OverrideFuzz: Semantic-Aware Grammar Fuzzing for Script-Runtime Vulnerabilities

TL;DR

OverrideFuzz is a semantic-aware grammar fuzzer designed for script-language runtimes, improving testing by modeling dynamic behaviors and hooks to better identify runtime vulnerabilities.

Contribution

It introduces a two-phase approach that constructs objects with override methods and generates operations through hooks, enhancing semantic correctness without manual API specifications.

Findings

Coverage growth observed across CPython, Lua, and QuickJS.

Lua benefits most from metamethod dispatch mechanism.

Reconstructs inputs matching known vulnerability patterns.

Abstract

Script-language runtimes such as Python, Lua, and JavaScript are widely deployed in security sensitive contexts, yet they remain difficult to test because valid inputs must satisfy syntax, dynamic type constraints, and object-level semantics. Existing grammar and reflection-based fuzzers improve syntactic validity and interface reachability, but they rarely model override hooks, dynamic rebinding, and attribute-resolution behavior that can redirect built-in operations across the script-native boundary and trigger use-after-free or type-confusion bugs. We present OverrideFuzz, a two-phase, semantic-aware grammar fuzzer for script-language runtimes. Its declaration phase constructs objects with overriding methods, while its execution phase generates operations that route through those hooks. Active reflection tracks runtime types, and passive reflection learns from error messages to remove invalid operation shapes, allowing generation to approach semantic correctness without manual API specification. We evaluate OverrideFuzz on CPython, Lua, and QuickJS. All three targets show consistent coverage growth, with rapid early expansion followed by slower incremental gains, and Lua benefits most from its pervasive metamethod dispatch mechanism. Although OverrideFuzz did not discover novel vulnerabilities during the bounded evaluation period, corpus analysis shows that it reconstructs inputs matching known vulnerability patterns, which suggests that semantic-aware generation reaches the intended script-native boundary behaviors.