Tag: fuzzing

  • Fandango Goes Protocol

    When we released Fandango, the most common question we got was: can it test protocols? It’s a fair ask. A lot of the most interesting and security-critical software out there doesn’t just read a file — it talks. FTP servers, DNS resolvers, custom binary protocols — these systems communicate through structured, stateful exchanges where every…

  • Fandango is Live

    After months of building, testing, and a few too many late nights debugging evolutionary algorithms, Fandango is officially out. Fandango is an open-source fuzzer I’ve been developing as part of my PhD at CISPA Helmholtz Center for Information Security. The core idea came from a simple frustration: most fuzzers are either too dumb or too…

  • FANDANGO: Evolving Language-Based Testing — ISSTA 2025

    Our paper “FANDANGO: Evolving Language-Based Testing” was published in the Proceedings of the ACM on Software Engineering at ISSTA 2025, co-authored with Marius Smytzek and Andreas Zeller. This is the main research paper behind the Fandango fuzzer. Language-based fuzzers work by combining a formal grammar — which defines what valid inputs look like structurally —…

  • Personalized Fuzzing: Testing a GNSS Module with Fandango — ISSTA 2025

    Our paper “Personalized Fuzzing: A Case Study with the FANDANGO Fuzzer on a GNSS Module” was published at the 34th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2025), co-authored with Stephan Neuhaus and Andreas Zeller. GNSS modules — the hardware components responsible for satellite-based positioning in devices like phones, drones, and vehicles…

  • XAVIER: Grammar-Based Testing for XML Injection Attacks — ISSTA 2025

    Our paper “XAVIER: Grammar-Based Testing for XML Injection Attacks” was published at the 34th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2025), co-authored with Paul Kalbitzer and Andreas Zeller. Web services handle some of the most sensitive operations on the internet — banking, e-commerce, authentication — and they are also prime targets…

  • Shaping Test Inputs in Grammar-Based Fuzzing — ISSTA 2024

    My paper “Shaping Test Inputs in Grammar-Based Fuzzing” was published at the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2024), one of the top venues for software testing research. The paper starts from a problem that anyone who has used grammar-based fuzzing will recognize: existing fuzzers are biased. When you define…

  • Better-Distributed Grammar-Based Fuzzing

    UniFuzz is a grammar-based fuzzing tool that generates test suites with better input distribution. Instead of randomly sampling from a grammar (which tends to produce short, repetitive inputs), UniFuzz lets you specify how values should be distributed — uniform, normal, or custom — and generates a population that actually covers the input space. You define…

  • Accepted to the Fuzzing and Software Security Summer School 2024

    Greetings, fellow adventurers of the digital frontier! Today, I am thrilled to share with you that I have been accepted to attend the Fuzzing and Software Security Summer School 2024. Set to debut in the week of 27–31 May 2024, this event promises to be a gathering of some of the brightest minds in…