Input Algebras

Input Algebras
Rahul Gopinath
Hamed Nemati
Andreas Zeller
CISPA Helmholtz Center for Information Security
for Taming Grammar Fuzzers

View Slide

3
{"a": ["key"]} ✓
Program

View Slide

4
{"a": ["key"]}
Program
{"": [1,2,"k"]} ✘

View Slide

5
{"a": ["key"]}
Program
{"": [1,2,"k"]}
✓
["A", "B", "C"]

View Slide

6
{"a": ["key"]}
Program
{"": [1,2,"k"]}
["A", "B", "C"]
[{"": [1,2,3,4]}]
✘

View Slide

7
{"a": ["key"]}
{"": [1,2,"k"]}
["A", "B", "C"]
[{"": [1,2,3,4]}]
if json.has_key(""):
raise Exception()
Program

View Slide

8
{"type":"PathNode","matrix":
{"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201
948628471,"dy":371.5686591257294},"children":
[],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness":
0.5,"startX":50,"startY":0,"closed":true,"segments":
[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r":
[-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431
4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r":
[0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653
9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":
[0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385
12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r":
[0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632
6]}],"shadow":false},{"type":"PathNode","matrix":
{"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810
32855618,"dy":133.20628077515605},"children":
[],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5,"
startX":126.25,"startY":127.50445838342671,"closed":true,"segments":
[{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":
127.50445838342671,"r":
[-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554
4395]},
{"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372
04955,"r":
[-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307
6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r":
[0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930
3379]},
{"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583
8342671,"r":
[0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529
26]}],"shadow":false},{"type":"TextNode","matrix":
{"m11":1,"m12":0,"m21":0,"m22":1,"dx":543,"dy":225},"children":
[],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20},
{"type":"TextNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children":
[],"fillStyle":"#000000","text":"x","fontName":"FG Virgil","fontSize":20},
{"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children":
[],"arrowSize":10,"path":{"type":"PathNode","matrix":
Program ✘

View Slide

{"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201
948628471,"dy":371.5686591257294},"children":
[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r":
[-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431
4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r":
[0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653
9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":
[0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385
12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r":
[0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632
{"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810
32855618,"dy":133.20628077515605},"children":
[{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":
127.50445838342671,"r":
[-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554
4395]},
{"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372
04955,"r":
[-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307
6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r":
[0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930
3379]},
{"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583
8342671,"r":
[0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529
What is the smallest failure inducing input?
Hierarchical Delta Debugging

View Slide

{"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201
948628471,"dy":371.5686591257294},"children":
[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r":
[-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.0710031278431
4156]},{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r":
[0.24857700895518064,0.030472169630229473,0.49844827968627214,0.1326016811653
9717]},{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":
[0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.47907172795385
12]},{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r":
[0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.156406396068632
{"m11":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.13810
32855618,"dy":133.20628077515605},"children":
[{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":
127.50445838342671,"r":
[-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.05322327278554
4395]},
{"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.68279372
04955,"r":
[-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.3873158805072307
6]},{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r":
[0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.133069220930
3379]},
{"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.5044583
8342671,"r":
[0.42778260353952646,0.24726040940731764,0.3631806019693613,0.053255504928529
::=  
::=  
|
|  
|  
| `true` | `false` | `null` 
::= `{``}` | `{}` 
::= |`,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= | 
::= [0-9]
JSON Grammar

View Slide

{"m11":-0.6630394213564543,"m12":0,"m21":0,"m22":0.5236476835782672,"dx":565.5201948628471,"dy":371.568659125
7294},"children":
[],"strokeStyle":"#000000","fillStyle":"#e1e1e1","lineWidth":4,"smoothness":0.3,"sloppiness":0.5,"startX":50,"startY":0,"closed
":true,"segments":[{"type":3,"x":100,"y":50,"x1":100,"y1":0,"r":
[-0.3779207859188318,0.07996635790914297,-0.47163885831832886,-0.07100312784314156]},
{"type":3,"x":50,"y":100,"x1":100,"y1":100,"r":
[0.24857700895518064,0.030472169630229473,0.49844827968627214,0.13260168116539717]},
{"type":3,"x":0,"y":50,"x1":0,"y1":100,"r":
[0.1751830680295825,-0.18606301862746477,-0.4092112798243761,-0.4790717279538512]},
{"type":3,"x":50,"y":0,"x1":0,"y1":0,"r":
[0.37117584701627493,0.3612578883767128,0.0462839687243104,-0.1564063960686326]}],"shadow":false},
{"":-1.475090930376591,"m12":0,"m21":0,"m22":1.2306765694828008,"dx":700.1381032855618,"dy":133.2062807751560
5},"children":
[],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"sloppiness":0.5,"startX":126.25,"startY":127.504
45838342671,"closed":true,"segments":
[{"type":3,"x":146.01190476190476,"y":147.5936260519611,"x1":146.01190476190476,"y1":127.50445838342671,"r":
[-0.1750196823850274,-0.05804965365678072,-0.3536788672208786,0.053223272785544395]},
{"type":3,"x":126.25,"y":167.6827937204955,"x1":146.01190476190476,"y1":167.6827937204955,"r":
[-0.32906053867191076,-0.11536165233701468,0.35579121299088,0.38731588050723076]},
{"type":3,"x":108,"y":147,"x1":106.48809523809524,"y1":167.6827937204955,"r":
[0.08825046103447676,0.011088204570114613,0.43411328736692667,-0.1330692209303379]},
{"type":3,"x":126.25,"y":127.50445838342671,"x1":106.48809523809524,"y1":127.50445838342671,"r":
[0.42778260353952646,0.24726040940731764,0.3631806019693613,0.05325550492852926]}],"shadow":false},
[],"fillStyle":"#000000","text":"Y","fontName":"FG Virgil","fontSize":20},{"type":"TextNode","matrix":
{"m11":1,"m12":0,"m21":0,"m22":1,"dx":559,"dy":144},"children":[],"fillStyle":"#000000","text":"x","fontName":"FG
Virgil","fontSize":20},{"type":"ArrowNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":0,"dy":0},"children":
[],"arrowSize":10,"path":{"type":"PathNode","matrix":{"m11":1,"m12":0,"m21":0,"m22":1,"dx":464,"dy":-3},"children":
[],"strokeStyle":"#000000","fillStyle":"#ffffff","lineWidth":2,"smoothness":0.3,"
{"": []}
Hierarchical Delta Debugging
✘

