2
How to Talk to Strange Programs and Find Bugs
Rahul Gopinath
https://rahul.gopinath.org [email protected]
@[email protected]
i.e., when the input speci
fi
cation is not known
Slide 3
Slide 3 text
3
We live in a world defined by
software
Slide 4
Slide 4 text
4
We have a crisis
We live in a world defined by
software
Slide 5
Slide 5 text
Bugs
5
Slide 6
Slide 6 text
6
Slide 7
Slide 7 text
The University of Sydney 7
https://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf
Interlinked Causes for Catastrophes
Slide 8
Slide 8 text
8
Input
✓
✘
Testing
@app.route('/admin')
def admin():
username = request.cookies.get("username")
if not username:
return {"Error": "Specify username in Cookie"}
username = urllib.quote(os.path.basename(username))
url = "http://permissions:5000/permissions/{}".format(username)
resp = requests.request(method="GET", url=url)
# "superadmin\ud888" will be simpli
fi
ed to "superadmin"
ret = ujson.loads(resp.text)
if resp.status_code == 200:
if "superadmin" in ret["roles"]:
return {"OK": "Superadmin Access granted"}
else:
e = u"Access denied. User has following roles:
{}".format(ret["roles"])
return {"Error": e}, 401
else:return {"Error": ret["Error"]}, 500
Slide 9
Slide 9 text
@app.route('/admin')
def admin():
username = request.cookies.get("username")
if not username:
return {"Error": "Specify username in Cookie"}
username = urllib.quote(os.path.basename(username))
url = "http://permissions:5000/permissions/{}".format(username)
resp = requests.request(method="GET", url=url)
# "superadmin\ud888" will be simpli
fi
ed to "superadmin"
ret = ujson.loads(resp.text)
if resp.status_code == 200:
if "superadmin" in ret["roles"]:
return {"OK": "Superadmin Access granted"}
else:
e = u"Access denied. User has following roles:
{}".format(ret["roles"])
return {"Error": e}, 401
else:return {"Error": ret["Error"]}, 500
[ ; x 1 - G P Z + w c c k c ] ; , N 9 J + ?
# 6 ^ 6 \ e ? ] 9 l u 2 _ % ' 4 G X " 0 V U B [ E / r
~ f A p u 6 b 8 < { % s i q 8 Z h . 6 { V , h r ? ;
{Ti.r3PIxMMMv6{xS^+'Hq!AxB"YXRS@!
Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH
J I I v H z > _ * . \ > J r l U 3 2 ~ e G P ?
lR=bF3+;y$3lodQ & ] B S 6 R & j ?
# t P 7 i a V } - } ` \ ? [ _ [ Z ^ L B M P G -
FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy!
^ z k h d f 3 C 5 P A k R ? V ( ( - % > < h n |
3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@
5 : d f d 4 5 * ( 7 ^ % 5 a p \ z I y l " ' f ,
$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@Wjh
Z}r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/
6N-wyzj/MTd#A;r
Program
Automating Testing
9
https://www.fuzzingbook.org/html/Fuzzer.html
Fuzzing
Slide 10
Slide 10 text
@app.route('/admin')
def admin():
username = request.cookies.get("username")
if not username:
return {"Error": "Specify username in Cookie"}
username = urllib.quote(os.path.basename(username))
url = "http://permissions:5000/permissions/{}".format(username)
resp = requests.request(method="GET", url=url)
# "superadmin\ud888" will be simpli
fi
ed to "superadmin"
ret = ujson.loads(resp.text)
if resp.status_code == 200:
if "superadmin" in ret["roles"]:
return {"OK": "Superadmin Access granted"}
else:
e = u"Access denied. User has following roles:
{}".format(ret["roles"])
return {"Error": e}, 401
else:return {"Error": ret["Error"]}, 500
[ ; x 1 - G P Z + w c c k c ] ; , N 9 J + ?
# 6 ^ 6 \ e ? ] 9 l u 2 _ % ' 4 G X " 0 V U B [ E / r
~ f A p u 6 b 8 < { % s i q 8 Z h . 6 { V , h r ? ;
{Ti.r3PIxMMMv6{xS^+'Hq!AxB"YXRS@!
Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH
J I I v H z > _ * . \ > J r l U 3 2 ~ e G P ?
lR=bF3+;y$3lodQ & ] B S 6 R & j ?
# t P 7 i a V } - } ` \ ? [ _ [ Z ^ L B M P G -
FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy!
