# Fuzzing APIs

So far, we have always generated _system input_, i.e. data that the program as a whole obtains via its input channels.  However, we can also generate input that goes directly into individual functions, gaining flexibility and speed in the process.  In this chapter, we explore the use of grammars to synthesize code for function calls, which allows you to generate program code that very efficiently invokes functions directly.  However, we also explore how such API grammars can be synthesized from existing executions; this means that you can synthesize API tests without having to write a grammar at all.

In [None]:
from fuzzingbook_utils import YouTubeVideo
YouTubeVideo("S_f2qV2_U00")

**Prerequisites**

* You have to know how grammar fuzzing work, e.g. from the [chapter on grammars](Grammars.ipynb).
* The later parts of this chapter infer grammars from dynamic traces of function calls and variables, as introduced in the [chapter on configuration fuzzing](ConfigurationFuzzer.ipynb).

## Fuzzing APIs

This is pretty straight-forward.  We define a grammar that creates API calls:

In [None]:
import fuzzingbook_utils

In [None]:
API_GRAMMAR = {
    "<call>":
        ['urlparse("<url>")']
}

This grammar creates calls in the form `urlparse(<url>)`, where `<url>` is yet to be defined; the idea is to create many of these calls and to feed them into the Python interpreter.

Let us add definitions for `<url>` from the previously defined URL grammar:

In [None]:
from Grammars import URL_GRAMMAR, is_valid_grammar

In [None]:
API_GRAMMAR.update(URL_GRAMMAR)

In [None]:
API_GRAMMAR["<start>"] = ["<call>"]

In [None]:
assert is_valid_grammar(API_GRAMMAR)

In [None]:
API_GRAMMAR

We can use this grammar for fuzzing:

In [None]:
from GrammarFuzzer import GrammarFuzzer

In [None]:
urlparse_fuzzer = GrammarFuzzer(API_GRAMMAR)
urlparse_fuzzer.fuzz()

And we can immediately execute these calls.  To this end, we have to import the functions first such that they are in scope.

In [None]:
from urllib.parse import *

In [None]:
# Call function_name(arg[0], arg[1], ...) as a string
def do_call(call_string):
    # We create the call as a string (easier + more robust)
    # Alternative: Call the code object directly, bypassing the parser
    print(call_string)
    try:
        result = eval(call_string)
    except:
        result = sys.exc_info()[0]
    print("\t= " + repr(result))
    return result

In [None]:
for i in range(10):
    call = urlparse_fuzzer.fuzz()
    do_call(call)

## Carving API Calls

Let us now try to _record_ and _replay_ calls.

In [None]:
# return function_name(arg[0], arg[1], ...) as a string
def call_with_args(function_name, args):
    return function_name + "(" + \
        ", ".join([var + "=" + repr(value) for (var, value) in args]) + ")"

In [None]:
call_with_args("urlparse", [("url", "http://example.com")])

We use a tracer to capture all calls and arguments.  \todo{Make this a `Carver` class.}

In [None]:
# This is where we store all calls and arguments
the_args = {}

In [None]:
# Tracking function: Record all calls and all args
def traceit(frame, event, arg):
    if event == "call":
        code = frame.f_code
        function_name = code.co_name
        
        if function_name.startswith('_'):
            return None # Internal function
        
        # When called, all arguments are local variables
        variables = frame.f_locals.keys()
        args = [(var, frame.f_locals[var]) for var in variables]

        if function_name not in the_args:
            the_args[function_name] = []
        if args not in the_args[function_name]:
            the_args[function_name].append(args)
       
        # Some tracking
        # print(call_with_args(function_name, args))

    # If we return None, this will only be called for functions (more efficient)
    return None

In [None]:
import math
import sys

In [None]:
# Record all function calls during an execution
def power(x, y):
    return math.pow(x, y)
    
def powerpair(pair):
    return power(pair[0], pair[1])

def record_calls():
    global the_args
    the_args = {}

    urls = [
        "https://andreas:zeller@cispa.saarland:8080/faculty/q?=zeller",
        "http://fuzzingbook.com/fuzzing",
        "http://google.com/query",
        "http://microsoft.com/windows",
        "https://mark:zuckerberg@facebook.com:666/friends"
    ]

    sys.settrace(traceit)
    
    for n in range(0, 10):
        x = power(n, n)
        x = powerpair((n, n))
    
    for url in urls:
        parts = urlparse(url)
        url = urlunparse(parts)
        
    sys.settrace(None)

In [None]:
record_calls()

In [None]:
the_args

In [None]:
# Re-run all calls seen, invoking functions directly
def run_calls():
    for function_name in the_args.keys():
        if function_name.startswith("_") or function_name.startswith("<"):
            continue        # Internal call

        for args in the_args[function_name]:
            call_string = call_with_args(function_name, args)
            do_call(call_string)

In [None]:
run_calls()

Of course, we can also first fuzz a program with a grammar, record the API calls and replay them.

## Mining a Grammar

Let us bring together the fuzzing and carving techniques and mine a function call grammar from API invocations.