View Slide

Why did my program fail?
DDSET
Gopinath, Kampmann, Havrikov, Soremekun, and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020.

View Slide

13
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:

View Slide

14
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
122489
{"A":{}, {"23": {"P":[]}}]
[[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

View Slide

15
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
"XYZR389"
{"A":{}, {"23": {"P":[]}}}
[[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

View Slide

16
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
[true, null]
{"A":{}, {"23": {"P":[]}}}
[[], [[[]],[]],{"A":{}, {"23": {"P":[]}}]

View Slide

17
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
{"__": [[]]}
{"?P":[{}], {"|": {"":[]}}}
{"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

View Slide

18
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
{"": [[]]}
{"?P":[{}], {"|": {"P":[]}}}
{"X":[[],[]],{"A":{}, {"2": {"R":[]}}}

View Slide

19
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
{"7897A": []}
{"klnm,.qer;dfs?P":[]}
{"123KOUIJ!qR30578950":[]}

View Slide

20
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
{"": true}
{"":[1,2,445,"x"]}
{"":{"PQ":[true, false, 223,"a"]}}

View Slide

21
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": []}
DDSET:
Abstraction
{"": }
Abstract Input

View Slide

• Eﬀectively abstracts a minimized input

• The abstraction identiﬁes where the problem lies

• Decompose complex program behaviors
DDSET
Gopinath, Kampmann, Havrikov, Soremekun, and Zeller. Abstracting Failure Inducing Inputs. ISSTA 2020.
ISSTA 2020 Distinguished Award
{"": }
Abstract Input
{"": []}
Minimized Input

View Slide

{"": }
Abstract Input
{"": []}
Minimized Input
How do we generate more failure inducing inputs?

View Slide

{"": }
Abstract Input
{"": [343,{},44998]}
{"": {"xxy":44998, {"b":[1,2,3]}}}
{"": {"ket":[], {"x":[],"y",[[],[1,2,3,455,6]]}}}
{"":[{3243435656:"xy,zzzpqiu"},[{"c":[112]},{"d":[[]]},{}]]}
✘
✘
✘
✘
Failure Inducing Inputs

View Slide

{"": }
Abstract Input
Need Contextualization!
Failure Inducing Inputs
[{"": [1,2,3,4]}]
{"pqr": {"": [1,2,3,4]}, "abc":[]}
[{"xr": {"": [4]}, "abc":[[],[],[1243], true, false]}
✘
✘
✘

View Slide

{"": }
Abstract Input
Language of Evocative Inputs

View Slide

{"": }
Abstract Input
Evocative Subtree

View Slide

{"": }
Abstract Input
Evocative Fragment

View Slide

{"": }
Abstract Input
Evocative Subtree is "":
Root node of the tree fragment
String representation of the tree fragment
Evocative Fragment

View Slide

Evocative Subtree
::= `:`
::= `""`
Evocative Pattern Grammar
generate() = "":

View Slide

Identify Reachable Nodes
Evocative Subtree
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
::= `:`
::= `""`

View Slide

Identify Reachable Nodes
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
Basic idea:

(1) Collect all rules that can reach the root node of abstract tree (here )
Evocative Subtree
::= `:`
::= `""`

View Slide

Identify Insertion Positions
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
 
::= `:` 
::= `[``]` 
::=
| `,`
Basic idea:

(1) Insert one Nonterminal at a time.
Evocative Subtree
::= `:`
::= `""`

View Slide

::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,`
| `,` 
::= `:` 
::= `[``]` 
::=
| `,`
Basic idea:

