![Logo HS KL](https://upload.wikimedia.org/wikipedia/commons/thumb/5/5e/Logo_of_Hochschule_Kaiserslautern.png/320px-Logo_of_Hochschule_Kaiserslautern.png)
# Fuzz Testing
A Social Skills workshop by Jan

# Exercise: Simple Fuzzing
Breaking things with random inputs.

## Task 1: Positive Testing
Assume, your co-worker Fred implemented the following function `nr_sqrt`, which computes the square root of `x` ($\sqrt{x}$), using the [Newton-Raphson method](https://en.wikipedia.org/wiki/Newton%27s_method):

In [None]:
# Computes the square root of x, using the Newton-Raphson method
def nr_sqrt(x):
  approx = None
  guess = x / 2
  while approx != guess:
    approx = guess
    guess = (approx + x / approx) / 2
  return approx

The `assert` statement can be used to easily check whether `nr_sqrt` yields the expected result. `assert` takes a condition and raises an `AssertionError` exception, if the condition evaluates to false, otherwise nothing happens.

Below, Fred combines `assert` with `math.isclose` to deal with rounding errors when comparing two floating-point values.

In [None]:
import math

assert math.isclose(2.0, nr_sqrt(4.0))

Since no exception was thrown, Fred makes `nr_sqrt` available to other programmers, who embed it in their code to process system input:

In [None]:
def sqrt_program(arg: str) -> None:
  if not arg:
    print("You must supply an input!")
  else:
    x = float(arg)
    print('The root of', x, 'is', nr_sqrt(x))

### 1.1 Break `sqrt_program`
Can you think of any values for `arg` that lead to errors in the program?

Try them out below!

In [None]:
# Your code goes here -->

sqrt_program("4.0")

# <--

## Task 2: A simple Fuzzer
After professor Barton Miller crashed his university computer with the help of a thunderstorm, he created an assignment for his students to investigate the extent of the problem and its causes.

The assignment read:

>The goal of this project is to evaluate the robustness of various UNIX utility programs, given an unpredictable input stream. [...] First, you will build a fuzz generator. This is a program that will output a random character stream. Second, you will take the fuzz generator and use it to attack as many UNIX utilities as possible, with the goal of trying to break them.

### 2.1 Build a fuzz generator
Fulfill this assignment by defining the function `fuzz`, which produces a random character string. The signature of the function was already defined below.

`fuzz` shall:

1. produce a string with up to `max_length` characters
2. use characters in the range of [ `char_start`, `char_start` + `char_range` )

**Hint:
Function [`chr(i)`](https://docs.python.org/3/library/functions.html#chr) returns the string representing a character whose Unicode code point is the integer `i`.**

In [None]:
import random

def fuzz(max_length: int = 100, char_start: int = 32, char_range: int = 32) -> str:
  out = ""

  # Your code goes here -->

  # <--

  return out

Try your function `fuzz` out!

In [None]:
# Your code goes here -->

fuzz()

# <--

### 2.2 Test `sqrt_program` with `fuzz`
Use your fuzz generator `fuzz` to test `sqrt_program` until it crashes.

In [None]:
# Your code goes here -->

# <--

### 2.3 Test the UNIX utility program *bc* with `fuzz`
In their paper *An empirical study of the reliability of UNIX utilities*, Barton Miller et al. observed errors in many UNIX utility programs.

One of these programs was *bc* (*basic calculator*):

In [None]:
!apt install bc

*bc* takes an arithmetic expression from a file or standard input and evaluates it:

In [None]:
!echo "(1 + 1) * 14 / 2 * 3" | bc

Create a simple fuzzing tool to test the program *bc* by completing the code below.

**Hint: To execute external programs, use [`subprocess.run`](https://docs.python.org/3/library/subprocess.html#subprocess.run). To determine if a program crashed, check if its [returncode](https://docs.python.org/3/library/subprocess.html#subprocess.CompletedProcess.returncode) is a negative value.**

In [None]:
import os
import tempfile
import subprocess

# Creates a temporary file to store inputs to the external program
basename = "input.txt"
tempdir = tempfile.mkdtemp()
FILE = os.path.join(tempdir, basename)

# Name of the external program to test
PROGRAM = "bc"
# List to store results of executions
RUNS = []

# Tests external program with generated inputs
def test_external(trials = 100):
  for i in range(trials):
    # Your code goes here -->

    # Create input with your function fuzz() and write it to FILE

    # Execute PROGRAM and store result of the execution

    # Append the generated input and result of the execution to RUNS

    # <--


# Print all inputs in RUNS, which lead to a crash in the external program
def print_crashing_inputs():
  # Your code goes here -->

  # For every execution in RUNS, check if the program crashed and print the
  # corresponding input

  # <--


test_external()
print_crashing_inputs()

## Additional Links
* [The Fuzzing Book](https://www.fuzzingbook.org/)
* [An empirical study of the reliability of UNIX utilities](https://dl.acm.org/doi/pdf/10.1145/96267.96279)