In [None]:
# Convert a variable name into a grammar nonterminal
def nonterminal(var):
    return "<" + var.lower() + ">"

In [None]:
def mine_grammar_from_calls():
    all_calls = "<call>"
    grammar = {
        "<start>": [all_calls],
    }
    
    function_nonterminals = []
    for function_name in the_args.keys():
        if function_name.startswith("_") or function_name.startswith("<"):
            # Internal function
            continue
        
        nonterminal_name = nonterminal(function_name)
        function_nonterminals.append(nonterminal_name)
        
        # Add a rule for the function
        expansion = function_name + "("
        first_arg = True
        for (var, _) in the_args[function_name][0]:
            arg_name = nonterminal(function_name + "_" + var)
            if not first_arg:
                expansion += ", "
            first_arg = False
            expansion += var + "=" + arg_name
        expansion += ")"
        # TODO: Handle polymorphic functions
        grammar[nonterminal_name] = [expansion]

        # Add rules for the arguments
        values = {}
        for args in the_args[function_name]:
            for (var, value) in args:
                if var not in values:
                    values[var] = []
                if value not in values[var]:
                    values[var].append(value)
        g = value_rules(values, function_name)
        grammrs = merge_grammars(grammar, g)
        
    # Add a rule for all calls
    grammar[all_calls] = function_nonterminals
            
    return grammar

In [None]:
# Merge two grammars G1 and G2
def merge_grammars(g1, g2):
    merged_grammar = g1
    for key2 in g2.keys():
        repl2 = g2[key2]
        key_found = False
        for key1 in g1.keys():
            repl1 = g1[key1]
            for repl in repl2:
                if key1 == key2:
                    key_found = True
                    if repl not in repl1:
                        # Extend existing rule
                        merged_grammar[key1] = repl1 + [repl]
                        
        if not key_found:
            # Add new rule
            merged_grammar[key2] = repl2
    return merged_grammar

In [None]:
DEEP_VALUES = False

In [None]:
# Return a grammar only for the values in VALUES
def value_rules(values, prefix):
    grammar = {}
    for var in values.keys():
        arg_name = nonterminal(prefix + "_" + var)
        if DEEP_VALUES:
            for value in values[var]:
                g = deep_value_expansions(arg_name, value)
                grammar = merge_grammars(grammar, g)
        else:
            expansions = [repr(value) for value in values[var]]
            grammar[arg_name] = expansions
            
    return grammar

In [None]:
api_grammar = mine_grammar_from_calls()

In [None]:
api_grammar

In [None]:
urlunsplit_fuzzer = GrammarFuzzer(api_grammar, start_symbol='<urlunsplit>')

In [None]:
for i in range(10):
    do_call(urlunsplit_fuzzer.fuzz())

In [None]:
urlunparse_fuzzer = GrammarFuzzer(api_grammar, start_symbol='<urlunparse>')

In [None]:
for i in range(10):
    do_call(urlunparse_fuzzer.fuzz())

We can thus extract a grammar from a module simply by tracking its calls.

\todo{Combine this with grammars at the system level!}

## Deep Values

Non-primitive values need special handling in Python:

In [None]:
# Expand a structured value into individual grammar rules       
def deep_value_expansions(prefix, value):
    # print("Expanding", prefix, "=", repr(value))
    
    grammar = {}

    attributes = value_attributes(value)
    if attributes is not None:
        # A class or named tuple
        attr_names = []
        for attribute in attributes:
            if attribute.startswith("_"):
                # Internal attribute
                continue
            attr_name = prefix + "_" + attribute.upper()
            attr_names.append((attribute, attr_name))
            g = deep_value_expansions(attr_name, getattr(value, attribute))
            grammar = merge_grammars(grammar, g)

        expansion = value.__class__.__name__ + "("
        first_attribute = True
        for (attribute, attr_name) in attr_names:
            if not first_attribute:
                expansion += ", "
            first_attribute = False
            expansion += attribute + " = " + attr_name
        expansion += ")"
        grammar[prefix] = [expansion]

    elif isinstance(value, type(())):
        # A tuple
        field_names = []
        for index in range(0, len(value)):
            field_name = prefix + "_" + repr(index)
            field_names.append(field_name)
            g = deep_value_expansions(field_name, value[index])
            grammar = merge_grammars(grammar, g)
            
        grammar[prefix] = ["(" + ", ".join(field_names) + ")"]
    
    else:
        # Can only expand to value
        grammar[prefix] = [repr(value)]
    
    # print("Expanded:", grammar_to_string(grammar))
    return grammar


## Lessons Learned

* _Lesson one_
* _Lesson two_
* _Lesson three_

## Next Steps

_Link to subsequent chapters (notebooks) here, as in:_

* [use _mutations_ on existing inputs to get more valid inputs](MutationFuzzer.ipynb)
* [use _grammars_ (i.e., a specification of the input format) to get even more valid inputs](Grammars.ipynb)
* [reduce _failing inputs_ for efficient debugging](Reducer.ipynb)


## Background

_Cite relevant works in the literature and put them into context, as in:_

The idea of ensuring that each expansion in the grammar is used at least once goes back to Burkhardt \cite{Burkhardt1967}, to be later rediscovered by Paul Purdom \cite{Purdom1972}.

## Exercises

_Close the chapter with a few exercises such that people have things to do.  To make the solutions hidden (to be revealed by the user), have them start with_

```markdown
**Solution.**
```

_Your solution can then extend up to the next title (i.e., any markdown cell starting with `#`)._

_Running `make metadata` will automatically add metadata to the cells such that the cells will be hidden by default, and can be uncovered by the user.  The button will be introduced above the solution._

### Exercise 1: _Title_

_Text of the exercise_

In [None]:
# Some code that is part of the exercise
pass

_Some more text for the exercise_

**Solution.** _Some text for the solution_

In [None]:
# Some code for the solution
2 + 2

_Some more text for the solution_

### Exercise 2: _Title_

_Text of the exercise_

**Solution.** _Solution for the exercise_