pub struct Mutator {
    pub rand: Random,
}
The mutator engine used to mutate testcases randomly.
Role of the Mutator in the Fuzzer.
Since this fuzzer is mutation-based, each testcase, before being run, is mutated. The idea is to take an existing testcase and alter it. The changes introduced should be small enough to prevent the program from outright rejecting the testcase, but sufficient to explore new paths.
This mutator implements basic mutation strategies:
- bitflips;
- add, subtract, xor and negate operations on 8/16/32/64 bits of data;
- magic values insertion and overwrite;
- random values insertion and overwrite;
- 1-byte repetitions insertion and overwrite;
- shrinking and extension.
These methods are called randomly but are given arbitrary weights to prevent expensive operations from being called too often (refer to the source code of Mutator::mutate for more information). In the future, these weights might be changed or made user-controllable.
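The weighted random dispatch described above, as a stand-alone added sketch that is not the crate's own code: the xorshift generator, the three strategies shown, the 8/3/1 weights and the magic values are assumptions chosen for illustration.

```rust
// Added illustration, not the crate's code: PRNG, weights and magic values are assumptions.
struct XorShift(u64); // seed must be non-zero
impl XorShift {
    fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 << 13; self.0 ^= self.0 >> 7; self.0 ^= self.0 << 17;
        self.0
    }
    // Value in [0, n); n must be non-zero.
    fn below(&mut self, n: usize) -> usize { (self.next_u64() % n as u64) as usize }
}
const MAGIC: [&[u8]; 3] = [&[0x00], &[0xff, 0xff], &[0x00, 0x00, 0x00, 0x80]];
fn bitflip(r: &mut XorShift, d: &mut Vec<u8>, _max: usize) {
    if d.is_empty() { return; }
    let i = r.below(d.len());
    d[i] ^= 1 << r.below(8);
}
fn magic_insert(r: &mut XorShift, d: &mut Vec<u8>, max: usize) {
    let m = MAGIC[r.below(MAGIC.len())];
    if d.len() + m.len() > max { return; } // never grow past max_size
    let at = r.below(d.len() + 1);
    for (k, b) in m.iter().enumerate() { d.insert(at + k, *b); }
}
fn shrink(r: &mut XorShift, d: &mut Vec<u8>, _max: usize) {
    if d.len() < 2 { return; } // keep at least one byte
    let n = 1 + r.below(d.len() - 1);
    d.truncate(d.len() - n);
}
type Strategy = fn(&mut XorShift, &mut Vec<u8>, usize);
// (weight, strategy): cheap in-place edits are drawn more often than resizing ones.
const TABLE: [(usize, Strategy); 3] = [(8, bitflip), (3, magic_insert), (1, shrink)];
// Attempts 1..=max_mutations weighted-random strategies; returns how many were attempted.
fn mutate(r: &mut XorShift, d: &mut Vec<u8>, max: usize, max_mutations: usize) -> usize {
    let total: usize = TABLE.iter().map(|(w, _)| *w).sum();
    let rounds = 1 + r.below(max_mutations);
    for _ in 0..rounds {
        let mut pick = r.below(total); // walk cumulative weights to find the bucket
        for (w, f) in TABLE {
            if pick < w { f(r, d, max); break; }
            pick -= w;
        }
    }
    rounds
}
fn main() {
    let (mut r, mut d) = (XorShift(0xa5a5a5a5), vec![0x42u8; 4]);
    let n = mutate(&mut r, &mut d, 16, 4);
    println!("{} mutation(s): {:02x?}", n, d);
}
```

A fixed seed replays the same mutation sequence, which is what makes a crashing testcase reproducible.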
Example
// Creates a new random generator.
let rand = Random::new(0xa5a5a5a5a5a5a5);
// Creates a new mutator.
let mut mutator = Mutator::new(rand);
// The data to mutate
let mut data = vec![0x42, 0x42, 0x42, 0x42];
// Mutations
mutator.bitflip(&mut data, 0x100);
mutator.byte_op(&mut data, 0x100);
mutator.extend(&mut data, 0x100);
mutator.shrink(&mut data, 0x100);
mutator.magic_replace(&mut data, 0x100);
mutator.magic_insert(&mut data, 0x100);
mutator.random_replace(&mut data, 0x100);
mutator.random_insert(&mut data, 0x100);
mutator.repetition_replace(&mut data, 0x100);
mutator.repetition_insert(&mut data, 0x100);
Fields
rand: Random
Implementations
impl Mutator
pub fn mutate<L: Loader>(
    &mut self,
    loader: &L,
    data: &mut Vec<u8>,
    max_size: usize,
    max_mutations: usize
) -> u64
Randomly mutates a testcase.
pub fn bitflip(&mut self, data: &mut Vec<u8>, _: usize)
Performs a bitflip of 1, 2, 3 or 4 bits at a random location in the testcase.
pub fn byte_op(&mut self, data: &mut Vec<u8>, _: usize)
Adds, subtracts, XORs or negates bytes in the testcase with random values.
pub fn extend(&mut self, data: &mut Vec<u8>, max_size: usize)
Extends a testcase with a random amount of null bytes.
pub fn shrink(&mut self, data: &mut Vec<u8>, _max_size: usize)
Shrinks a testcase by a random amount.
pub fn magic_replace(&mut self, data: &mut Vec<u8>, _max_size: usize)
Replaces bytes at a random position with a magic value.
pub fn magic_insert(&mut self, data: &mut Vec<u8>, max_size: usize)
Inserts a magic value at a random position.
pub fn random_replace(&mut self, data: &mut Vec<u8>, _max_size: usize)
Replaces bytes at a random position with random bytes.
pub fn random_insert(&mut self, data: &mut Vec<u8>, max_size: usize)
Inserts random bytes at a random position.
pub fn repetition_replace(&mut self, data: &mut Vec<u8>, _max_size: usize)
Replaces all bytes in a random range by the same byte.
pub fn repetition_insert(&mut self, data: &mut Vec<u8>, max_size: usize)
Inserts a repetition of the same byte at a random position.