agroce/universalmutator agroce/universalmutator

  • Stars
    star
    132
  • Rank 272,646 (Top 6 %)
  • Language
    Python
  • License
    Other
  • Created almost 7 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
agroce/universalmutator
github

agroce

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Regexp based tool for mutating generic source code across numerous languages

This is a tool based on source-based rewrite of code lines for mutation generation, including multi-language rules aided by special rules for languages or even projects. Originally, the approach used only regular expressions, treating code as text. However, there is also a mode that can use the Comby tool for more sophisticated mutation that produces fewer invalid mutants. Regular-expression based mutation works well, in our experience; comby-aided mutation works even better. The key advantage of either approach is that the tool can probably mutate approximately any interesting source code you have, and language changes don't force rewriting of the mutation tool. To use the comby mode, just make sure comby is installed and add --comby when you run mutate.

More information on this project can be found in our 2018 ICSE tool paper: https://agroce.github.io/icse18t.pdf

A guest blog post for Trail of Bits shows how to use the universalmutator to help improve a C/C++ API fuzzing effort using DeepState and libFuzzer.

The universalmutator has support for extracting coverage information to guide mutation from the TSTL testing tool for Python.

HOW TO USE IT

To use this, you should really just do:

pip install universalmutator

then

mutate --help

SIMPLE EXAMPLE USAGE

mutate foo.py

or

mutate foo.swift

should, if you have the appropriate compilers installed, generate a bunch of valid, non-trivially redundant, mutants.

A MORE COMPLEX EXAMPLE

Sometimes the mutated code needs to be built with a more complicated command than a simple compiler call, and of course you want help discovering which mutants are killed and not killed. For example, to mutate and test mutants for the mandelbrot plotting example included in the PROGRAMMING RUST book (http://shop.oreilly.com/product/0636920040385.do), just do this:

git clone https://github.com/ProgrammingRust/mandelbrot
cd mandelbrot
cargo build
target/debug/mandelbrot origmandel.png 1000x750 -1.20,0.35 -1,0.20
mkdir mutants
mutate src/main.rs --mutantDir mutants --noCheck
analyze_mutants src/main.rs "cargo clean; cargo build; rm mandel.png; target/debug/mandelbrot mandel.png 1000x750 -1.20,0.35 -1,0.20; diff mandel.png origmandel.png" --mutantDir mutants

(It will go faster if you edit main.rs to lower the maximum number of threads used to something like 8, not 90.) At the moment, this won't use any Trivial Compiler Equivalence, but still kills about 60% of the 1000+ mutants. The killed mutant filenames will be in killed.txt and the non-killed ones in not-killed.txt.

Working with something like maven is very similar, except you can probably edit the complicated build/clean stuff to just a 'mvn test' or similar.

CURRENTLY SUPPORTED LANGUAGES

The tool will likely mutate other things, if you tell it they are "c" or something, but there is auto-detection based on file ending and specific rule support for:

C
C++
Java
JavaScript
Python
Swift
Rust
Go
Lisp
Solidity
Vyper
Fe

(the last three are smart contract languages for the Ethereum blockchain).

All but C, C++, JavaScript, and Go will try, by default, to compile the mutated file and use TCE to detect redundancy. Of course, build dependencies may frustrate this process, in which case --noCheck will turn off TCE and just dump all the mutants in the directory, for pruning using a real build process. In the long run, we plan to integrate with standard build systems to avoid this problem, and with automated test generation systems such as TSTL (https://github.com/agroce/tstl) for Python or Echidna for Solidity (https://github.com/trailofbits/echidna). Even now, however, with analyze_mutants it is fairly easy to set up automatic evaluation of your automated test generator.

MUTATING SOLIDITY CODE

The universalmutator has been most frequently applied to smart contracts written in the Solidity language. It supports a few special features that are particularly useful in this context.

First, Solidity libraries are often written with only internal functions --- and the compiler will not emit code for such functions if you compile a library by itself, resulting in no non-redundant mutants. In order to handle this case, mutate can take a --compile option that specifies another file (a contract using the library, or the tests in question) that is used to check whether mutants are redundant.

Second, swapping adjacent lines of code is a seldom-used mutation operator that is unusually attractive in a Solidity context because swapping a state-changing operation and a requirement may reveal that testing is incapable of detecting some re-entrancy vulnerabilities. The testing may notice the absence of the check, but not a mis-ordering, and these mutants may reveal that. To add code swaps to your mutations, just add --swap to the mutate call. Note that swaps work in any language; they are just particularly appealing for smart contracts.

MORE INFORMATON

For much more information, again see https://agroce.github.io/icse18t.pdf -- demo/tool paper at ICSE 18.

The aim of this project is partly to see how quickly mutation can be applied to new languages, partly how much the work of a tool can be offloaded to the compiler / test analysis tools.

Authors: Alex Groce, Josie Holmes, Darko Marinov, August Shi, Lingming Zhang

More Repositories

1

afl-compiler-fuzzer

Variation of american fuzzy lop for testing compilers
C
114
star
2

tstl

Template Scripting Testing Language tool: automated test generation for Python
Python
103
star
3

cs362w16core

Class core for 362 W 16, OSU
C
14
star
4

naucs499sp20

Class on embedded systems testing
C++
13
star
5

cs362sp16core

Class repository for core material in CS362 Oregon State Spring 2016
C
8
star
6

muttfuzz

A tool for meta-fuzzing using program mutants
Python
8
star
7

testfs

DeepState testing for TestFS, a user level toy file system that is similar to ext3
C
6
star
8

cs362sp15core

362 class repo for spring 2015
C
6
star
9

testleveldb

DeepState testing for levelDB
C++
5
star
10

rb_tree_demo

DeepState version of code accompanying a blog post about fuzzing a red-black tree implementation: http://blog.regehr.org/archives/896
C
4
star
11

echidna-parade

Scripts to launch swarmed echidna instances (a parade is a group of echidna)
Python
4
star
12

cbmcmutate

mutation testing meets model checking
Python
4
star
13

naucs499sp18

CS 499: Software Security, Spring 2018
Python
4
star
14

cs569sp16

Class for CS 569 SP 16
Python
3
star
15

bug-transfer

Python
3
star
16

cc2022

CC paper on compiler fuzzing
TeX
3
star
17

slithermutate

some of the slither mutation testing
TeX
3
star
18

cs562w16

Class repo for CS562 Winter 2016
Python
2
star
19

swarmed_tools

Swarmed versions of random testing tools
JavaScript
2
star
20

agroce.github.io

New webpage hosted at github
TeX
2
star
21

cs569sp15

569 Class repo
C
2
star
22

echidna_demo_issta20

latex draft + data for a tool paper describing the Echidna fuzzer
TeX
1
star
23

fuzzing22report

Report draft for https://fuzzingworkshop.github.io/
1
star
24

bgganalysis

analyze bgg comments
Python
1
star
25

howtotestit

Testing book
TeX
1
star
26

bitcorpus

1
star
27

compilermutants

Mutants for GCC and SpiderMonkey used in ISSRE 2018 paper
C
1
star
28

icse18tool

ICSE 18 tool paper on universal mutator
TeX
1
star
29

paper-testlength

Data and text for paper on length of tests
TeX
1
star
30

mutantsnsfsmall

NSF proposal on mutation testing
TeX
1
star
31

echidna-parade-issta21-demo

paper for echidna-parade
TeX
1
star
32

fmitf-2024

fmitf-2024
TeX
1
star
33

deepstate-c-blosc2

DeepState harness to test CBlosc2 compression library
C++
1
star
34

bitcoin_fuzz_tools

Python
1
star