CRPL · May 12

OverrideFuzz: Semantic-Aware Grammar Fuzzing for Script-Runtime Vulnerabilities

arXiv:2605.12563 · 3.6
Predicted impact: top 92% in CR · last 90 days · Originality: Incremental advance
AI Analysis

For developers and security researchers working on script-language runtimes, OverrideFuzz addresses the challenge of testing semantic correctness beyond syntax and interface reachability, but its impact is incremental because it did not discover any new vulnerabilities during its evaluation.

OverrideFuzz introduces a semantic-aware grammar fuzzer for script-language runtimes (Python, Lua, JavaScript) that models override hooks and dynamic rebinding to trigger script-native boundary bugs. Evaluation shows consistent coverage growth across all targets, with Lua benefiting most, and corpus analysis confirms reconstruction of known vulnerability patterns, though no novel vulnerabilities were found during the evaluation period.

Script-language runtimes such as Python, Lua, and JavaScript are widely deployed in security-sensitive contexts, yet they remain difficult to test because valid inputs must satisfy syntax, dynamic type constraints, and object-level semantics. Existing grammar and reflection-based fuzzers improve syntactic validity and interface reachability, but they rarely model override hooks, dynamic rebinding, and attribute-resolution behavior that can redirect built-in operations across the script-native boundary and trigger use-after-free or type-confusion bugs. We present OverrideFuzz, a two-phase, semantic-aware grammar fuzzer for script-language runtimes. Its declaration phase constructs objects with overriding methods, while its execution phase generates operations that route through those hooks. Active reflection tracks runtime types, and passive reflection learns from error messages to remove invalid operation shapes, allowing generation to approach semantic correctness without manual API specification. We evaluate OverrideFuzz on CPython, Lua, and QuickJS. All three targets show consistent coverage growth, with rapid early expansion followed by slower incremental gains, and Lua benefits most from its pervasive metamethod dispatch mechanism. Although OverrideFuzz did not discover novel vulnerabilities during the bounded evaluation period, corpus analysis shows that it reconstructs inputs matching known vulnerability patterns, which suggests that semantic-aware generation reaches the intended script-native boundary behaviors.
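The abstract describes four moving parts: a declaration phase that builds objects with overriding methods, an execution phase that generates operations routed through those hooks, active reflection that tracks runtime types, and passive reflection that learns from error messages which operation shapes to drop. The following miniature, written for this page as an added illustration and not taken from the OverrideFuzz paper or its implementation, shows the recipe against CPython itself: the hook set (`HOOKS`), the operation shapes (`OP_SHAPES`), the class and variable names `Obj` and `v`, and the error-message parsing regex are all assumptions chosen for the example, and the generated class records which hooks the operations actually reached.

```python
"""Constructed illustration of a two-phase, semantic-aware generator in the
spirit of OverrideFuzz. Hook set, operation shapes and names are assumptions
made for this example, not the paper's implementation."""
import random
import re

# Hook bodies the declaration phase may install (constructed set). Each
# records its own name in TRACE so we can see which hooks were reached.
HOOKS = {
    "__getattr__": "def __getattr__(self, name):\n        TRACE.append('__getattr__'); return 0",
    "__eq__": "def __eq__(self, other):\n        TRACE.append('__eq__'); return True",
    "__index__": "def __index__(self):\n        TRACE.append('__index__'); return 1",
    "__iter__": "def __iter__(self):\n        TRACE.append('__iter__'); return iter(())",
    "__len__": "def __len__(self):\n        TRACE.append('__len__'); return 2",
}

# Operation shapes for the execution phase: templates over the variable name.
# Several only succeed when the matching hook exists; "add" never does here.
OP_SHAPES = {
    "attr": "{v}.missing_attribute",
    "eq": "{v} == 1",
    "index_list": "[10, 20, 30][{v}]",
    "iter": "list({v})",
    "len": "len({v})",
    "add": "{v} + 1",
    "subscript": "{v}[0]",
}


def declare_class(rng, n_hooks):
    """Declaration phase: emit source for a class overriding n_hooks hooks."""
    chosen = rng.sample(sorted(HOOKS), k=n_hooks)
    body = "\n    ".join(HOOKS[h] for h in chosen) or "pass"
    return chosen, f"class Obj:\n    {body}\n\nv = Obj()\n"


class Reflection:
    """Active reflection: observed runtime types of variables and results.
    Passive reflection: (type, shape) pairs the runtime has rejected."""

    def __init__(self):
        self.var_types = {}
        self.result_types = {}
        self.banned = set()

    def observe(self, var, value):
        self.var_types[var] = type(value).__name__

    def learn_from_error(self, var, shape, exc):
        # Prefer the type the runtime names in its message, e.g.
        # "'Obj' object is not subscriptable"; fall back to the tracked type.
        m = re.search(r"'(\w+)' object", str(exc))
        type_name = m.group(1) if m else self.var_types.get(var, "?")
        self.banned.add((type_name, shape))

    def allowed(self, var, shape):
        return (self.var_types.get(var, "?"), shape) not in self.banned


def execute_phase(ns, refl, var="v"):
    """Execution phase: run every non-banned shape against var, learning
    from each failure. Returns the number of operations that raised."""
    errors = 0
    for shape, template in OP_SHAPES.items():
        if not refl.allowed(var, shape):
            continue
        try:
            result = eval(template.format(v=var), ns)
            refl.result_types[shape] = type(result).__name__
        except Exception as exc:  # any runtime rejection is a learning signal
            errors += 1
            refl.learn_from_error(var, shape, exc)
    return errors


def run_campaign(seed=0, n_hooks=3):
    """Two passes of the execution phase over one declared class. The second
    pass raises nothing: passive reflection pruned the rejected shapes."""
    rng = random.Random(seed)
    declared, src = declare_class(rng, n_hooks)
    ns = {"TRACE": []}
    exec(src, ns)
    refl = Reflection()
    refl.observe("v", ns["v"])
    errors_pass1 = execute_phase(ns, refl)
    errors_pass2 = execute_phase(ns, refl)
    return {
        "hooks_declared": declared,
        "hooks_reached": sorted(set(ns["TRACE"])),
        "errors_pass1": errors_pass1,
        "errors_pass2": errors_pass2,
        "banned": refl.banned,
        "result_types": refl.result_types,
    }


if __name__ == "__main__":
    print(run_campaign(seed=1, n_hooks=3))
```

With all five hooks declared, every hook is reached by at least one generated operation, and only the two shapes that no hook can satisfy (`add` and `subscript`) are pruned after the first pass; with no hooks, six of the seven shapes are rejected and learned. The point a practitioner should take from the abstract is visible here: whether a shape is valid depends on the declaration phase, so the generator has to learn per type rather than from a fixed API specification, and special-method dispatch bypasses `__getattr__`, so only the hooks actually installed on the class change which built-in operations cross into the runtime.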

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.
