not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simplified to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 username=admin
not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simplified to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 username=guest
not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simplified to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 username=a;pass
if not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simplified to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 Synopsys: Open Source Security and Risk Analysis Report 2024 •Average 500 external OSS components per software •50% of the OSS components were unmaintained •84% of code bases contained vulnerabilities
if not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simplified to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 import random def fuzzer(max_length=100,chars=[chr(i) for i in range(32, 64)]): return ''.join([random.choice(chars) for i in range(random.randint(0,max_length))]) $ fuzz.py | myprogram
C 5 P A k R ? V ( ( - % > < h n | 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@5:dfd45*(7^% 5ap\zIyl"'f,$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ} r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/ MTd#A;r 11 Fuzzing @app.route('/admin') def admin(): username = request.cookies.get("username") if not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simpli fi ed to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 [;x1-GPZ+wcckc];,N9J+?#6^6\e?]9lu2_%'4GX"0VUB[E/ r ~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq! AxB"YXRS@!Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH JIIvHz>_*.\>JrlU32~eGP?lR=bF3+;y$3lodQ<B89! 5 " W 2 f K * v E 7 v { ' ) K C - i , c { < [ ~ m ! ] o ; { . ' } G j \ ( X } EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| JIIvHz>_*.\>JrlU32~eGP?lR=bF3+;y$3lodQ<B89! 5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj\(X} EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gka<W =Z.%T5WGHZpI30D<Pq>&]BS6R&j?#tP7iaV}-}`\? [_[Z^LBMPG-FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy! ^zkhdf3C5PAkR?V((-%><hn| 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@5:dfd45*(7^% 5ap\zIyl"'f,$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ} r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/ MTd#A;r import random def fuzzer(max_length=100,chars=[chr(i) for i in range(32, 64)]): return ''.join([random.choice(chars) for i in range(random.randint(0,max_length))]) $ fuzz.py | myprogram zsh: exit 139 Segmentation Fault: 11
C 5 P A k R ? V ( ( - % > < h n | 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@5:dfd45*(7^% 5ap\zIyl"'f,$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ} r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/ MTd#A;r 12 Fuzzing @app.route('/admin') def admin(): username = request.cookies.get("username") if not username: return {"Error": "Specify username in Cookie"} username = urllib.quote(os.path.basename(username)) url = "http://permissions:5000/permissions/{}".format(username) resp = requests.request(method="GET", url=url) # "superadmin\ud888" will be simpli fi ed to "superadmin" ret = ujson.loads(resp.text) if resp.status_code == 200: if "superadmin" in ret["roles"]: return {"OK": "Superadmin Access granted"} else: e = u"Access denied. User has following roles: {}".format(ret["roles"]) return {"Error": e}, 401 else:return {"Error": ret["Error"]}, 500 Syntax Error [;x1-GPZ+wcckc];,N9J+?#6^6\e?]9lu2_%'4GX"0VUB[E/ r Syntax Error Syntax Error Syntax Error Syntax Error Syntax Error Syntax Error Syntax Error ~fApu6b8<{%siq8Zh.6{V,hr?;{Ti.r3PIxMMMv6{xS^+'Hq! AxB"YXRS@!Kd6;wtAMefFWM(`|J_<1~o}z3K(CCzRH JIIvHz>_*.\>JrlU32~eGP?lR=bF3+;y$3lodQ<B89! 5 " W 2 f K * v E 7 v { ' ) K C - i , c { < [ ~ m ! ] o ; { . ' } G j \ ( X } EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| JIIvHz>_*.\>JrlU32~eGP?lR=bF3+;y$3lodQ<B89! 5"W2fK*vE7v{')KC-i,c{<[~m!]o;{.'}Gj\(X} EtYetrpbY@aGZ1{P!AZU7x#4(Rtn!q4nCwqol^y6}0| Ko=*JK~;zMKV=9Nai:wxu{J&UV#HaU)*BiC<),`+t*gka<W =Z.%T5WGHZpI30D<Pq>&]BS6R&j?#tP7iaV}-}`\? [_[Z^LBMPG-FKj'\xwuZ1=Q`^`5,$N$Q@[!CuRzJ2D|vBy! ^zkhdf3C5PAkR?V((-%><hn| 3='i2Qx]D$qs4O`1@fevnG'2\11Vf3piU37@5:dfd45*(7^% 5ap\zIyl"'f,$ee,J4Gw:cgNKLie3nx9(`efSlg6#[K"@WjhZ} r[Scun&sBCS,T[/3]KAeEnQ7lU)3Pn,0)G/6N-wyzj/ MTd#A;r import random def fuzzer(max_length=100,chars=[chr(i) for i in range(32, 64)]): return ''.join([random.choice(chars) for i in range(random.randint(0,max_length))]) $ fuzz.py | myprogram zsh: exit 1 Syntax Error
Prefixes 27 • Complete with one of the compared characters [3, 1] Mathis, Gopinath, Mera, Kampmann, Höschele, and Zeller. Parser Directed Fuzzing. PLDI 2019. Mathis, Gopinath and Zeller. Learning Input Tokens for Effective Fuzzing. ISSTA 2020.
