def createNextGeneration2(fit, gn):
''' this funtion generates new generation. This is the implemntation of standard ilitism approach.'''
files = os.listdir(config.INPUTD)
ga = operators.GAoperator(random.Random(), config.ALLSTRINGS)
sfit = sorted(fit.items(), key=itemgetter(1), reverse=True)
fitnames = [k for k, v in sfit]
# as our selection policy requires that each input that trigerred a new BB must go to the next generation, we need to find a set of BEST BBs and merge it with this set of inputs.
best = set(fitnames[:config.BESTP]).union(set(config.SPECIALENTRY))
#print "best",best, len(best)
if len(best) % 2 != 0:
for nm in fitnames:
if nm not in best:
best.add(nm)
break
if config.GOTSTUCK == True:
heavyMutate(config.INPUTD, ga, best)
i = 0
bn, ext = splitFilename(sfit[i][0])
#limit=config.POPSIZE - config.BESTP
limit = config.POPSIZE - len(best)
while i < limit:
cutp = int(random.uniform(0.4, 1.0) * len(fitnames))
#we are going to use crossover s.t. we want to choose best parents frequently, but giving chance to less fit parents also to breed. the above cut gives us an offset to choose parents from.
#print "crossover"
par = random.sample(fitnames[:cutp], 2)
fp1 = os.path.join(config.INPUTD, par[0])
fp2 = os.path.join(config.INPUTD, par[1])
p1 = readFile(fp1)
p2 = readFile(fp2)
ch1, ch2 = ga.crossover(p1, p2)
np1 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i, gn, ext))
np2 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i + 1, gn, ext))
#now we do mutation on these children, one by one
if random.uniform(0.1, 1.0) > (1.0 - config.PROBMUT):
mch1 = ga.mutate(ch1)
writeFile(np1, mch1)
else:
writeFile(np1, ch1)
if random.uniform(0.1, 1.0) > (1.0 - config.PROBMUT):
mch2 = ga.mutate(ch2)
writeFile(np2, mch2)
else:
writeFile(np2, ch2)
i += 2
# now we need to delete last generation inputs from INPUTD dir, preserving BEST inputs.
#best=[k for k,v in sfit][:config.BESTP]
for fl in files:
if fl in best:
continue
os.remove(os.path.join(config.INPUTD, fl))
#lets check if everything went well!!!
if len(os.listdir(config.INPUTD)) != config.POPSIZE:
die("Something went wrong while creating next gen inputs.. check it!")
return 0
def create_files_dry(num):
''' This function creates num number of files in the input directory. This is called if we do not have enough initial population.'''
files = os.listdir(config.INITIALD)
ga = operators.GAoperator(random.Random(), [set(), set()])
fl = random.choice(files)
bn, ext = splitFilename(fl)
while (num != 0):
fl = random.choice(files)
fp = os.path.join(config.INITIALD, fl)
p1 = readFile(fp)
#ch1= ga.mutate(p1)
ch1 = ga.totally_random(p1, fl)
np1 = os.path.join(config.INPUTD, "ex-%d.%s" % (num, ext))
writeFile(np1, ch1)
num -= 1
# files.extend(os.listdir(config.INPUTD))
return 0
def createNextGeneration(fit, gn):
''' this funtion generates new generation. This is a variation of standard ilitism approach s.t. we either perform crossover or mutation, but noth both as done in standard approach. see createNextGeneration2() for standard implementation. '''
files = os.listdir(config.INPUTD)
ga = operators.GAoperator(random.Random(), config.ALLSTRINGS)
sfit = sorted(fit.items(), key=itemgetter(1), reverse=True)
i = 0
bn, ext = splitFilename(sfit[i][0])
limit = config.POPSIZE - config.BESTP
while i < limit:
if random.uniform(0.1, 1.0) > (1.0 - config.PROBCROSS) and (i <
limit - 2):
#we are going to use crossover, so we get two parents.
