input generator for the Cairo fuzzer

Cairo fuzzer inputs
FuzzingLabs · Jun 16, 2023 · 16d8fd0 · 16d8fd0
2 parents 79d153d + 04412bf
commit 16d8fd0
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ Learn more about Thoth internals here: [Demo video](https://www.youtube.com/watc
 - **[Data Flow analysis](#print-the-contracts-data-flow-graph-dfg)**: Thoth can generate a **Data Flow Graph** (DFG) for each function
 - **[Disassembler](#disassemble-the-contracts-compilation-artifact-json)**: Thoth can translate bytecode into assembly representation
 - **[Control Flow analysis](#print-the-contracts-control-flow-graph-cfg)**: Thoth can generate a **Control Flow Graph** (CFG)
+- **[Cairo Fuzzer inputs generation](#generate-inputs-for-the-cairo-fuzzer)**: Thoth can generate inputs for the  [**Cairo fuzzer**](https://github.com/FuzzingLabs/cairo-fuzzer)
 - **[Sierra files analysis](/sierra/README.md)** : Thoth can analyze **Sierra** files 
 - **[Sierra files symbolic execution](/doc/symbolic_execution.md)** : Thoth allows **symbolic execution** on sierra files
 - **[Symbolic bounded model checker](/doc/symbolic_bounded_model_checker_sierra.md)** : Thoth can be used as a **Symbolic bounded model checker**
@@ -168,6 +169,14 @@ The output file (pdf/svg/png) and the dot file are inside the `output-cfg` folde
 	<img src="/doc/images/thoth/cairo_double_function_and_if_cfg.png"/>
 </p>
 
+## Generate inputs for the Cairo fuzzer
+
+You can generate inputs for the [Cairo fuzzer](https://github.com/FuzzingLabs/cairo-fuzzer) using this command
+
+```
+thoth local ./tests/json_files/cairo_0/cairo_test_symbolic_execution_2.json -a fuzzer
+```
+
 # F.A.Q
 
 ## How to find a Cairo/Starknet compilation artifact (json file)?

diff --git a/thoth/app/analyzer/__init__.py b/thoth/app/analyzer/__init__.py
@@ -4,6 +4,7 @@
 from thoth.app.analyzer.strings.strings_analyzer import StringsAnalyzer
 
 from thoth.app.analyzer.testing.tests_cases_generator import TestCasesGeneratorAnalyzer
+from thoth.app.analyzer.testing.fuzzer_input_generator import FuzzerInputGeneratorAnalyzer
 
 from thoth.app.analyzer.functions.functions_analyzer import FunctionsAnalyzer
 
@@ -23,6 +24,7 @@
     ERC721Analyzer,
     StringsAnalyzer,
     TestCasesGeneratorAnalyzer,
+    FuzzerInputGeneratorAnalyzer,
     FunctionsAnalyzer,
     StatisticsAnalyzer,
     # Optimization

diff --git a/thoth/app/analyzer/testing/fuzzer_input_generator.py b/thoth/app/analyzer/testing/fuzzer_input_generator.py
@@ -0,0 +1,72 @@
+import json
+import pprint
+
+from thoth.app.analyzer.abstract_analyzer import (
+    AbstractAnalyzer,
+    CategoryClassification,
+    ImpactClassification,
+    PrecisionClassification,
+    colors,
+)
+from thoth.app.decompiler.decompiler import Decompiler
+from thoth.app.symbex.symbex import SymbolicExecution
+from thoth.app.utils import bcolors
+
+pp = pprint.PrettyPrinter(indent=2)
+
+
+class FuzzerInputGeneratorAnalyzer(AbstractAnalyzer):
+    """
+    Generate test cases for the Cairo fuzzer
+    """
+
+    NAME = "Fuzzer tests cases generator"
+    ARGUMENT = "fuzzer"
+    HELP = "Automatically generate fuzzer test cases for each function of the contract"
+    IMPACT: ImpactClassification = ImpactClassification.INFORMATIONAL
+    PRECISION: PrecisionClassification = PrecisionClassification.HIGH
+    CATEGORY: CategoryClassification = CategoryClassification.ANALYTICS
+
+    def _detect(self) -> bool:
+        if self.disassembler.cairo1:
+            return False
+
+        path_color = colors.HEADER if self.color else ""
+        variable_color = colors.CYAN if self.color else ""
+
+        contract_functions = self.disassembler.functions
+        decompiler = Decompiler(functions=contract_functions)
+        decompiler.decompile_code(first_pass_only=True)
+
+        symbex = SymbolicExecution(
+            variables=decompiler.ssa.memory, assertions=decompiler.assertions
+        )
+
+        for function in contract_functions:
+            cairo_fuzzer_input = {
+                "workspace": "fuzzer_workspace",
+                "path": "input_file",
+                "name": "Fuzz_one",
+                "args": ["felt"] * len(function.args) if function.args is not None else [],
+                "inputs": [],
+            }
+
+            if function.is_import:
+                continue
+
+            test_cases = symbex._generate_test_cases(function=function)
+            if not test_cases:
+                continue
+            self.detected = True
+
+            function_test_cases = "%s\n" % function.name
+
+            paths_count = 0
+            for test_case in test_cases:
+                test_case_dict = {"value": {"val": [int(str(arg[1])) for arg in test_case]}}
+                cairo_fuzzer_input["inputs"].append(test_case_dict)
+
+            function_test_cases += json.dumps(cairo_fuzzer_input, indent=4)
+            self.result.append(function_test_cases)
+
+        return self.detected