Specification Mining Model Extraction Grammar Inference: Blackbox extraction of grammar Grammar Induction Language Learning Automata Learning Model Inference
<Fs> := <B> <Fs> | <empty> Structured Control Flow to Grammar Sequence A B C [F] Selection cond A B [F] F T Iteration cond B [F] 51 Function [F] <F> := ...
A if A determines whether B executes. def parse_csv(s,i): while s[i:]: if is_digit(s[i]): n,j = num(s[i:]) i = i+j else: comma(s[i]) i += 1 CDG for parse_csv while: determines whether if: executes
i = i+j else: comma(s[i]) i += 1 CDG for parse_csv Dynamic Control Dependence Tree Each statement execution is represented as a separate node DCD Tree for call parse_csv()
i = i+j else: comma(s[i]) i += 1 '1' '2' ',' DCD Tree ~ Parse Tree •No tracking beyond input buffer •Characters are attached to nodes where they are accessed last "12," "12,"
= '' while s[i:] and is_digit(s[i]): n += s[i] i = i +1 return i,n def parse_paren(s, i): assert s[i] == '(' i, v = parse_expr(s, i+1) if s[i:] == '': raise Ex(s, i) assert s[i] == ')' return i+1, v def parse_expr(s, i = 0): expr, is_op = [], True while s[i:]: c = s[i] if isdigit(c): if not is_op: raise Ex(s,i) i,num = parse_num(s,i) expr.append(num) is_op = False elif c in ['+', '-', '*', '/']: if is_op: raise Ex(s,i) expr.append(c) is_op, i = True, i + 1 elif c == '(': if not is_op: raise Ex(s,i) i, cexpr = parse_paren(s, i) expr.append(cexpr) is_op = False elif c == ')': break else: raise Ex(s,i) if is_op: raise Ex(s,i) return i, expr 9+3/4 Parse tree for parse_expr('9+3/4')
= '' while s[i:] and is_digit(s[i]): n += s[i] i = i +1 return i,n def parse_paren(s, i): assert s[i] == '(' i, v = parse_expr(s, i+1) if s[i:] == '': raise Ex(s, i) assert s[i] == ')' return i+1, v def parse_expr(s, i = 0): expr, is_op = [], True while s[i:]: c = s[i] if isdigit(c): if not is_op: raise Ex(s,i) i,num = parse_num(s,i) expr.append(num) is_op = False elif c in ['+', '-', '*', '/']: if is_op: raise Ex(s,i) expr.append(c) is_op, i = True, i + 1 elif c == '(': if not is_op: raise Ex(s,i) i, cexpr = parse_paren(s, i) expr.append(cexpr) is_op = False elif c == ')': break else: raise Ex(s,i) if is_op: raise Ex(s,i) return i, expr 9+3/4 Identifying Compatible Nodes Which nodes correspond to the same nonterminal
$\Pr\big(\Pr_{D}[L(A) \not\equiv X] \le \epsilon\big) \ge 1-\delta$ 1-ε: accuracy 1-δ: confidence Equivalence Query = Multiple Membership Checks Checks come from some sampling distribution D over A* We only get a PAC guarantee based on D $q_i = \left\lceil \frac{1}{\epsilon}\left(\ln\frac{1}{\delta} + i\ln 2\right)\right\rceil$ Checks made in place of the i-th equivalence query:
] a ∉ [,],{,},",0,1,2,3,4,5,.,. b ∉ [,],0,1,2,3,4,5,6,7,8,9,, } ∉ [,],0,1,2,3,4,5,6,7,8,9,0,, 91 [51,4] 👍 [51,4x 👎 [51,4 👎 [51,4- 👎 Example Generator With Prefix Queries
CSV 65.7 68.3 68.5 JSON 13.8 9.2 22.5 TinyC 86.8 47.9 81.6 MJS 28.0 19.0 29.9 Branch Coverage Obtained C programs Even compared with grey-box AFL, blackbox prefix queries are competitive Quality of Examples with Prefix Queries
between p, ε, δ and F1 score On Arithmetic (depth limited) L(*) Eq = Prefix Sampler (p=0.05) Eq = Prefix Sampler (p=0.5) Eq = Prefix Sampler (p=1.0) Red is good, Blue is bad PL(*) PL(*) PL(*) 1-δ: confidence 1-ε: accuracy
between p, ε, δ and F1 score On JSON (depth limited) L(*) Eq = Prefix Sampler (p=0.05) Eq = Prefix Sampler (p=0.5) Eq = Prefix Sampler (p=1.0) Red is good, Blue is bad 1-δ: confidence 1-ε: accuracy PL(*) PL(*) PL(*)
