# Mining Input Grammars

So far, the grammars we have seen have been mostly specified manually – that is, you (or the person knowing the input format) had to design and write a grammar in the first place.  While the grammars we have seen so far have been rather simple, creating a grammar for complex inoputs can involve quite some effort.  In this chapter, we therefore introduce techniques that automatically _mine_ grammars from programs – by executing the programs and observing how they process which parts of the input.  In conjunction with a grammar fuzzer, this allows us to (1) take a program, (2) extract its input grammar, and (3) fuzz it with high efficiency and effectiveness.

**Prerequisites**

* You should have read the [chapter on grammars](Grammars.ipynb).
* The [chapter on configuration fuzzing](ConfigurationFuzzer.ipynb) introduces grammar mining for configuration options, as well as observing variables and values during execution.

In [None]:
import fuzzingbook_utils

In [None]:
import sys

## A Simple Grammar Miner

Say we want to obtain the grammar for the function `urlparse` from the *Python* distribution.

### Function Under Test

In [None]:
from urllib.parse import urlparse, clear_cache
FUNCTION = urlparse

## Tracing Variable Values

We have a few inputs that can be used, as listed below:

We use two *global* variables -- `the_values` is used to keep track of variable assignments and `the_input` to keep track of the current input string. We will show later how to avoid these globals.

In [None]:
INPUTS = [
    'http://user:pass@www.google.com:80/?q=path#ref',
    'https://www.cispa.saarland:80/',
    'http://www.fuzzingbook.org/#News',
]

### Recording Occurrence of Input Values.

The function `traceit()` is used to record all *non trivial* string variables (with length more than 2 characters) and values occurring during execution.

In [None]:
class Tracer:
    def __init__(self, inputstr):
        self.inputstr, self.the_values = inputstr, {}
        
    def __enter__(self):
        self.oldtrace = sys.gettrace()
        sys.settrace(self.traceit)
        return self

    def __exit__(self, *args):
        sys.settrace(self.oldtrace)

    def traceit(self, frame, event, arg):
        my_vars = {
            var: value
            for var, value in frame.f_locals.items()
            if isinstance(value, str) and len(value) > 2
            and value in self.inputstr
        }
        self.the_values.update(my_vars)
        return self.traceit
    
    def __call__(self):
        return self.inputstr

### Trace

The `trace_function()` hooks into the Python trace functionality.

In [None]:
clear_cache()
with Tracer(INPUTS[0]) as tracer:
    FUNCTION(tracer())

for var,val in tracer.the_values.items():
    print(var + " = " + repr(val))

### Extracting a Grammar

In [None]:
from Grammars import START_SYMBOL, syntax_diagram

Convert a variable name into a grammar nonterminal

In [None]:
def nonterminal(var):
    return "<" + var.lower() + ">"

Now, for each pair _VAR_, _VALUE_ found:

1. We search for occurrences of _VALUE_ in the grammar
2. We replace them by <_VAR_>
3. We add a new rule <_VAR_> $\rightarrow$ <_VALUE_> to the grammar

In [None]:
def get_grammar(tracer):
    traces, my_input = tracer.the_values, tracer.inputstr
    # Here's our initial grammar
    grammar = {START_SYMBOL: [my_input]}

    # Replace as listed above
    while True:
        new_rules = []
        for var, value in traces.items():
            for key, repl_alternatives in grammar.items():
                for j, repl in enumerate(repl_alternatives):
                    if not value in repl:
                        continue
                    # Replace value by nonterminal name
                    alt_key = nonterminal(var)
                    repl_alternatives[j] = repl.replace(value, alt_key)
                    new_rules.append((var, alt_key, value))

        if not new_rules:
            break  # Nothing to expand anymore

        for (var, alt_key, value) in new_rules:
            # Add new rule to grammar
            grammar[alt_key] = [value]

            # Do not expand this again
            del traces[var]

    return {key: values for key, values in grammar.items()}

First, trace the execution:

