Grimoire

Authors: Tim Blazytko, Cornelius Aschermann, Ali Abbasi, Sergej Schumilo, Simon Wörner, Thorsten Holz

Grimoire is a fast, binary-only fuzzer that infers structural information during the fuzzing process itself. To produce better test coverage, it observes how chunks of the learned inputs can be recombined, forming a weak form of grammar. This process piggybacks on the usual fuzzing process and uses only the information obtained from an AFL-style feedback bitmap. As a consequence, it is very cheap and greatly improves the performance of fuzzers when fuzzing structured formats.
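To make the approach described above concrete, the following is an added toy example; it is not Grimoire's own code, and the target parser, its simulated edge coverage (standing in for the AFL-style bitmap) and the seed inputs are all constructed for illustration. It shows the two halves of the idea: generalizing an input by deleting chunks whose removal leaves the bitmap unchanged, which leaves "gaps", and then recombining the strict (non-gap) parts of learned inputs at those gaps and by extension, keeping a candidate only when the bitmap gains a new edge.

```python
# Added illustration of Grimoire-style grammar inference; not the project's code.
# The target, its simulated edge coverage and the seeds below are constructed.
import random

GAP = None  # marks a span whose removal left the coverage bitmap unchanged


def run_target(data: str) -> frozenset:
    """Constructed target: a tiny parser for inputs like "(ab+cd)*e".
    Returns the (previous_state, state) edges hit, standing in for an
    AFL-style bitmap; the fuzzing loop never looks inside the target."""
    edges, state, depth = set(), "start", 0
    for ch in data:
        if ch == "(":
            depth += 1
            new = "open" if depth < 3 else "deep"
        elif ch == ")":
            depth -= 1
            new = "close" if depth >= 0 else "error"
        elif ch.isalpha():
            new = "ident"
        elif ch in "+*":
            new = "op"
        else:
            new = "junk"
        edges.add((state, new))
        state = new
        if state == "error":
            break
    edges.add((state, "end" if depth == 0 else "unbalanced"))
    return frozenset(edges)


def generalize(data: str, chunk_sizes=(4, 2, 1)) -> list:
    """Delete chunks (largest first); keep a deletion only if the bitmap is
    unchanged and leave a GAP marker where it happened. What remains is the
    structure the target actually distinguishes."""
    baseline = run_target(data)
    tokens = list(data)
    for size in chunk_sizes:
        i = 0
        while i < len(tokens):
            window = tokens[i:i + size]
            if GAP in window or len(window) < size:
                i += 1
                continue
            candidate = tokens[:i] + tokens[i + size:]
            if run_target("".join(t for t in candidate if t is not GAP)) == baseline:
                tokens = tokens[:i] + [GAP] + tokens[i + size:]
                i += 1
            else:
                i += size
    merged = []  # collapse runs of adjacent gaps into one
    for t in tokens:
        if not (t is GAP and merged and merged[-1] is GAP):
            merged.append(t)
    return merged


def strict_strings(generalized: list) -> list:
    """The non-gap substrings of a generalized input, in order."""
    pieces, cur = [], []
    for t in generalized + [GAP]:
        if t is GAP:
            if cur:
                pieces.append("".join(cur))
            cur = []
        else:
            cur.append(t)
    return pieces


def splice(rng: random.Random, base: list, pool: list) -> str:
    """Fill every gap of `base` with a strict substring taken from some
    generalized input in the pool (a simplified form of string splicing)."""
    out = []
    for t in base:
        if t is GAP:
            fragments = strict_strings(rng.choice(pool))
            out.append(rng.choice(fragments) if fragments else "")
        else:
            out.append(t)
    return "".join(out)


def fuzz(seeds: list, rounds: int = 300, seed: int = 1) -> tuple:
    """Coverage-guided loop: mutate generalized inputs and keep (generalized)
    any candidate whose bitmap contains an edge not seen before."""
    rng = random.Random(seed)
    pool = [generalize(s) for s in seeds]
    covered = set().union(*(run_target(s) for s in seeds))
    for _ in range(rounds):
        candidate = splice(rng, rng.choice(pool), pool)
        if rng.random() < 0.5:  # input extension: append another learned input
            candidate += "".join(strict_strings(rng.choice(pool)))
        cov = run_target(candidate)
        if cov - covered:
            covered |= cov
            pool.append(generalize(candidate))
    return covered, pool
```

Running `fuzz(["(ab+cd)", "x*y"])` starts from two constructed seeds; generalization turns `(ab+cd)` into `(` + gap + `b+cd)` because deleting the `a` leaves every edge (including `ident->ident`, still hit by `cd`) in place, and splicing a `(` into that gap later produces nested parentheses the seeds never contained. Only the bitmap comparison drives all of this, which is why the technique is cheap enough to piggyback on normal fuzzing.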

Grimoire helped to find and report multiple bugs, including:

  • gnuplot (CVE-2018-19490)
  • gnuplot (CVE-2018-19491)
  • gnuplot (CVE-2018-19492)
  • tcc (CVE-2018-20376)
  • tcc (CVE-2018-20375)
  • tcc (CVE-2018-20374)
  • tinyCC (CVE-2019-9754)
  • tinyCC (CVE-2019-12495)
  • Boolector (CVE-2019-7559)
  • Boolector (CVE-2019-7560)
  • NASM (CVE-2019-8343)