Evocative Subtree
::= `:`
::= `""`

View Slide

::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,`
| `,` 
::= `:` 
::= `[``]` 
::=
| `,`
| `,`
| `,`
Basic idea:

Evocative Subtree
::= `:`
::= `""`

View Slide

Reachable Grammar
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,` 
::= `:` 
::= `[``]` 
::=
| `,`
| `,`
Basic idea:

Evocative Subtree
::= `:`
::= `""`

View Slide

Connect Reachable Grammar and Pattern Grammar
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,` 
::= `:`
| `:`  
::= `[``]` 
::=
| `,`
| `,`
::= `""`
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,` 
::= `:` 
::= `[``]` 
::=
| `,`
| `,`
::= `:`
::= `""`
is "":

View Slide

Evocative Grammar
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,` 
::= `:`
| `:` 
::= `[``]` 
::=
| `,`
| `,`
::= `""`
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
{"": 100}
{"": [343,{},44998]}
[{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]]
{"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}}
{".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]}
[{"": [1,2,3,4]}]
{"pqr": {"": [1,2,3,4]}, "abc":[]}
[[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]}
generate()
✘
✘
✘
✘
✘
✘
✘
✘

View Slide

Evocative Grammar
::=  
::=  
|
|  
|  
::= `{``}` 
::=
| `,`
| `,` 
::= `:`
| `:` 
::= `[``]` 
::=
| `,`
| `,`
::= `""`
::=  
::=  
|
|  
|  
::= `{``}` | `{}` 
::= | `,` 
::= `:` 
::= `[``]` | `[]` 
::= | `,` 
::= `"` `"` | `""` 
::=  
::= [A-Za-z0-9] 
::=  
::= |  
::= [0-9]
generate()
Properties:

- Generator: All generated inputs guaranteed to have 
at least one fragment inducing the given behavior

- Validator: Will recognize all inputs with at least 
one fragment that can induce the given behavior

- Produced grammar is context-free: Consumable 
by any grammar fuzzer.

View Slide

What if there are more failure inducing patterns?

where is "":
if json.has_key_value(null):
raise Exception()
raise Exception()

where is : null

View Slide

if json.has_key("") and json.has_key_value(null):
raise Exception()

where is "":
is : null

View Slide

if json.has_key("") and not json.has_key_value(null):
raise Exception()

where is "":
is : null

View Slide

raise Exception()
if json.has_key_value(null):
raise Exception()

where is "":
is : null

View Slide

{ }
Input Algebras: Patterns to Grammar

where is "":
is : null
:=
:= ...
:=
:= ...
& =
:= and

...
:=
...
{ }
:=
| &
:=
| =
:= and |||
|||
:=
|

View Slide

:=
:=
|
:= '[' ']'
:= '{' '}'
:=
| ','
| ','
:=
| ','
| ','
:= ':'
| ':'
:=
:= 'false' | 'true'
| |
|
:= '[]' | '[' ']'
:= '{}' | '{' '}'
:=
| ','
:=
| ','
:= ':'
:= 'false' | 'true'
| |
| |

where is "":
is : null
{"": 100}
{"": [343,{},44998]}
[{"": {"xxy":44998, {"b":[1,2,3]}}},[],[]]
{"_": {"ket":[], {"":[],"y",[[],[1,2,3,455,6]]}}}
{".":[{3243435656:"xy,zzzpqiu"},[{"":[112]},{"d":[[]]},{}]]}
[{"": [1,2,3,4]}]
{"pqr": {"": [1,2,3,4]}, "abc":[]}
[[1132],{"xx":[{6:"dafjli;y,zzzdfaiu"},[{"__":[1{}{}]},{"":[[444456]]},{}]]}
generate()
✘
✘
✘
✘
✘
✘
✘
✘

View Slide

where
is "":
is :null

where
is (())
is / 0

where
is "0"
is "0x"

where
is ";;"
is "()"
is "()"

View Slide

Issue 386 from Rhino
var A = class extends (class {}){};
Issue 2937 from Closure
const [y,y] = [];
var {baz:{} = baz => {}} = baz => {};
Issue 385 from Rhino
{while ((l_0)){ if ((l_0)) {break;;var l_0; continue }0}}
Issue 2842 from Closure
= class extends (class {}){}
var {<$Id1>:{} = <$Id1> => {}} ;
const [<$Id1>,<$Id1>] = []
{while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}}

View Slide

where
is = class extends (class {}){}
is {while ((<$Id1>)){ if ((<$Id1>)) {break;;var <$Id1>; continue }0}}
is var {<$Id2>:{} = <$Id2> => {}} ;
is const [<$Id3>,<$Id3>] = []
Input Algebras

View Slide

Input Algebras: Beyond fuzzing
• Validating inputs

• Supercharged recognizers (alternative to regex)

• Semantic code search

• Generating data structures

• Easily specified access control lists

View Slide

https://rahul.gopinath.org
DOI:10.5281/zenodo.4456296

View Slide

Input Algebras

Input Algebras

Rahul Gopinath

More Decks by Rahul Gopinath

Other Decks in Research

Featured

Transcript