In [None]:
clear_cache()
with Tracer(INPUTS[0]) as tracer:
    FUNCTION(tracer())

grammar = get_grammar(tracer)
grammar

In [None]:
clear_cache()
with Tracer(INPUTS[1]) as tracer:
    FUNCTION(tracer())
grammar = get_grammar(tracer)
grammar

In [None]:
clear_cache()
with Tracer(INPUTS[2]) as tracer:
    FUNCTION(tracer())
grammar = get_grammar(tracer)
grammar

### Merging Grammars

In [None]:
def merge_grammars(g1, g2):
    merged_grammar = {}
    for key in list(g1.keys()) + list(g2.keys()):
        merged_grammar[key] = list(set(g1.get(key, [])) | set(g2.get(key, [])))
    return merged_grammar

In [None]:
def get_merged_grammar(traces):
    merged_grammar = {}
    for trace in traces:
        grammar = get_grammar(trace)
        merged_grammar = merge_grammars(merged_grammar, grammar)

    return merged_grammar

In [None]:
traces = []
for inputstr in INPUTS:
    clear_cache()
    with Tracer(inputstr) as tracer:
        FUNCTION(tracer())
    traces.append(tracer)

grammar = get_merged_grammar(traces)
syntax_diagram(grammar)

### Fuzzing

In [None]:
from GrammarFuzzer import GrammarFuzzer

In [None]:
f = GrammarFuzzer(grammar)
for i in range(10):
    print(f.fuzz())

## Grammar Miner with Stack

### Restrict The Input Window

In [None]:
class Vars:
    Namespaced = True

    def __init__(self, i, istack):
        self.defs = {START_SYMBOL: i}
        self.istack = istack

    def varname(self, var, frame):
        if not Vars.Namespaced:
            return var
        class_name = frame.f_code.co_name
        if frame.f_code.co_name == '__new__':
            class_name = frame.f_locals[frame.f_code.co_varnames[0]].__name__
        return "%s:%s" % (class_name, var)

    def update_vars(self, var, value, frame):
        if not isinstance(value, str):
            return
        if len(value) >= 2 and self.istack.has(value):
            qual_var = self.varname(var, frame)
            if not self.defs.get(qual_var):
                self.defs[qual_var] = value

### Keep Track of The Stack

In [None]:
class InputStack:
    def __init__(self):
        self.inputs = []

    def has(self, val):
        return any(val in var for var in self.inputs[-1].values())

    def push(self, inputs):
        if not self.inputs:
            my_inputs = {k:v for k,v in inputs.items()
                        if isinstance(v, str)}
        else:
            my_inputs = {k:v for k,v in inputs.items()
                         if isinstance(v, str) and self.has(v)}
        self.inputs.append(my_inputs)

    def pop(self):
        return self.inputs.pop()

We need to modify `traceit()` to be aware of events now:

In [None]:
class StackTracer(Tracer):
    def __init__(self, inputstr):
        super().__init__(inputstr)
        self.istack = InputStack()
        self.vars = Vars(inputstr, self.istack)
        
    def traceit(self, frame, event, arg):
        fun, fn = frame.f_code.co_name, frame.f_code.co_filename
        if not fn.endswith('urllib/parse.py'): return self.traceit

        if event == 'call':
            param_names = [frame.f_code.co_varnames[i]
                           for i in range(frame.f_code.co_argcount)]
            my_parameters = {k: v for k, v in frame.f_locals.items()
                             if k in param_names}
            self.istack.push(my_parameters)

            for var, value in my_parameters.items():
                self.vars.update_vars(var, value, frame)
            return self.traceit

        if event == 'return':
            self.istack.pop()
            return self.traceit

        if event == 'exception':
            return self.traceit

        variables = frame.f_locals
        for var, value in variables.items():
            self.vars.update_vars(var, value, frame)

        return self.traceit

For each (VAR, VALUE) found:
* We search for occurrences of VALUE in the grammar
* We replace them by VAR
* We add a new rule VAR -> VALUE to the grammar