#print "crossover"
#par=random.sample(files, 2)
fp1 = os.path.join(config.INPUTD, sfit[i][0])
fp2 = os.path.join(config.INPUTD, sfit[i + 1][0])
p1 = readFile(fp1)
p2 = readFile(fp2)
ch1, ch2 = ga.crossover(p1, p2)
np1 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i, gn, ext))
np2 = os.path.join(config.INPUTD,
"new-%d-g%d.%s" % (i + 1, gn, ext))
writeFile(np1, ch1)
writeFile(np2, ch2)
i += 2
else:
#print "mutation"
#fl=random.choice(files)
#bn, ext = splitFilename(fl)
fp = os.path.join(config.INPUTD, sfit[i][0])
p1 = readFile(fp)
ch1 = ga.mutate(p1, sfit[i][0])
np1 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i, gn, ext))
writeFile(np1, ch1)
i += 1
# now we need to delete last generation inputs from INPUTD dir, preserving BEST inputs.
best = [k for k, v in sfit][:config.BESTP]
for fl in files:
if fl in best:
continue
os.remove(os.path.join(config.INPUTD, fl))
#lets check if everything went well!!!
if len(os.listdir(config.INPUTD)) != config.POPSIZE:
die("Something went wrong while creating next gen inputs.. check it!")
return 0
def createBufferOverflowinputs(input_list):
num = 1
ga=operators.GAoperator(random.Random(),config.ALLSTRINGS)
string_add = [100*"A",1000*"A",10000*"A",100*"%s",10*"%s"]
add_size = [100,1000,10000,2000,5000]
print input_list
#raw_input()
ma = {}
fname = ""
for inp in input_list:
if inp in config.ANALYSIS_MAP:
#ch1= ga.mutate(p1)
arrs = config.ANALYSIS_MAP[inp][1]
if len(arrs) > len(ma) and inp not in config.used_buf and (inp not in config.err_in):
ma = arrs
fname = inp
config.used_buf.append(fname)
done = []
ma = random.sample(ma, min(config.NEWINT, len(ma)))
for a in ma:
bn, ext = splitFilename(fname)
fp=os.path.join(config.SPECIAL,fname)
p1=readFile(fp)
if (a[0], a[1]) in done:
continue
done.append((a[0], a[1]))
# for v in string_add:
for v in add_size:
config.NUMINPUTS += 1
config.fname = fname
#ch1=ga.add_random_string_mutate(p1, fname,a, v)
ch1=ga.add_random_string_mutate_2(p1, fname,a, v)
#ch1=taint_based_change(ch1,inp)
np1=os.path.join(config.BUGD,"extra-%d.%s"%(config.NUMINPUTS,ext))
#print "extra-%d.%s"%(num,ext)
#raw_input()
writeFile(np1,ch1)
num += 1
print done
#raw_input()
return num
def create_files_dry(num):
''' This function creates num number of files in the input directory. This is called if we do not have enough initial population.
'''
#files=os.listdir(config.INPUTD)
files = os.listdir(config.INITIALD)
#files=random.sample(filef, 2)
ga = operators.GAoperator(random.Random(), [set(), set()])
fl = random.choice(files)
bn, ext = splitFilename(fl)
while (num != 0):
#if random.uniform(0.1,1.0)>(1.0 - config.PROBCROSS) and (num >1):
# #we are going to use crossover, so we get two parents.
# par=random.sample(files, 2)
# bn, ext = splitFilename(par[0])
# #fp1=os.path.join(config.INPUTD,par[0])
# #fp2=os.path.join(config.INPUTD,par[1])
# fp1=os.path.join(config.INITIALD,par[0])
# fp2=os.path.join(config.INITIALD,par[1])
# p1=readFile(fp1)
# p2=readFile(fp2)
# ch1,ch2 = ga.crossover(p1,p2)
# np1=os.path.join(config.INPUTD,"ex-%d.%s"%(num,ext))
# np2=os.path.join(config.INPUTD,"ex-%d.%s"%(num-1,ext))
# writeFile(np1,ch1)
# writeFile(np2,ch2)
# num -= 2
#else:
fl = random.choice(files)
#bn, ext = splitFilename(fl)
#fp=os.path.join(config.INPUTD,fl)
fp = os.path.join(config.INITIALD, fl)
p1 = readFile(fp)
#ch1= ga.mutate(p1)
ch1 = ga.totally_random(p1, fl)
np1 = os.path.join(config.INPUTD, "ex-%d.%s" % (num, ext))
writeFile(np1, ch1)
num -= 1
#files.extend(os.listdir(config.INPUTD))
return 0
def create_files(num):
''' This function creates num number of files in the input directory. This is called if we do not have enough initial population.
Addition: once a new file is created by mutation/cossover, we query MOSTCOMMON dict to find offsets that replace values at those offsets in the new files. Int he case of mutation, we also use taintmap of the parent input to get other offsets that are used in CMP and change them. For crossover, as there are two parents invlived, we cannot query just one, so we do a random change on those offsets from any of the parents in resulting children.
