Hi,

I wrote a fuzzing "framework" called Fusil and this week I wrote a fuzzer for Python. The idea is quite simple: for a module,
 - list all functions, classes and class methods
 - call a function with random arguments (of random types)
 - instantiate a class with random arguments
 - if the class is created correctly, call methods with random arguments

Example:
--------------------- 8< -----------------------------------
print "Call 39/40: linuxaudiodev.open()"
try:
    linuxaudiodev.open(
        # argument 1/2
        u"\u62C0\uFBD7\uB46A\u55E0\uFB7B\uD392\u7CEE",
        # argument 2/2
        52.682,
    )
except Exception, err:
    print >>stderr, "ERROR: %s" % err
--------------------- 8< -----------------------------------

I tried it on CPython 2.5 and then on CPython trunk (future 2.6). I found some bugs, see last bug entries in Python bugtracker. Just an example:
   http://bugs.python.org/issue3304
   -> invalid call to PyMem_Free() in fileio_init()

Most bugs crash with a segmentation fault, abort or a denial of service.

If you would like to try my fuzzer, use:
 (1) svn co http://fusil.hachoir.org/svn/trunk fusil
 (2) cd fusil
 (3) ./run_fusil.sh -p projects/python.py --fast --remove ALL

The option --fast goes faster, --remove does remove session directory even if Python generated some files, and "ALL" tests all modules.

FUSIL IS NOT SAFE! So run it under a different user using to avoid dangerous call to os.unlink().

The module list is hardcoded: it's the list of CPython modules written in C.

More information about Fusil:
   http://fusil.hachoir.org/trac

-- 
Victor Stinner aka haypo
http://www.haypocalc.com/blog/
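
Added example (not part of the original message and not Fusil's code): a Python 3 sketch of the loop the message describes, run in-process against a constructed stand-in module with a fixed seed so that every call can be replayed. The names fuzz_module, try_call and make_target are hypothetical. It records only Python exceptions; the crashes reported above end the interpreter, so catching those needs each generated script to run in its own process.

```python
import inspect
import random
import types

# One generator per argument type; sizes stay small so that bytearray(n) or "s" * n cannot exhaust memory.
GENERATORS = [
    lambda r: r.randint(-1000, 1000),
    lambda r: r.uniform(-1e6, 1e6),
    lambda r: "".join(chr(r.randint(0x20, 0xFFFF)) for _ in range(r.randint(0, 8))),
    lambda r: bytes(r.randrange(256) for _ in range(r.randint(0, 8))),
    lambda r: None,
]

def try_call(rng, name, func, log):
    """Call func with 0-3 random arguments of random types and log the outcome."""
    args = tuple(rng.choice(GENERATORS)(rng) for _ in range(rng.randint(0, 3)))
    try:
        result = func(*args)
    except Exception as err:  # same catch-all as the generated script in the message
        log.append((name, args, type(err).__name__))
        return None
    log.append((name, args, "ok"))
    return result

def fuzz_module(module, rounds=40, seed=0):
    """Fuzz every public function and class; call methods only on live instances."""
    rng, log = random.Random(seed), []
    public = [(n, o) for n, o in vars(module).items() if not n.startswith("_")]
    for _ in range(rounds):
        for name, obj in public:
            if inspect.isclass(obj):
                instance = try_call(rng, name + "()", obj, log)
                if instance is None:
                    continue  # constructor failed: no methods to call
                for mname, meth in inspect.getmembers(instance, inspect.ismethod):
                    if not mname.startswith("_"):
                        try_call(rng, "%s.%s()" % (name, mname), meth, log)
            elif inspect.isroutine(obj):
                try_call(rng, name + "()", obj, log)
    return log

def make_target():
    """Constructed stand-in target; a real run would pass an imported module."""
    mod = types.ModuleType("target")
    class Buffer:
        def __init__(self, size): self.data = bytearray(size)
        def get(self, index): return self.data[index]
    mod.scale, mod.Buffer = (lambda value, factor: value * factor), Buffer
    return mod
```

Each log entry is (call name, arguments, outcome), so any call that raised can be replayed with the exact arguments that triggered it.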