In [None]:
def get_grammar(tracer):
    assignments, my_input = tracer.vars.defs, tracer.istack
    my_grammar = {}
    for var, value in assignments.items():
        nt_var = var if var == START_SYMBOL else nonterminal(var)
        if my_grammar:
            append = False
            for key, repl_alternatives in my_grammar.items():
                alt = set()
                for repl in repl_alternatives:
                    if value in repl:
                        repl = repl.replace(value, nt_var)
                        alt.add(repl)
                        append = True
                    else:
                        alt.add(repl)
                my_grammar[key] = alt
            if append:
                my_grammar[nt_var] = set([value])
        else:
            my_grammar[nt_var] = set([value])
    return my_grammar

In [None]:
clear_cache()
with StackTracer(INPUTS[0]) as tracer:
    FUNCTION(tracer())
grammar = get_grammar(tracer)
grammar

In [None]:
traces = []
for inputstr in INPUTS:
    clear_cache()
    with StackTracer(inputstr) as tracer:
        FUNCTION(tracer())
    traces.append(tracer)
grammar = get_merged_grammar(traces)
syntax_diagram(grammar)

## Tainted Grammar Miner

In [None]:
from InformationFlow import tstr

In [None]:
class TaintedInputStack(InputStack):
    def has(self, val):
        def is_from(var1, var2):
            s = var1
            while type(s) == tstr:
                if id(var2) ==  id(s): return True
                s = s.parent
            return False
        
        return any(is_from(val, var) for var in self.inputs[-1].values())

    def push(self, inputs):
        tainted = {k: v for k, v in inputs.items() if isinstance(v, tstr)}
        if not self.inputs:
            my_inputs = tainted
        else:
            my_inputs = {k: v for k, v in tainted.items() if self.has(v)}
        self.inputs.append(my_inputs)

In [None]:
class TaintedVars(Vars):
    def update_vars(self, var, value, frame):
        if not isinstance(value, tstr):
            return
        if len(value) >= 2 and self.istack.has(value):
            qual_var = self.varname(var, frame)
            if not self.defs.get(qual_var):
                self.defs[qual_var] = value
    def __str__(self):
        return str([(key,val) for key, val in self.defs.items()])

In [None]:
class TaintedTracer(StackTracer):
    def __init__(self, inputstr):
        super().__init__(inputstr)
        self.istack = TaintedInputStack()
        self.vars = TaintedVars(inputstr, self.istack)

    def __call__(self):
        return tstr(self.inputstr, parent=None)
    
    def __str__(self):
        return str(self.vars)

In [None]:
traces = []
for inputstr in INPUTS:
    clear_cache()
    with TaintedTracer(inputstr) as tracer:
        FUNCTION(tracer())
    traces.append(tracer)
grammar = get_merged_grammar(traces)
syntax_diagram(grammar)

## Lessons Learned

* Given a set of inputs, we can learn an input grammar by examining variable values during execution.
* The resulting grammars can be used right during fuzzing.

## Next Steps

_Link to subsequent chapters (notebooks) here, as in:_

* [use _mutations_ on existing inputs to get more valid inputs](MutationFuzzer.ipynb)
* [use _grammars_ (i.e., a specification of the input format) to get even more valid inputs](Grammars.ipynb)
* [reduce _failing inputs_ for efficient debugging](Reducer.ipynb)


## Background

\cite{Lin2008}

## Exercises

_Close the chapter with a few exercises such that people have things to do.  To make the solutions hidden (to be revealed by the user), have them start with_

```markdown
**Solution.**
```

_Your solution can then extend up to the next title (i.e., any markdown cell starting with `#`)._

_Running `make metadata` will automatically add metadata to the cells such that the cells will be hidden by default, and can be uncovered by the user.  The button will be introduced above the solution._

### Exercise 1: _Title_

_Text of the exercise_

In [None]:
# Some code that is part of the exercise
pass

_Some more text for the exercise_

**Solution.** _Some text for the solution_

In [None]:
# Some code for the solution
2 + 2

_Some more text for the solution_

### Exercise 2: _Title_

_Text of the exercise_

**Solution.** _Solution for the exercise_