'''
#files=os.listdir(config.INPUTD)
files = os.listdir(config.INITIALD)
ga = operators.GAoperator(random.Random(), config.ALLSTRINGS)
while (num != 0):
if random.uniform(0.1, 1.0) > (1.0 - config.PROBCROSS) and (num > 1):
#we are going to use crossover, so we get two parents.
par = random.sample(files, 2)
bn, ext = splitFilename(par[0])
#fp1=os.path.join(config.INPUTD,par[0])
#fp2=os.path.join(config.INPUTD,par[1])
fp1 = os.path.join(config.INITIALD, par[0])
fp2 = os.path.join(config.INITIALD, par[1])
p1 = readFile(fp1)
p2 = readFile(fp2)
ch1, ch2 = ga.crossover(p1, p2)
# now we make changes according to taintflow info.
ch1 = taint_based_change(ch1, par[0])
ch2 = taint_based_change(ch2, par[1])
np1 = os.path.join(config.INPUTD, "ex-%d.%s" % (num, ext))
np2 = os.path.join(config.INPUTD, "ex-%d.%s" % (num - 1, ext))
writeFile(np1, ch1)
writeFile(np2, ch2)
num -= 2
else:
fl = random.choice(files)
bn, ext = splitFilename(fl)
#fp=os.path.join(config.INPUTD,fl)
fp = os.path.join(config.INITIALD, fl)
p1 = readFile(fp)
ch1 = ga.mutate(p1, fl)
ch1 = taint_based_change(ch1, fl)
np1 = os.path.join(config.INPUTD, "ex-%d.%s" % (num, ext))
writeFile(np1, ch1)
num -= 1
return 0
def createNextGeneration3(fit, gn):
''' this funtion generates new generation. This is the implemntation of standard ilitism approach. We are also addressing "input bloating" issue by selecting inputs based on its length. the idea is to select inputs for crossover their lenths is less than the best input's length. Oterwise, such inputs directly go for mutation whereby having a chance to reduce their lengths.'''
files = os.listdir(config.INPUTD)
ga = operators.GAoperator(random.Random(), config.ALLSTRINGS)
sfit = sorted(fit.items(), key=itemgetter(1), reverse=True)
bfp = os.path.join(config.INPUTD, sfit[0][0])
bestLen = os.path.getsize(bfp)
fitnames = [k for k, v in sfit]
# as our selection policy requires that each input that trigerred a new BB must go to the next generation, we need to find a set of BEST BBs and merge it with this set of inputs.
best = set(fitnames[:config.BESTP]) #.union(set(config.SPECIALENTRY))
#best.update(config.CRASHIN)
#print "best",best, len(best)
if len(best) % 2 != 0:
for nm in fitnames:
if nm not in best:
best.add(nm)
break
if config.GOTSTUCK == True:
heavyMutate(config.INPUTD, ga, best)
#here we check for file length and see if we can reduce lengths of some.
if gn % config.skipGen == 0:
mn, mx, avg = getFileMinMax(config.INPUTD)
filesTrim(config.INPUTD, avg, bestLen, config.minLength, ga, best)
i = 0
bn, ext = splitFilename(sfit[i][0])
#limit=config.POPSIZE - config.BESTP
limit = config.POPSIZE - len(best)
#print "nextgen length %d - %d\n"%(limit, len(best))
#raw_input("enter key")
crashnum = 0 #this variable is used to count new inputs generated with crashing inputs.
emptyDir(config.INTER)
copyd2d(config.SPECIAL, config.INTER)
if config.ERRORBBON == True:
copyd2d(config.INITIALD, config.INTER)
while i < limit:
cutp = int(random.uniform(0.4, 0.8) * len(fitnames))
#we are going to use crossover s.t. we want to choose best parents frequently, but giving chance to less fit parents also to breed. the above cut gives us an offset to choose parents from. Note that last 10% never get a chance to breed.
