# Mining Input Grammars

So far, the grammars we have seen have been mostly specified manually – that is, you (or the person knowing the input format) had to design and write a grammar in the first place.  While the grammars we have seen so far have been rather simple, creating a grammar for complex inoputs can involve quite some effort.  In this chapter, we therefore introduce techniques that automatically _mine_ grammars from programs – by executing the programs and observing how they process which parts of the input.  In conjunction with a grammar fuzzer, this allows us to (1) take a program, (2) extract its input grammar, and (3) fuzz it with high efficiency and effectiveness.

**Prerequisites**

* You should have read the [chapter on grammars](Grammars.ipynb).
* The [chapter on configuration fuzzing](ConfigurationFuzzer.ipynb) introduces grammar mining for configuration options, as well as observing variables and values during execution.

## A Simple Grammar Miner

### Function Under Test

In [None]:
from urllib.parse import urlparse

In [None]:
FUNCTION = urlparse
INPUTS = [
    'http://user:pass@www.iie.ac.cn:80/?q=path#ref',
    'https://www.cispa.saarland:80/',
    'ftp://www.baidu.com/',
]

## Tracing Variable Values

In [None]:
import sys

In [None]:
# We store individual variable/value pairs here
global the_values
the_values = {}

# The current input string
global the_input
the_input = None

In [None]:
# We record all string variables and values occurring during execution
def traceit(frame, event, arg):
    global the_values
    variables = frame.f_locals.keys()

    for var in variables:
        value = frame.f_locals[var]
        # print(var, value)

        # Save all non-trivial string values that also occur in the input
        if isinstance(value, type('')) and len(value) >= 2 and value in the_input:
            the_values[var] = value

    return traceit

In [None]:
# Trace function
def trace_function(function, input):
    # We obtain a mapping of variables to values
    global the_input
    the_input = input

    global the_values
    the_values = {}

    sys.settrace(traceit)
    o = function(the_input)
    sys.settrace(None)

    return the_values

In [None]:
values = trace_function(FUNCTION, INPUTS[0])
for var in values.keys():
    print(var + " = " + repr(values[var]))
print('')

### Extracting a Grammar

In [None]:
# import fuzzingbook_utils

In [None]:
from fuzzingbook.Grammars import START_SYMBOL

In [None]:
# Convert a variable name into a grammar nonterminal
def nonterminal(var):
    return "<" + var.lower() + ">"

Now, for each pair _VAR_, _VALUE_ found:

1. We search for occurrences of _VALUE_ in the grammar
2. We replace them by <_VAR_>
3. We add a new rule <_VAR_> $\rightarrow$ <_VALUE_> to the grammar

In [None]:
# Obtain a grammar for a specific input
def get_grammar(function, input):
    # Here's our initial grammar
    grammar = {START_SYMBOL: [input]}

    # Trace execution
    values = trace_function(function, input)

    # Replace as listed above
    while True:
        new_rules = []
        for var in values:
            value = values[var]
            for key in grammar:
                repl_alternatives = grammar[key]
                for j in range(0, len(repl_alternatives)):
                    repl = repl_alternatives[j]
                    if value in repl:
                        # Replace value by nonterminal name
                        alt_key = nonterminal(var)
                        repl_alternatives[j] = repl.replace(value, alt_key)
                        new_rules = new_rules + [(var, alt_key, value)]

        if len(new_rules) == 0:
            break  # Nothing to expand anymore

        for (var, alt_key, value) in new_rules:
            # Add new rule to grammar
            grammar[alt_key] = [value]

            # Do not expand this again
            del values[var]

    return grammar

In [None]:
grammar = get_grammar(FUNCTION, INPUTS[0])
grammar

In [None]:
grammar = get_grammar(FUNCTION, INPUTS[1])
grammar

In [None]:
grammar = get_grammar(FUNCTION, INPUTS[2])
grammar

### Merging Grammars

In [None]:
def merge_grammars(g1, g2):
    merged_grammar = g1
    for key2 in g2:
        repl2 = g2[key2]
        key_found = False
        for key1 in g1:
            repl1 = g1[key1]
            for repl in repl2:
                if key1 == key2:
                    key_found = True
                    if repl not in repl1:
                        # Extend existing rule
                        merged_grammar[key1] = repl1 + [repl]

        if not key_found:
            # Add new rule
            merged_grammar[key2] = repl2

    return merged_grammar

In [None]:
def get_merged_grammar(function, inputs):
    merged_grammar = None
    for input in inputs:
        grammar = get_grammar(function, input)
        # print(repr(input) + " ->\n" + grammar_to_string(grammar))
        if merged_grammar is None:
            merged_grammar = grammar
        else:
            merged_grammar = merge_grammars(merged_grammar, grammar)

    return merged_grammar

In [None]:
grammar = get_merged_grammar(FUNCTION, INPUTS)
grammar

### Fuzzing

In [None]:
from fuzzingbook.GrammarFuzzer import GrammarFuzzer

In [None]:
f = GrammarFuzzer(grammar)
for i in range(100):
    print(f.fuzz())

## Lessons Learned

* Given a set of inputs, we can learn an input grammar by examining variable values during execution.
* The resulting grammars can be used right during fuzzing.

## Next Steps

_Link to subsequent chapters (notebooks) here, as in:_

* [use _mutations_ on existing inputs to get more valid inputs](MutationFuzzer.ipynb)
* [use _grammars_ (i.e., a specification of the input format) to get even more valid inputs](Grammars.ipynb)
* [reduce _failing inputs_ for efficient debugging](Reducer.ipynb)


## Background

\cite{Lin2008}

## Exercises

_Close the chapter with a few exercises such that people have things to do.  To make the solutions hidden (to be revealed by the user), have them start with_

```markdown
**Solution.**
```

_Your solution can then extend up to the next title (i.e., any markdown cell starting with `#`)._

_Running `make metadata` will automatically add metadata to the cells such that the cells will be hidden by default, and can be uncovered by the user.  The button will be introduced above the solution._

### Exercise 1: _Title_

_Text of the exercise_

In [None]:
# Some code that is part of the exercise
pass

_Some more text for the exercise_

**Solution.** _Some text for the solution_

In [None]:
# Some code for the solution
2 + 2

_Some more text for the solution_

### Exercise 2: _Title_

_Text of the exercise_

**Solution.** _Solution for the exercise_