Greybox fuzzer #1344
Open
DaniilStepanov wants to merge 30 commits into UnitTestBot:main from DaniilStepanov:greyboxfuzzer
DaniilStepanov force-pushed the greyboxfuzzer branch from 5f14d4e to d723901 on December 6, 2022 13:49
DaniilStepanov force-pushed the greyboxfuzzer branch from 5227aff to 949c3f5 on December 19, 2022 14:27
DaniilStepanov force-pushed the greyboxfuzzer branch from e6accca to a7a1f39 on December 28, 2022 16:34
DaniilStepanov force-pushed the greyboxfuzzer branch from f6d9667 to 7392e6d on January 24, 2023 16:19
Greybox fuzzer
This document describes principles and capabilities of the implemented fuzzing module.
For what?
Any symbolic execution engine has its drawbacks and limitations:
Based on these problems, a fuzzing module without symbolic execution is required for full-fledged testing of programs. Also, modern research shows that the most effective approach is the hybrid mode, in which symbolic and concrete executions help each other. The most effective way of fuzzing without symbolic execution is greybox fuzzing, which is proposed in this PR.
How does it work?
You can read about how greybox fuzzing works here.
The fuzzing process can be divided into two stages: exploration and exploitation. In the exploration phase, seeds are generated to test the target function; in the exploitation phase, mutations are applied to the best seeds. Why do we need an exploitation phase? Consider an example of a simple Java program:
The probability that we initially generate an array that finds a bug is 0%. It is much more likely to generate an array whose first element is 0, and then through mutations to get data that will find a bug.
Exploration phase
To implement the exploration phase, junit-quickcheck was used, which contains built-in configurable generators for many Java library types. Initially, the library generated objects that were converted to UtModel using UtModelConstructor. But this approach has shown its inoperability due to the impossibility of converting complex objects containing a large number of fields into UtModel (java.lang.Thread, for example). Therefore, it was decided to rewrite the library (package org.utbot.quickcheck) to generate UtModels instead of objects. Also, in the org.utbot.engine.greyboxfuzzer.generator.GeneratorConfigurator class it is possible to configure generators by limiting the range of generated values and the size of collections. In addition to generators for many types from the standard library, a generator for user-defined classes has been implemented, which has the following capabilities:
The biggest difficulty in generating user classes is the processing of type parameters. For this, the libraries javaruntype (70 kB) and generics-resolver (77 kB) were used. In the implemented module, it is possible to replace type parameters with values suitable for bound, for example, in the function
The T parameter can be replaced by a random inheritor of the Number class.
The algorithm for object generation works as follows:
ParameterTypeContext is built containing the necessary information for resolving type parameters
org.utbot.engine.greyboxfuzzer.generator.userclasses.generator package
The result of the exploration phase is a sorted set of seeds. Seeds are ranked according to the new coverage they open.
Exploitation phase
This phase is designed to mutate seeds from the exploration phase.
The exploitation phase has the following features:
During the work of this phase, the ranking of seeds is also carried out, and preference is given to the "more successful" ones.
Experiments
Experiments are carried out on projects from the SBST competition.
TODO()
Current status
The exploration phase is currently being tested, and the exploitation phase is a work in progress.
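The two-phase loop the PR description lays out (an exploration phase whose seeds are ranked by the new coverage they open, followed by an exploitation phase that mutates the best-ranked seeds, preferring the more successful ones), written out as a small coverage-guided loop in Python. This is an added illustration, not code from this PR or from UnitTestBot. The `target` function with its equality-guarded failing path, the branch identifiers it records, the `VALUE_RANGE` and `MAX_LEN` bounds, the mutation operators and the squared-coverage weighting are all constructed assumptions that stand in for the Java example referred to above and for the project's real generators and coverage instrumentation.

```python
import random

# Constructed target (an assumption, not the Java program the PR refers to):
# the failing path is guarded by a chain of equality checks on the array, so
# random generation alone reaches it with negligible probability, while a
# seed that already passes the first check is a short mutation walk away.
def target(arr, cov):
    # cov collects identifiers of executed branches; it stands in for real
    # coverage instrumentation.
    cov.add("entry")
    if len(arr) >= 3:
        cov.add("len>=3")
        if arr[0] == 0:
            cov.add("a0==0")
            if arr[1] == 7:
                cov.add("a1==7")
                if arr[2] == 13:
                    cov.add("bug")
                    raise AssertionError("bug reached with " + str(arr))


def run(arr):
    """Execute the target once; return (set of covered branches, crashed?)."""
    cov = set()
    try:
        target(arr, cov)
    except AssertionError:
        return cov, True
    return cov, False


VALUE_RANGE = (0, 19)   # constructed generator bound, like a configured value range
MAX_LEN = 4             # constructed bound on collection size


def explore(rng, n_seeds):
    """Exploration: random seeds, each scored by how many branches it newly opens."""
    seeds, global_cov, crash = [], set(), None
    for _ in range(n_seeds):
        arr = [rng.randint(*VALUE_RANGE) for _ in range(rng.randint(0, MAX_LEN))]
        cov, crashed = run(arr)
        if crashed and crash is None:
            crash = arr
        new_branches = len(cov - global_cov)
        global_cov |= cov
        seeds.append((new_branches, len(cov), arr))
    # Best seeds first: most new coverage, then most total coverage.
    seeds.sort(key=lambda s: (s[0], s[1]), reverse=True)
    return seeds, global_cov, crash


def mutate(rng, arr):
    """One random mutation: replace, nudge, append or drop an element."""
    arr = list(arr)
    r = rng.random()
    if r < 0.5 and arr:
        arr[rng.randrange(len(arr))] = rng.randint(*VALUE_RANGE)
    elif r < 0.7 and arr:
        arr[rng.randrange(len(arr))] += rng.choice([-1, 1])
    elif r < 0.85:
        arr.append(rng.randint(*VALUE_RANGE))
    elif arr:
        arr.pop(rng.randrange(len(arr)))
    return arr


def exploit(rng, seeds, global_cov, iterations, top_k=5):
    """Exploitation: mutate the top seeds, preferring those with more coverage;
    a mutant that opens a new branch joins the corpus. Returns (crash input or None, coverage)."""
    corpus = [(arr, cov_size) for _, cov_size, arr in seeds[:top_k]]
    for _ in range(iterations):
        weights = [cov_size ** 2 for _, cov_size in corpus]  # "more successful" seeds win
        parent = rng.choices(corpus, weights=weights)[0][0]
        child = mutate(rng, parent)
        cov, crashed = run(child)
        if crashed:
            return child, global_cov | cov
        if cov - global_cov:
            global_cov |= cov
            corpus.append((child, len(cov)))
    return None, global_cov


def campaign(seed=1, n_seeds=500, iterations=20000):
    """Run both phases; report the crashing input and the coverage after each phase."""
    rng = random.Random(seed)
    seeds, explore_cov, crash = explore(rng, n_seeds)
    if crash is not None:
        return {"crash": crash, "exploration": explore_cov, "final": explore_cov}
    crash, final_cov = exploit(rng, seeds, explore_cov, iterations)
    return {"crash": crash, "exploration": explore_cov, "final": final_cov}


if __name__ == "__main__":
    result = campaign()
    print("branches covered by exploration:", sorted(result["exploration"]))
    print("branches covered after exploitation:", sorted(result["final"]))
    print("crashing input:", result["crash"])
```

Running `campaign()` shows the point made in the description: exploration alone almost never reaches the `bug` branch, but it reliably produces a seed that passes `a0==0`, and exploitation turns that seed into a crashing input by mutating one element at a time. The weighting by coverage is the toy counterpart of giving preference to the "more successful" seeds during exploitation.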