#print "crossover"
par = random.sample(fitnames[:cutp], 2)
fp1 = os.path.join(config.INPUTD, par[0])
fp2 = os.path.join(config.INPUTD, par[1])
inpsp = os.listdir(config.INTER)
#if len(config.SPECIALENTRY)>0 and random.randint(0,9) >6:
# fp1=os.path.join(config.INPUTD,random.choice(config.SPECIALENTRY))
#if len(config.CRASHIN)>0 and random.randint(0,9) >4 and crashnum<5:
# fp2=os.path.join(config.INPUTD,random.choice(config.CRASHIN))
# crashnum += 1
sin1 = 'xxyy'
sin2 = 'yyzz'
if len(inpsp) > 0:
if random.randint(0, 9) > config.SELECTNUM:
sin1 = random.choice(inpsp)
fp1 = os.path.join(config.INTER, sin1)
if random.randint(0, 9) > config.SELECTNUM:
sin2 = random.choice(inpsp)
fp2 = os.path.join(config.INTER, sin2)
np1 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i, gn, ext))
np2 = os.path.join(config.INPUTD, "new-%d-g%d.%s" % (i + 1, gn, ext))
p1 = readFile(fp1)
p2 = readFile(fp2)
if (len(p1) > bestLen) or (len(p2) > bestLen):
#print "no crossover"
#mch1= ga.mutate(p1)
if sin1 != 'xxyy':
mch1 = ga.mutate(p1, sin1)
mch1 = taint_based_change(mch1, sin1)
else:
mch1 = ga.mutate(p1, par[0])
mch1 = taint_based_change(mch1, par[0])
#mch2= ga.mutate(p2)
if sin2 != 'yyzz':
mch2 = ga.mutate(p2, sin2)
mch2 = taint_based_change(mch2, sin2)
else:
mch2 = ga.mutate(p2, par[1])
mch2 = taint_based_change(mch2, par[1])
if len(mch1) < 3 or len(mch2) < 3:
die("zero input created")
writeFile(np1, mch1)
writeFile(np2, mch2)
i += 2
#continue
else:
#print "crossover"
ch1, ch2 = ga.crossover(p1, p2)
#now we do mutation on these children, one by one
if random.uniform(0.1, 1.0) > (1.0 - config.PROBMUT):
#mch1= ga.mutate(ch1)
if sin1 != 'xxyy':
mch1 = ga.mutate(ch1, sin1)
mch1 = taint_based_change(mch1, sin1)
else:
mch1 = ga.mutate(ch1, par[0])
mch1 = taint_based_change(mch1, par[0])
if len(mch1) < 3:
die("zero input created")
writeFile(np1, mch1)
else:
if sin1 != 'xxyy':
ch1 = taint_based_change(ch1, sin1)
else:
ch1 = taint_based_change(ch1, par[0])
writeFile(np1, ch1)
if random.uniform(0.1, 1.0) > (1.0 - config.PROBMUT):
#mch2= ga.mutate(ch2)
if sin2 != 'yyzz':
mch2 = ga.mutate(ch2, sin2)
mch2 = taint_based_change(mch2, sin2)
else:
mch2 = ga.mutate(ch2, par[1])
mch2 = taint_based_change(mch2, par[1])
if len(mch2) < 3:
die("zero input created")
writeFile(np2, mch2)
else:
if sin2 != 'yyzz':
ch2 = taint_based_change(ch2, sin2)
else:
ch2 = taint_based_change(ch2, par[1])
writeFile(np2, ch2)
i += 2
# now we need to delete last generation inputs from INPUTD dir, preserving BEST inputs.
#best=[k for k,v in sfit][:config.BESTP]
#print "gennext loop ",i
#raw_input("enterkey..")
for fl in files:
if fl in best:
continue
os.remove(os.path.join(config.INPUTD, fl))
#lets check if everything went well!!!
if len(os.listdir(config.INPUTD)) != config.POPSIZE:
die("Something went wrong while creating next gen inputs.. check it!")
