# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import base64
import functools
import itertools
import os
import random
import re
import string
import sys
import textwrap
from . import utils
def FuzzyInt(n):
  """Return an integer obtained by applying one randomly chosen mutation to n.

  Exactly one of the mutations below is selected with random.choice. Some of
  them ignore n entirely and produce a fresh value; the rest derive the result
  from n (negation, off-by-one, small random offset).
  """
  bit_widths = [8, 16, 32, 64, 128]
  native_bits = sys.maxsize.bit_length()

  def _FreshValue(_):
    # Exponent range reaches one bit past the native word size.
    return utils.UniformExpoInteger(0, native_bits + 1)

  def _FreshNegatedValue(_):
    return -utils.UniformExpoInteger(0, native_bits)

  def _AllOnes(_):
    # 2**w - 1 for one of the listed widths.
    return 2**random.choice(bit_widths) - 1

  def _PowerOfTwo(_):
    # 2**w for one of the listed widths.
    return 2**random.choice(bit_widths)

  def _Zero(_):
    return 0

  def _Negate(value):
    return -value

  def _Increment(value):
    return value + 1

  def _Decrement(value):
    return value - 1

  def _Nudge(value):
    return value + random.randint(-1024, 1024)

  candidates = [
      _FreshValue,
      _FreshNegatedValue,
      _AllOnes,
      _PowerOfTwo,
      _Zero,
      _Negate,
      _Increment,
      _Decrement,
      _Nudge,
  ]
  chosen = random.choice(candidates)
  return chosen(n)
def FuzzyString(s):
  """Return a fuzzed variant of the text string s.

  The type-aware mutators (embedded integers, Base64 words, separator-delimited
  lists) run first, in that order, each on the output of the previous one. Once
  the string differs from the input, a coin flip after each mutator decides
  whether to return immediately. If none of them returns, one generic mutation
  is picked at random and applied to the (possibly already modified) string.

  The result is not always a str: the random-code-point mutation and the
  os.urandom mutation both return bytes.
  """
  # First try some mutations that try to recognize certain types of strings
  assert isinstance(s, str)
  original = s
  for recognizer in (FuzzIntsInString, FuzzBase64InString, FuzzListInString):
    s = recognizer(s)
    if s == original:
      continue
    # Stop if we've modified the string and our coin comes up heads
    if random.getrandbits(1):
      return s

  # If we're still here, apply a more generic mutation

  def _PrintableNoise(_):
    length = utils.UniformExpoInteger(0, 14)
    return ''.join(random.choice(string.printable) for _ in range(length))

  def _CodePointNoise(_):
    # We let through the surrogate. The decode exception is handled at caller.
    length = utils.UniformExpoInteger(0, 14)
    text = ''.join(
        chr(random.randint(0, sys.maxunicode)) for _ in range(length))
    return text.encode('utf-8', 'surrogatepass')

  def _RawBytes(_):
    # NOTE(review): os.urandom is not driven by the `random` module's state,
    # so this branch cannot be replayed from a random.seed() value. Confirm
    # whether callers rely on seeded reproduction of fuzz cases.
    return os.urandom(utils.UniformExpoInteger(0, 14))

  def _Repeat(text):
    return text * utils.UniformExpoInteger(1, 5)

  def _PadRight(text):
    return text + 'A' * utils.UniformExpoInteger(0, 14)

  def _PadLeft(text):
    return 'A' * utils.UniformExpoInteger(0, 14) + text

  def _Truncate(text):
    # Drops between 1 and len-1 trailing characters (at least 1).
    cut = random.randint(1, max(1, len(text) - 1))
    return text[:-cut]

  def _Rewrap(text):
    width = random.randint(1, max(1, len(text) - 1))
    return textwrap.fill(text, width)

  def _Empty(_):
    return ''

  generic = [
      _PrintableNoise,
      _CodePointNoise,
      _RawBytes,
      _Repeat,
      _PadRight,
      _PadLeft,
      _Truncate,
      _Rewrap,
      _Empty,
  ]
  return random.choice(generic)(s)
def FuzzIntsInString(s):
  """Return s with some of its integer-looking tokens mutated by FuzzyInt.

  A token is a word made only of hexadecimal characters that contains at least
  one digit. Each token is independently left alone, deleted, or replaced by
  a fuzzed value rendered in the same base it was read in.
  """
  token_pattern = re.compile(r'\b[a-fA-F]*\d[0-9a-fA-F]*\b')

  def _MutateToken(match):
    token = match.group()
    # Flip a coin to decide whether to fuzz; on 1 the token is kept as is.
    if random.getrandbits(1):
      return token
    # Delete the integer 1/16th of the time
    if random.getrandbits(4) == 0:
      return ''
    # Assume decimal digits means a decimal number; otherwise parse as hex.
    if token.isdigit():
      return str(FuzzyInt(int(token)))
    return '%x' % FuzzyInt(int(token, 16))

  return token_pattern.sub(_MutateToken, s)
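def FuzzBase64InString(s):
  """Return s with its padded Base64 words decoded, mutated and re-encoded.

  Each match is decoded, wrapped in a FuzzyBuffer, given one RandomMutation()
  call, and substituted back as Base64 text. Strings without a match are
  returned unchanged.
  """

  def ReplaceBase64(m):
    fb = FuzzyBuffer(base64.b64decode(m.group()))
    fb.RandomMutation()
    # b64encode returns bytes, but re.sub on a str subject requires the
    # replacement callback to return str; Base64 output is pure ASCII.
    return base64.b64encode(fb).decode('ascii')

  # This only matches obvious Base64 words with trailing equals signs
  return re.sub(
      r'(?<![A-Za-z0-9+/])'
      r'(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)'
      r'(?![A-Za-z0-9+/])', ReplaceBase64, s)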
def FuzzListInString(s, separators=r', |,|; |;|\r\n|\s'):
  """Treat s as a delimited list and fuzz its items, if a separator is found.

  Every occurrence of the separators pattern is collected, one occurrence is
  picked at random, and s is split on that exact text. The pieces receive one
  FuzzyList.RandomMutation() call and are joined with the same separator.
  When the pattern does not occur, s is returned unchanged.
  """
  occurrences = re.findall(separators, s)
  if occurrences:
    # Ones that appear often are more likely
    chosen = random.choice(occurrences)
    pieces = FuzzyList(s.split(chosen))
    pieces.RandomMutation()
    return chosen.join(pieces)
  return s
# Pylint doesn't recognize that in this case 'self' is some mutable sequence,
# so the unsupported-assignment-operation and unsupported-delete-operation
# warnings have been disabled here.
# pylint: disable=unsupported-assignment-operation,unsupported-delete-operation
class FuzzySequence(object): #pylint: disable=useless-object-inheritance
  """Mixin adding random overwrite/insert/delete to a mutable sequence.

  The host class must support len() plus slice assignment and slice deletion.
  Any method parameter left at its default of None is replaced by a randomly
  chosen value.
  """

  def Overwrite(self, value, location=None, amount=None):
    """Replace amount elements, beginning at location, with value.

    If value has a __call__ attribute it is invoked with no arguments once per
    element needed; otherwise the same value is repeated.
    """
    size = len(self)
    if location is None:
      location = random.randint(0, max(0, size - 1))
    if amount is None:
      amount = utils.RandomLowInteger(min(1, size), size - location)
    replacement = (
        (value() for _ in range(amount))
        if hasattr(value, '__call__') else itertools.repeat(value, amount))
    self[location:location + amount] = replacement

  def Insert(self, value, location=None, amount=None, max_exponent=14):
    """Insert amount new elements in front of index location.

    If value has a __call__ attribute it is invoked with no arguments once per
    element needed; otherwise the same value is repeated. max_exponent is only
    consulted when amount is left for random selection.
    """
    if location is None:
      location = random.randint(0, max(0, len(self) - 1))
    if amount is None:
      amount = utils.UniformExpoInteger(0, max_exponent)
    addition = (
        (value() for _ in range(amount))
        if hasattr(value, '__call__') else itertools.repeat(value, amount))
    # An empty slice as the target inserts without removing anything.
    self[location:location] = addition

  def Delete(self, location=None, amount=None):
    """Remove amount elements, beginning at location."""
    size = len(self)
    if location is None:
      location = random.randint(0, max(0, size - 1))
    if amount is None:
      amount = utils.RandomLowInteger(min(1, size), size - location)
    end = location + amount
    del self[location:end]
# pylint: enable=unsupported-assignment-operation,unsupported-delete-operation
class FuzzyList(list, FuzzySequence):
  """A list that can apply random structural mutations to itself."""

  def RandomMutation(self, count=None, new_element=''):
    """Apply count mutations, each picked uniformly from a fixed set.

    The set is: shuffle, reverse, overwrite or insert using new_element,
    overwrite or insert using elements sampled from the list itself, and
    delete. When count is None it is drawn from utils.RandomLowInteger.
    """

    def _ExistingOrNew():
      # Sample from the current contents; fall back once the list is empty.
      return random.choice(self) if self else new_element

    def _Shuffle():
      random.shuffle(self)

    operations = [
        _Shuffle,
        self.reverse,
        functools.partial(self.Overwrite, new_element),
        functools.partial(self.Overwrite, _ExistingOrNew),
        functools.partial(self.Insert, new_element, max_exponent=10),
        functools.partial(self.Insert, _ExistingOrNew, max_exponent=10),
        self.Delete,
    ]
    rounds = count
    if rounds is None:
      rounds = utils.RandomLowInteger(1, 5, beta=3.0)
    for _ in range(rounds):
      operation = random.choice(operations)
      operation()
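class FuzzyBuffer(bytearray, FuzzySequence):
  """A bytearray with additional methods for mutating the sequence of bytes."""

  def __repr__(self):
    """Return 'ClassName(b'...')' showing the current byte contents."""
    # On Python 3, str() of a bytearray yields its repr text rather than the
    # contents (and is rejected under -bb), so render through bytes() instead.
    return '%s(%r)' % (self.__class__.__name__, bytes(self))

  def FlipBits(self, num_bits=None):
    """Flip num_bits distinct, randomly chosen bits in the buffer.

    When num_bits is None it is drawn from utils.RandomLowInteger, with an
    upper argument of the total number of bits in the buffer.
    """
    total_bits = len(self) * 8
    if num_bits is None:
      num_bits = utils.RandomLowInteger(min(1, len(self)), total_bits)
    for bit in random.sample(range(total_bits), num_bits):
      # Floor division: a true-division result is a float, which is not a
      # valid bytearray index on Python 3.
      self[bit // 8] ^= 1 << (bit % 8)

  def RandomMutation(self, count=None):
    """Apply count random mutations chosen from a weighted list.

    Each entry pairs a mutation with a weight and the pick is delegated to
    utils.WeightedChoice. When count is None it is drawn from
    utils.RandomLowInteger.
    """
    random_bytes = lambda: random.randint(0x00, 0xFF)
    # The three value variants of Overwrite and of Insert carry a weight of
    # 1/3 each, so each group sums to the weight of FlipBits or Delete.
    mutations = [
        (self.FlipBits, 1),
        (functools.partial(self.Overwrite, random_bytes), 1 / 3.0),
        (functools.partial(self.Overwrite, 0xFF), 1 / 3.0),
        (functools.partial(self.Overwrite, 0x00), 1 / 3.0),
        (functools.partial(self.Insert, random_bytes), 1 / 3.0),
        (functools.partial(self.Insert, 0xFF), 1 / 3.0),
        (functools.partial(self.Insert, 0x00), 1 / 3.0),
        (self.Delete, 1),
    ]
    if count is None:
      count = utils.RandomLowInteger(1, 5, beta=3.0)
    for _ in range(count):
      utils.WeightedChoice(mutations)()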