playbooks

home / skills / plurigrid / asi / fuzzing-dictionary

fuzzing-dictionary skill

/skills/fuzzing-dictionary

This skill helps you build effective fuzzing dictionaries to boost fuzzer performance and uncover edge cases inputs.

npx playbooks add skill plurigrid/asi --skill fuzzing-dictionary

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
1.2 KB
---
name: fuzzing-dictionary
description: Building effective fuzzing dictionaries for improved fuzzer performance.
category: testing-handbook-skills
author: Trail of Bits
source: trailofbits/skills
license: AGPL-3.0
trit: -1
trit_label: MINUS
verified: true
featured: false
---

# Fuzzing Dictionary Skill

**Trit**: -1 (MINUS)
**Category**: testing-handbook-skills
**Author**: Trail of Bits
**Source**: trailofbits/skills
**License**: AGPL-3.0

## Description

Building effective fuzzing dictionaries for improved fuzzer performance.

## When to Use

This is a Trail of Bits security skill. Refer to the original repository for detailed usage guidelines and examples.

See: https://github.com/trailofbits/skills

## Related Skills

- audit-context-building
- codeql
- semgrep
- variant-analysis


## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 3. Variations on an Arithmetic Theme

**Concepts**: generic arithmetic, coercion, symbolic, numeric

### GF(3) Balanced Triad

```
fuzzing-dictionary (+) + SDF.Ch3 (○) + [balancer] (−) = 0
```

**Skill Trit**: 1 (PLUS - generation)


### Connection Pattern

Generic arithmetic crosses type boundaries. This skill handles heterogeneous data.

Overview

This skill builds effective fuzzing dictionaries to improve coverage and bug-finding performance of input-based fuzzers. It focuses on generating, organizing, and prioritizing tokens and structured input fragments that target parser logic and common failure modes. The goal is to make fuzzers reach deeper program states faster and produce higher-quality crashes.

How this skill works

The skill analyzes target input formats and runtime feedback to generate candidate tokens and input fragments. It ranks and prunes entries based on frequency, uniqueness, and observed impact on coverage, and emits dictionaries compatible with common fuzzers. It can incorporate domain-specific patterns and type-aware mutations to increase the likelihood of exercising semantic checks.

When to use it

  • When you run a fuzzer and see slow coverage growth on parsers or structured inputs
  • When the target accepts complex or heterogeneous data (JSON, XML, protocols, file formats)
  • When you want to seed fuzzing campaigns with high-value tokens and field values
  • When crash minimization is inconsistent and seeds need better semantic scaffolding
  • When automated token discovery from corpora or grammars is feasible

Best practices

  • Start with small, high-impact tokens (keywords, delimiters, magic constants) before adding many long strings
  • Group entries by semantic role (headers, fields, delimiters, numeric ranges) so fuzzer can pick relevant tokens
  • Measure dictionary effectiveness with repeated coverage-guided runs and iterate on entries that produce new paths
  • Prefer diverse, type-aware entries (boundary numbers, valid/invalid encodings, nested structures) over many near-duplicates
  • Limit dictionary size by removing tokens that never influence coverage to reduce mutation noise

Example use cases

  • Generate a dictionary for a custom binary file format by extracting known header fields and magic values
  • Seed a JSON parser fuzz campaign with common keys, schema shapes, and boundary numeric values
  • Create protocol-specific tokens (commands, flags, version strings) to push state-machine transitions
  • Augment grammar-based fuzzing by supplying realistic field contents for semantic checks
  • Automate token extraction from a corpus of samples and prune by coverage impact before large-scale fuzzing

FAQ

Will a larger dictionary always improve fuzzing?

No. Larger dictionaries can add noise and slow useful mutations; prioritize impact and prune ineffective entries.

How do I measure dictionary effectiveness?

Compare coverage growth and unique crashes across runs with and without the dictionary, and track contribution per token.

Can this handle binary and text formats?

Yes. Use type-aware tokens (byte sequences, encodings, numeric ranges) and organize entries by format role.