# SWEN90006 Tutorial 8 Solution

## Tutorial 7: Question 3 and Question 4

### Question 3
Suppose you have a valid 54-byte header and you mutate an arbitrary
(uniformly randomly chosen) byte in the header to a new value (different
from its original value). What is the probability of producing a valid
header?

**Solution:**
We compute the probability for each byte offset. The 4-byte signed
integers *Width* and *Height* cannot be modified without breaking the
constraint that the size of the image data in bytes (offsets 34–37)
must be equal to 4\**Width*\**Height*. Likewise, offsets 34–37 cannot be
modified either.

| Byte offset | Probability | Notes        |
|--------------------|----------------------|-----------------------|
| 0                  | 0                    |                       |
| 1                  | 0                    |                       |
| 2                  | 1                    |                       |
| 3                  | 1                    |                       |
| 4                  | 1                    |                       |
| 5                  | 1                    |                       |
| 6                  | 0                    |                       |
| 7                  | 0                    |                       |
| 8                  | 0                    |                       |
| $\ldots$             | $\ldots$               |                       |
| 17                 | 0                    |                       |
| 18                 | 0                    | only one valid choice |
| 19                 | $\ldots$               |                       |
| 25                 | 0                    | only one valid choice |
| 26                 | 0                    |                       |
| 27                 | $\ldots$               |                       |
| 37                 | 0                    |                       |
| 38                 | 1                    | All choices are valid |
| 39                 | $\ldots$               | All choices are valid |
| 45                 | 1                    | All choices are valid |
| 46                 | 0                    |                       |
| 47                 | $\ldots$               |                       |
| 53                 | 0                    |                       |


Let $P(i)$ denote the probability from the above table for byte-offset
$i$. Then the total probability is:

$$\sum\limits_i \frac{P(i)}{54} = \frac{\sum\limits_i P(i)}{54}$$


$$\sum\limits_i P(i) = 12$$


Thus the total probability is:

$$\frac{12}{54} \approx 0.222$$

So, finally, there is a 22.2% chance of a mutation in one byte still
producing a valid header.
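The table can be checked by exhaustive enumeration. The following is an added example, not part of the original tutorial solution: it applies every possible single-byte mutation to a constructed header and counts how many stay valid. The field layout is the standard BMP header layout; the fixed values the validator requires (reserved 0, data offset 54, header size 40, 1 plane, 32 bits per pixel, no compression, colour counts 0) and all function names are assumptions chosen to agree with the table, since the format description from Tutorial 7 is not reproduced here.

```python
import struct
from fractions import Fraction

HEADER_LEN = 54
# Little-endian fields after the 2-byte magic (assumed standard BMP layout):
# file size, reserved, data offset, DIB size, Width, Height, planes, bpp,
# compression, image size, x/y resolution, colours used, important colours.
FIELDS = "<IIIIiiHHIIiiII"

def is_valid_header(h: bytes) -> bool:
    """Validity rules are assumptions chosen to agree with the table above."""
    if len(h) != HEADER_LEN or h[:2] != b"BM":
        return False
    (_fsize, reserved, data_off, dib, width, height, planes, bpp, comp,
     img_size, _xres, _yres, colours, important) = struct.unpack_from(FIELDS, h, 2)
    return (reserved == 0 and data_off == HEADER_LEN and dib == 40
            and planes == 1 and bpp == 32 and comp == 0
            and img_size == 4 * width * height   # the constraint from the solution
            and colours == 0 and important == 0)

def sample_header(width: int = 2, height: int = 2) -> bytes:
    """Constructed valid header for a small 32-bpp image (sample data)."""
    size = 4 * width * height
    return b"BM" + struct.pack(FIELDS, HEADER_LEN + size, 0, HEADER_LEN, 40,
                               width, height, 1, 32, 0, size, 2835, 2835, 0, 0)

def per_offset_probability(header: bytes) -> list:
    """P(i): fraction of the 255 replacement values at offset i that stay valid."""
    probs = []
    for i in range(HEADER_LEN):
        valid = sum(
            is_valid_header(header[:i] + bytes([v]) + header[i + 1:])
            for v in range(256) if v != header[i])
        probs.append(Fraction(valid, 255))
    return probs

def mutation_validity(header: bytes) -> Fraction:
    """Probability that one uniformly chosen single-byte mutation stays valid."""
    return sum(per_offset_probability(header)) / HEADER_LEN

if __name__ == "__main__":
    hdr = sample_header()
    free = [i for i, p in enumerate(per_offset_probability(hdr)) if p == 1]
    print("offsets where every mutation is valid:", free)
    print("overall probability:", mutation_validity(hdr), float(mutation_validity(hdr)))
```

The result relies on the starting header having nonzero *Width* and *Height*: if either is 0, the product 4\**Width*\**Height* stays 0 when the other is mutated, so under this validator those bytes would no longer have probability 0.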

### Question 4
Imagine you had to write a fuzzer to fuzz some BMP processing code that
processed BMP files of the format described above. If you had to choose
between generating completely random inputs vs. using random mutation on
existing BMP files, which strategy would you choose?

**Solution:**

Given the above, mutation is likely to produce more valid BMP headers,
so it should be preferable. Specifically, it is likely to produce inputs
that achieve greater code coverage. Inputs generated by entirely random
strings of bytes are all likely to be invalid BMP files and so we might
expect them to all take the code paths taken only by invalid files.

On the other hand, we can expect up to $\approx 22\%$ of inputs
generated using mutation to be valid (depending on the mutation
strategy, this percentage might quickly decrease, though) and therefore
to take code paths that are almost impossible to trigger using random
inputs alone. Mutation will still generate plenty of invalid BMP headers, so
will still exercise code paths taken by invalid BMP files. Therefore we
might reasonably expect that the inputs produced by random mutation will
take a superset of the paths of those produced by entirely random
inputs.


## Generation-based Fuzzing

### Question 2
The input model can be found in the file `boom_pit.xml`, which is already copied into the Docker image, but a small modification is required to use it: comment out the following line, at line 33. Then compare the model with your own input model.

```xml
<Data fileName="in/*"/>
```

### All other questions are experiment-based questions, no solution