through some testing • Program behaviour can be considered partitions on some space Implications: • Programmers will find all big partitions • Programmers will find some small partitions • Programmers won't find all small partitions Idea: Learn the language of system behaviour • Identify partitions (and corresponding inputs), largest first
data to file: /path/to/file.txt 2023-06-10 09:01:30 INFO [NetworkConnectionManager] com.example.NetworkConnector.openConnection Opening network connection to 2023-06-10 09:02:15 INFO [DatabaseConnectionPool-1] com.example.DatabaseConnector.getConnection Acquired database connection fro 2023-06-10 09:05:45 INFO [DatabaseConnectionPool-1] com.example.DatabaseConnector.releaseConnection Released database connectio 2023-06-10 09:10:00 INFO [NetworkConnectionManager] com.example.NetworkConnector.closeConnection Closing network connection to 1 2023-06-10 09:15:30 INFO [FileWriterThread-2] com.example.FileWriter.writeToFile Writing data to file: /path/to/another_file.txt 2023-06-10 09:20:00 INFO [UserAuthenticationService] com.example.auth.LoginHandler.handleLogin User 'john_doe' logged in successfully 2023-06-10 09:22:30 WARN [CacheManager] com.example.cache.CacheEvictionPolicy.evictEntries Cache size exceeded maximum limit. Evi 2023-06-10 09:25:15 ERROR [PaymentProcessingWorker-3] com.example.payments.PaymentProcessor.processPayment Payment processin 2023-06-10 09:30:45 INFO [EmailNotificationService] com.example.notifications.EmailSender.sendEmail Sent email notification to user@exam 2023-06-10 09:35:00 INFO [FileReaderThread-1] com.example.
file.FileReader.readFromFile Reading data from file: /path/to/input.csv 2023-06-10 09:40:30 INFO [DatabaseBackupJob] com.example.db.DatabaseBackupService.performBackup Database backup completed su 2023-06-10 09:45:15 WARN [APIRequestHandler] com.example.api.RequestThrottler.handleRequest API request rate limit exceeded for clien 2023-06-10 09:50:45 INFO [FileUploadService] com.example.upload.FileUploadHandler.handleUpload File 'document.pdf' uploaded success 2023-06-10 09:55:00 ERROR [ImageProcessingWorker-2] com.example.image.ImageResizer.resizeImage Failed to resize image: image_001.jp 2023-06-10 10:00:30 INFO [JobScheduler] com.example.jobs.ScheduledJob.executeJob Executing scheduled job: Daily Sales Report Gener A typical log of events
inputs with the input grammar G - Look for a specific event A in the event log - Collect the inputs that cause it A RA POST...AB POST...A; POST...B;A POST..A .*;.*
inputs with the input grammar G - Look for a specific event A in the event log - Collect the inputs that cause it - Abstract all such inputs into a grammar RA - Any inputs from G /\ RA will cause the event A - Same for event B, event C etc. B POST...C$ab POST...x$ POST...$$ POST...$ POST...A$ .*$.*
using grammar G /\ (RA /\ RB) will produce events A and B consistently A+B Behaviour Algebra POST...C$a;b POST...;$ POST...A$B;C; POST...C;$x$ POST...$; .*(;|$).*
) - Fuzzer using grammar G /\ (RA /\ RB) will produce events A and B consistently - Fuzzer using G /\ (RA /\ RB - RC) will produce events A and B consistently without C (if it is possible to produce such sequences) A+B \ C POST...;$ POST...$;
inputs - Use input algebras to combine input patterns inducing atomic events - For checking the event sequence A.B.C fuzz with G /\ (RA /\ RB /\ RC) - If A.B.C is not found, either A.B.C is impossible or it is rare Fuzzer G /\ (RA /\ RB /\ RC) (B) (A) (C) Input pattern inducing event A Input pattern inducing event B Input pattern inducing event C