return 0
def createIntegerOverflowInputs(input_list):
ga=operators.GAoperator(random.Random(),config.ALLSTRINGS)
interesting_8 = ["\x80","\x81","\xff","\x00","\x01","\x10","\x20","\x40","\x64","\x7f"]
interesting_16 = ['\x80\x00','\xff\x7f','\x00\x80','\x00\xff','\x02\x00','\x03\xe8','\x04\x00','\x10\00','\x7f\xff']
interesting_32 = ['\x80\x00\x00\x00','\xfa\x00\x00\xfa','\xff\xff\x7f\xff','\x00\x00\x80\x00','\x00\x00\xff\xff','\x00\x01\x00\x00','\x05\xff\xff\x05','\x7f\xff\xff\xff']
#raw_input()
num = 1
ga=operators.GAoperator(random.Random(),config.ALLSTRINGS)
ma = 0
fname = ""
for inp in input_list:
if inp in config.ANALYSIS_MAP:
#ch1= ga.mutate(p1)
arrs = len(config.ANALYSIS_MAP[inp][0]['INT16']) + len(config.ANALYSIS_MAP[inp][0]['INT32'])
if ((ma == 0 )or (arrs > ma)) and (inp not in config.used_int) and (inp not in config.err_in):
ma = arrs
fname = inp
config.used_int.append(fname)
if fname in config.ANALYSIS_MAP.keys() and fname != "":
extra_16 = 0
extra_32 = 0
mi = config.ANALYSIS_MAP[fname][0]
#print mi
#raw_input()
r = list(set(mi['INT32'])-set(config.MOSTCOMMON.keys()))
r = random.sample(r, min(config.NEWINT, len(r)))
if len(r) < config.NEWINT:
extra_16 = config.NEWINT-len(r)
r = list(set(mi['INT16'])-set(config.MOSTCOMMON.keys()))
if len(r) < config.NEWINT:
extra_32 = config.NEWINT-len(r)
r = random.sample(r, min(config.NEWINT+extra_16, len(r)))
for of in r:
bn, ext = splitFilename(fname)
fp=os.path.join(config.SPECIAL,fname)
p1=readFile(fp)
config.fname = fname
if int(of)+2 > len(p1):
continue
if config.AGGRESIVE==True:
for i in range(1,36):
no = struct.unpack("<H", p1[int(of):int(of)+2])[0] - i
if no<0:
no = no+65536
fuzzed=p1[:int(of)]+struct.pack(">H", no)+p1[int(of)+2:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
for v in interesting_16:
fuzzed=p1[:int(of)]+v+p1[int(of)+2:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
fuzzed=p1[:int(of)]+chr(255-ord(p1[int(of)]))+chr(255-ord(p1[int(of)+1]))+p1[int(of)+2:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
r = list(set(mi['INT32'])-set(config.MOSTCOMMON.keys()))
r = random.sample(r, min(config.NEWINT+extra_32, len(r)))
for of in r:
bn, ext = splitFilename(fname)
fp=os.path.join(config.SPECIAL,fname)
p1=readFile(fp)
config.fname = fname
if int(of)+4 > len(p1):
continue
if config.AGGRESIVE==True:
for i in range(1,36):
no = struct.unpack("<L", p1[int(of):int(of)+4])[0] - i
if no<0:
no = no+4294967296
fuzzed=p1[:int(of)]+struct.pack(">I", no)+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
for v in interesting_32:
fuzzed=p1[:int(of)]+v+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
"""
fuzzed=p1[:int(of)]+v[::-1]+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
"""
fuzzed=p1[:int(of)]+chr(255-ord(p1[int(of)]))+chr(255-ord(p1[int(of)+1]))+chr(255-ord(p1[int(of)+2]))+chr(255-ord(p1[int(of)+3]))+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extraint-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
return num
def createMallocInputs(input_list):
ga=operators.GAoperator(random.Random(),config.ALLSTRINGS)
interesting_8 = ["\x80","\x81","\xff","\x00","\x01","\x10","\x20","\x40","\x64","\x7f"]
interesting_16 = ['\x80\x00','\xff\x7f','\x00\x80','\x00\xff','\x02\x00','\x03\xe8','\x04\x00','\x10\00','\x7f\xff']
interesting_32 = ['\x80\x00\x00\x00','\xfa\x00\x00\xfa','\xff\xff\x7f\xff','\x00\x00\x80\x00','\x00\x00\xff\xff','\x00\x01\x00\x00','\x05\xff\xff\x05','\x7f\xff\xff\xff']
#raw_input()
num = 1
ga=operators.GAoperator(random.Random(),config.ALLSTRINGS)
ma = 0
fname = ""
for inp in input_list:
if inp in config.ANALYSIS_MAP:
#ch1= ga.mutate(p1)
arrs = len(config.ANALYSIS_MAP[inp][5])
if (ma == 0 )or (arrs > ma):
ma = arrs
fname = inp
if fname in config.ANALYSIS_MAP.keys() and fname != "":
mi = config.ANALYSIS_MAP[fname][5]
for off in mi:
of=off[0]
bn, ext = splitFilename(fname)
fp=os.path.join(config.SPECIAL,fname)
p1=readFile(fp)
config.fname = fname
if off[1] == 1:
for v in interesting_8:
fuzzed=p1[:int(of)]+v+p1[int(of)+1:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
if off[1] == 2:
for v in interesting_16:
fuzzed=p1[:int(of)]+v+p1[int(of)+2:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
if off[1] == 4:
for v in interesting_32:
fuzzed=p1[:int(of)]+v+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
fuzzed=p1[:int(of)]+v[::-1]+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
if off[1] == 8:
for v in interesting_32:
fuzzed=p1[:int(of)]+v+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
fuzzed=p1[:int(of)]+v[::-1]+p1[int(of)+4:]
np1=os.path.join(config.BUGD,"extramalloc-%d.%s"%(config.NUMINPUTS,ext))
writeFile(np1,fuzzed)
num += 1
config.NUMINPUTS += 1
return num
def create_files(num):
''' This function creates num number of files in the input directory. This is called if we do not have enough initial population.
