Glossary

Generation-Based Fuzzing

A fuzzing approach that synthesizes inputs from scratch using a grammar or format specification.

Generation-based fuzzing constructs inputs from a formal model of the target's expected input format — a grammar, a protocol specification, or a type schema. Rather than mutating existing samples, the fuzzer synthesizes structurally valid inputs according to the model and then introduces controlled deviations or random terminal values. Tools like Peach, Boofuzz, and grammar-aware AFL++ custom mutators implement this approach. Generation-based fuzzing excels where mutation-based fuzzers stall: protocol state machines, deeply nested data formats with length fields and checksums, and targets that reject malformed inputs at the outermost parsing layer without coverage gain. The main cost is the model itself — writing an accurate grammar is manual work and becomes outdated as the protocol evolves. Hybrid approaches combine a grammar-guided generator with a coverage-guided mutation engine.

Mutation-Based Fuzzing

A fuzzing approach that generates new inputs by systematically modifying existing corpus entries.

Blackbox Fuzzing

Fuzzing that generates inputs with no visibility into the target program's code or execution state.

Corpus

The evolving collection of test inputs a fuzzer maintains, used as the base for generating new mutations.

Seed Corpus

The initial set of valid, well-structured inputs provided to a fuzzer before it begins mutation.

Dictionary

A file of format-specific tokens or magic bytes provided to the fuzzer to help it construct semantically meaningful mutations.

Generation-Based Fuzzing

Related