^ z k h d f 3 C 5 P A k R ? V h n |
3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@
5 5 a p \ z I y l " ' f ,
$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@Wjh
Z}r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/
6N-wyzj/MTd#A;r
Structured Inputs
SYNTAX ERROR
✘
10
Slide 11
Slide 11 text
def process_input(input):
try:
val = parse(input)
res = process(val)
return res
except SyntaxError:
return Error
def process_input(input):
try:
✘val = parse(input)
res = process(val)
return res
except SyntaxError:
return Error
SYNTAX ERROR
11
Parser
✘
Slide 12
Slide 12 text
SYNTAX ERROR
def process_input(input):
try:
✘val = parse(input)
res = process(val)
return res
except SyntaxError:
return Error
12
The Core
✘
Slide 13
Slide 13 text
13
Overcoming Parsers
Slide 14
Slide 14 text
14
def process_input(input):
try:
val = parse(input)
res = process(val)
return res
except SyntaxError:
return Error
14
{
'' : [['']],
'' : [[''],
[''],
[''],
[''],
['true'], ['false'], ['null']],
'' : [['{', '','}'],
['{}']],
'' : [[',',','],
['']],
'' : [['',':', '']],
'' : [['[', '', ']'],
['[]']],
'' : [[',',','],
['']],
'' : [['"', '', '"'],
['""']],
'' : [['',''],
['']],
'' : [['']],
'' : [['',''],
['']],
'' : [[c] for c in string.characters]
'' : [[c] for c in string.digits]
}
Fix: Input Grammar
"Be liberal in what you accept, and conservative in what you send"
Postel's Law
The Specification
The Implementation
Extra "Features"
Where to Get the Grammar From?
40
Bugs
Slide 41
Slide 41 text
No content
Slide 42
Slide 42 text
42
Grammar Mining : Whitebox extraction of grammar
Grammar Inference: Blackbox extraction of grammar
Slide 43
Slide 43 text
43
Where to Get the Grammar From?
Handwritten parsers contain the parse structure
key value key value
scheme
parse_scheme parse_hostpath parse_querystring parse_fragment
domain TLD
subdomain
parse_host
subdirectory
parse_fslocation
binary
parse_binaryname
parameters
parse_parameters
parse_url
Slide 44
Slide 44 text
44
Where to Get the Grammar From?
Mining Grammar from a hand-written parser
https://www.example.com/forum/questions/cgi?tag=networking&order=newwest#top
key value key value
split
scheme
parse_scheme
host path
parse_hostpath
query string
parse_querystring
fragment
parse_fragment
domain TLD
subdomain
parse_host
subdirectory
parse_fslocation
binary
parse_binaryname
parameters
parse_parameters
With Dynamic Data Flow Analysis
parseurl
49
1. Extract the input string accesses
2. Attach control
fl
ow information
Hand-written parsers already encode the grammar
Mining with Dynamic Control Flow Analysis
Slide 50
Slide 50 text
50
• Inputs + control
fl
ow -> Dynamic Control Dependence Trees
• DCD Trees -> Parse Tree
Mining with Dynamic Control Flow Analysis
Slide 51
Slide 51 text
51
Control Dependence Graph
Statement B is control dependent on A if A determines whether B executes.
def parse_csv(s,i):
while s[i:]:
if is_digit(s[i]):
n,j = num(s[i:])
i = i+j
else:
comma(s[i])
i += 1
CDG for parse_csv
while: determines
whether
if: executes
Slide 52
Slide 52 text
52
def parse_csv(s,i):
while s[i:]:
if is_digit(s[i]):
n,j = num(s[i:])
i = i+j
else:
comma(s[i])
i += 1
CDG for parse_csv
Dynamic Control Dependence Tree
Each statement execution is represented as a separate node
DCD Tree for call parse_csv()
Slide 53
Slide 53 text
53
def parse_csv(s,i):
while s[i:]:
if is_digit(s[i]):
n,j = num(s[i:])
i = i+j
else:
comma(s[i])
i += 1
'1' '2' ','
DCD Tree ~ Parse Tree
•No tracking beyond input bu
ff
er
•Characters are attached to nodes where they are accessed last
"12,"
"12,"
Slide 54
Slide 54 text
54
def is_digit(i): return i in '0123456789'
def parse_num(s,i):
n = ''
while s[i:] and is_digit(s[i]):
n += s[i]
i = i +1
return i,n