Addition: once a new file is created by mutation/cossover, we query MOSTCOMMON dict to find offsets that replace values at those offsets in the new files. Int he case of mutation, we also use taintmap of the parent input to get other offsets that are used in CMP and change them. For crossover, as there are two parents invlived, we cannot query just one, so we do a random change on those offsets from any of the parents in resulting children.'''
log_print("[*] Creating initial population")
if config.HEAVYCHILDINPUTCREATION:
log_print(
"\033[0;33m[!] Child input creation enabled : it could take a while\033[0m"
)
files = os.listdir(config.INITIALD)
ga = operators.GAoperator(random.Random(), config.ALLSTRINGS)
# creating childs
while (num != 0):
if random.uniform(0.1, 1.0) > (1.0 - config.PROBCROSS) and (num > 1):
# we are going to use crossover, so we get two parents.
par = random.sample(files, 2)
bn, ext = splitFilename(par[0])
# fp1=os.path.join(config.INPUTD,par[0])
# fp2=os.path.join(config.INPUTD,par[1])
fp1 = os.path.join(config.INITIALD, par[0])
fp2 = os.path.join(config.INITIALD, par[1])
p1 = readFile(fp1)
p2 = readFile(fp2)
ch1, ch2 = ga.crossover(p1, p2) # ,par[0],par[1])
# now we make changes according to taintflow info.
ch1 = taint_based_change(ch1, par[0], ga)
ch2 = taint_based_change(ch2, par[1], ga)
np1 = os.path.join(
config.INPUTD,
"cross-ex-g%d-%d.%s" % (config.CURRENTGEN, num, ext))
np2 = os.path.join(
config.INPUTD,
"cross-ex-g%d-%d.%s" % (config.CURRENTGEN, num - 1, ext))
writeFile(np1, ch1)
writeFile(np2, ch2)
num -= 2
else:
fl = random.choice(files)
bn, ext = splitFilename(fl)
# fp=os.path.join(config.INPUTD,fl)
fp = os.path.join(config.INITIALD, fl)
p1 = readFile(fp)
ch1 = ga.mutate(p1, fl)
ch1 = taint_based_change(ch1, fl, ga)
np1 = os.path.join(config.INPUTD,
"ex-g%d-%d.%s" % (config.CURRENTGEN, num, ext))
writeFile(np1, ch1)
num -= 1
log_print("[*] Done with initial population")
if config.ALFINPUTREDUCTION:
files = os.listdir(config.INPUTD)
# collect all new files
createdFiles = []
for f in files:
if not "cross-ex-g" in f and not "ex-g" in f:
continue
createdFiles.append(os.path.join(config.INPUTD, f))
if len(createdFiles) == 0:
log_print("[-] ALFINPUTREDUCTION : No input created")
else:
log_print("[*] Starting input reduction (%d files)" %
(len(createdFiles)))
# start reduction
afl.reduction(createdFiles)
if config.ALFCHILDINPUTREDUCTION and config.HEAVYCHILDINPUTCREATION:
# collect all childs
createdChilds = []
for child in ga.childMap:
createdChilds.append(os.path.join(config.INPUTD, child))
if len(createdChilds) > 0:
log_print("[*] Starting child input reduction (%d files)" %
(len(createdChilds)))
# start reduction
afl.reduction(createdChilds)
else:
log_print("[-] ALFINPUTREDUCTION : No child input created")
#if config.HEAVYCHILDINPUTCREATION:
# log_print("\033[0;33m[!] Child input creation enabled : it could take a while\033[0m")
return 0