formats and programming languages.
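The generate-from-grammar, mutate-the-tree, unparse-to-bytes loop described above, as an added example that is not part of the Nautilus project or its code. It uses a constructed toy grammar for arithmetic expressions (Nautilus's own grammar file format and mutation set are different; the rule names and the two mutations here are illustrative assumptions), builds a derivation tree with a depth budget so generation always terminates, applies two tree-level mutations (regenerate a random subtree, or splice in a subtree of the same nonterminal from a second tree) and then unparses the result. The point to notice is that every mutated tree still satisfies the grammar, which is what lets a grammar fuzzer get past a target's parser without wasting executions on syntactically invalid inputs.

```python
import copy
import random
from dataclasses import dataclass, field

# Constructed toy grammar (assumption: not Nautilus's grammar format).
# Each nonterminal maps to a list of rules; each rule is a list of symbols.
GRAMMAR = {
    "EXPR": [["TERM"], ["EXPR", "+", "TERM"]],
    "TERM": [["NUM"], ["(", "EXPR", ")"]],
    "NUM": [["1"], ["2"], ["3"]],
}


@dataclass
class Node:
    """One node of the derivation tree; terminals have no children."""
    symbol: str
    children: list = field(default_factory=list)


def is_nonterminal(sym):
    return sym in GRAMMAR


def min_depths(grammar):
    """Smallest derivation depth for each nonterminal (fixpoint iteration).
    Used to pick a rule that is guaranteed to terminate once the budget is spent."""
    depth = {nt: float("inf") for nt in grammar}
    changed = True
    while changed:
        changed = False
        for nt, rules in grammar.items():
            for rule in rules:
                d = 1 + max((depth[s] for s in rule if s in grammar), default=0)
                if d < depth[nt]:
                    depth[nt], changed = d, True
    return depth


MIN_DEPTH = min_depths(GRAMMAR)


def rule_depth(rule):
    return 1 + max((MIN_DEPTH[s] for s in rule if is_nonterminal(s)), default=0)


def generate(symbol, rng, budget):
    """Randomly derive a tree for `symbol`. While budget remains, any rule may be
    chosen; once it is exhausted only the shallowest rules are used, so the
    recursion always bottoms out."""
    if not is_nonterminal(symbol):
        return Node(symbol)
    rules = GRAMMAR[symbol]
    if budget <= MIN_DEPTH[symbol]:
        shortest = min(rule_depth(r) for r in rules)
        rules = [r for r in rules if rule_depth(r) == shortest]
    rule = rng.choice(rules)
    return Node(symbol, [generate(s, rng, budget - 1) for s in rule])


def unparse(node):
    """Convert the tree back into the concrete input string."""
    if not node.children:
        return node.symbol
    return "".join(unparse(c) for c in node.children)


def nonterminal_nodes(tree):
    """All nodes that expand a nonterminal, i.e. candidate mutation points."""
    out = []
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.children:
            out.append(n)
            stack.extend(n.children)
    return out


def mutate_replace(tree, rng, budget):
    """Tree mutation 1: pick a random subtree and regenerate it from its own nonterminal."""
    new_tree = copy.deepcopy(tree)
    target = rng.choice(nonterminal_nodes(new_tree))
    target.children = generate(target.symbol, rng, budget).children
    return new_tree


def mutate_splice(tree, donor, rng):
    """Tree mutation 2: replace a random subtree with a donor subtree of the same nonterminal."""
    new_tree = copy.deepcopy(tree)
    target = rng.choice(nonterminal_nodes(new_tree))
    candidates = [n for n in nonterminal_nodes(donor) if n.symbol == target.symbol]
    if candidates:
        target.children = copy.deepcopy(rng.choice(candidates).children)
    return new_tree


def is_valid(node):
    """Check that every expansion in the tree is a rule of the grammar."""
    if not node.children:
        return not is_nonterminal(node.symbol)
    rule = [c.symbol for c in node.children]
    return rule in GRAMMAR.get(node.symbol, []) and all(is_valid(c) for c in node.children)


if __name__ == "__main__":
    rng = random.Random(2019)
    seed_tree = generate("EXPR", rng, 6)
    donor = generate("EXPR", rng, 6)
    print("seed:   ", unparse(seed_tree))
    print("replace:", unparse(mutate_replace(seed_tree, rng, 4)))
    print("splice: ", unparse(mutate_splice(seed_tree, donor, rng)))
```

In a real fuzzer the unparsed string is what gets fed to the target, and the tree (not the string) is what goes into the queue when the execution yields new coverage, so later mutations keep operating on structure rather than bytes.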
Nautilus helped find and report multiple bugs, including:
- https://github.com/Microsoft/ChakraCore/issues/5503
- https://github.com/mruby/mruby/issues/3995 (CVE-2018-10191)
- https://github.com/mruby/mruby/issues/4001 (CVE-2018-10199)
- https://github.com/mruby/mruby/issues/4038 (CVE-2018-12248)
- https://github.com/mruby/mruby/issues/4027 (CVE-2018-11743)
- https://github.com/mruby/mruby/issues/4036 (CVE-2018-12247)
- https://github.com/mruby/mruby/issues/4037 (CVE-2018-12249)
- https://bugs.php.net/bug.php?id=76410
- https://bugs.php.net/bug.php?id=76244
The paper describing Nautilus was published at NDSS 2019. A recording of the presentation and the slides can be found here:
| Talk | Slides |
|---|---|