def parse_paren(s, i):
assert s[i] == '('
i, v = parse_expr(s, i+1)
if s[i:] == '': raise Ex(s, i)
assert s[i] == ')'
return i+1, v
def parse_expr(s, i = 0):
expr, is_op = [], True
while s[i:]:
c = s[i]
if isdigit(c):
if not is_op: raise Ex(s,i)
i,num = parse_num(s,i)
expr.append(num)
is_op = False
elif c in ['+', '-', '*', '/']:
if is_op: raise Ex(s,i)
expr.append(c)
is_op, i = True, i + 1
elif c == '(':
if not is_op: raise Ex(s,i)
i, cexpr = parse_paren(s, i)
expr.append(cexpr)
is_op = False
elif c == ')': break
else: raise Ex(s,i)
if is_op: raise Ex(s,i)
return i, expr
9+3/4
Parse tree for parse_expr('9+3/4')
Slide 55
Slide 55 text
55
def is_digit(i): return i in '0123456789'
def parse_num(s,i):
n = ''
while s[i:] and is_digit(s[i]):
n += s[i]
i = i +1
return i,n
def parse_paren(s, i):
assert s[i] == '('
i, v = parse_expr(s, i+1)
if s[i:] == '': raise Ex(s, i)
assert s[i] == ')'
return i+1, v
def parse_expr(s, i = 0):
expr, is_op = [], True
while s[i:]:
c = s[i]
if isdigit(c):
if not is_op: raise Ex(s,i)
i,num = parse_num(s,i)
expr.append(num)
is_op = False
elif c in ['+', '-', '*', '/']:
if is_op: raise Ex(s,i)
expr.append(c)
is_op, i = True, i + 1
elif c == '(':
if not is_op: raise Ex(s,i)
i, cexpr = parse_paren(s, i)
expr.append(cexpr)
is_op = False
elif c == ')': break
else: raise Ex(s,i)
if is_op: raise Ex(s,i)
return i, expr
9+3/4
Identifying Compatible Nodes
Which nodes correspond to the same nonterminal
Service topology map of Uber
showing hundreds of microservices
(Source: Uber Engineering)
Instrumentation ability or source code
access is not always guaranteed
Slide 70
Slide 70 text
Grammar Inference
Slide 71
Slide 71 text
Grammar Inference
Problem: Exponential Search Space
2n possibilities for n length string
Slide 72
Slide 72 text
Grammar Inference
Problem: Exponential Search Space
2n possibilities for n length string
Slide 73
Slide 73 text
Grammar Inference (with examples)
Glade Arvada
With good examples, the problem is tractable
Slide 74
Slide 74 text
Finding Good Examples
Example corpus?
(Blind spots)
74
88
L* Teacher with PAC Guarantees
Probably Approximately Correct (Valiant'84)
Pr(L(A)≢X ≤ ϵ) ≥ 1−δ 1-∈: accuracy
1-δ: confidence
Equivalence Query = Multiple Membership Checks
Checks come from some sampling distribution D over A*
We only get a PAC guarantee based on D
qi = [1/ϵ (ln(1/δ) + i ln(2))]
Checks made in place of ith equivalence query:
Slide 89
Slide 89 text
89
Grammar Inference (PAC-L*)
Learner Pre
fi
x Oracle
w
Random Sampler (D)
Blackbox Hypothesis
w ∈ D
L(*)
Substituting Equivalence Queries
ab ✓
✓
abb
✘ ✘
bb ✓
✓
aaaa ✓
✓
bbb ✓
✘
Slide 90
Slide 90 text
90
Grammar Inference (PAC-L*)
Learner Pre
fi
x Oracle
w
Random Sampler (D)
w ∈ D
L(*)
Substituting Equivalence Queries
Search Space
Slide 91
Slide 91 text
91
Positive and Negative Examples
with Pre
fi
x Queries
a
[ 5
1
b
,
}
4 ]
a ∉ [,],{,},",0,1,2,3,4,5,.,.
b ∉ [,],0,1,2,3,4,5,6,7,8,9,,
} ∉ [,],0,1,2,3,4,5,6,7,8,9,0,,
[51,4]
91
Slide 92
Slide 92 text
92
Grammar Inference (PL*)
Learner Pre
fi
x Oracle
w
Blackbox Hypothesis
w ∈ B
Yes/No
Yes/No
PL(*)
w ∈ H
Substituting Equivalence Queries
Slide 93
Slide 93 text
93
Grammar Inference (PL*)
Pr(L(A)≢X ≤ ϵ) ≥ 1−δ
Relation between D,ϵ,δ and F1 score On Arithmetic (depth limited)
L(*)
Eq = Pre
fi
x Sampler Eq = Pre
fi
x Sampler)
(p=0.05) (p=0.5)
Eq = Pre
fi
x Sampler)
(p=1.0)
Red is good, Blue is bad
PL(*) PL(*) PL(*)
1-δ: confidence
1-∈: accuracy
Slide 94
Slide 94 text
94
Grammar Inference (PL*)
Pr(L(A)≢X ≤ ϵ) ≥ 1−δ
Relation between D,ϵ,δ and F1 score On JSON (depth limited)
L(*)
Eq = Pre
fi
x Sampler
(p=0.05)
Eq = Pre
fi
x Sampler)
(p=0.5)
Eq = Pre
fi
x Sampler)
(p=1.0)
Red is good, Blue is bad
1-δ: confidence
1-∈: accuracy
PL(*)
PL(*) PL(*)